Disable winbindd?
Eric Shubert
ejs at shubes.net
Fri Oct 3 14:47:34 MST 2008
Alan Dayley wrote:
> On Fri, Oct 3, 2008 at 1:06 PM, Eric Shubert <ejs at shubes.net> wrote:
>> What you describe sounds nonsensical to me. Sounds like you want to use
>> Linux authentication in addition to a windows domain controller. That'd be
>> like trying to use 2 different domain controllers together. I don't see how
>> you can keep your windows DC and still have samba do authentication separate
>> from that (unless you do peer-to-peer type authentication, which would be
>> security = share). I think samba is designed to either work independently
>> (entirely), or work together with a domain controller. I could be wrong
>> though (it's been known to happen). ;)
>>
>> You might want to read up on samba server types:
>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html
>
> Maybe what we need to do cannot be done with Samba, which I am willing
> to entertain.
>
> We have a certain class of business data that must be completely
> restricted from all but a specific list of users. For specific
> reasons the restricted people include the IT department. If
> authentication of users is controlled by the domain controller, the IT
> department has indirect control over the data. So this share cannot
> have authentication by the domain.
>
> (I'm ignoring the fact that SMB is not a secure data protocol over the
> wire. That is very important but, for the moment, is being
> selectively ignored.)
>
> So we want the Samba server to be a stand-alone server. Each allowed
> user will have a Linux user defined on the server. When a user wants
> to get to the data, they connect to "\\SpecialServer\restricted",
> enter their Linux user ID and password and connect to the share.
>
> Are you saying this operational configuration is not possible or just
> a bad idea?
Sounds like it'd be possible using Share-Level Security "security = share".
See
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2552417
> BTW, the designer of the SWAT UI needs a lesson in preventing
> disasters! The select a share drop-down button is pixels away from
> the DELETE button (See attached)! (Backup /etc/samba/smb.conf before
> you start!)
>
Ha!
--
-Eric 'shubes'
More information about the PLUG-discuss
mailing list