Disable winbindd?
Eric Shubert
ejs at shubes.net
Fri Oct 3 18:57:39 MST 2008
Craig White wrote:
> On Fri, 2008-10-03 at 18:22 -0700, Eric Shubert wrote:
>> Craig White wrote:
>>> On Fri, 2008-10-03 at 15:48 -0700, Eric Shubert wrote:
>>>> Craig White wrote:
>>>>>>> Are you saying this operational configuration is not possible or just
>>>>>>> a bad idea?
>>>>>> Sounds like it'd be possible using Share-Level Security "security = share".
>>>>>> See
>>>>>> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2552417
>>>>>>
>>>>> ----
>>>>> NO - don't use security = share
>>>>>
>>>>> Craig
>>>>>
>>>> I don't think would, Craig.
>>>>
>>>> Question though, is how does one use samba authentication (aka standalone
>>>> server with separate authentication) while already logged into a windoze domain?
>>> ----
>>> Yes, Windows domain authentication is designed to give a single-sign-on
>>> authentication method and if the samba server is not connected to the
>>> domain either via security = [server | ads ] or via winbind, it's going
>>> to be a bit confused of a setup.
>>>
>>> If the samba server is not joined to the domain, then I would set the
>>> workgroup of that samba server to something other than the Windows
>>> domain and set security = user and then each user would have to
>>> authenticate to it separately as the domain credentials would be
>>> meaningless. Sort of like having a Windows XP Home system which is also
>>> not capable of participating in a Windows Domain security model.
>>>
>>> I have on occasion resorted to stupid dos command line scripts to
>>> connect Windows XP Home systems like this (from memory, please verify)
>>>
>>> net use f: \\SERVER_NAME\SHARE /USER:SAMBA_USER_NAME
>>>
>>> and it will prompt for the password and that script can be put into
>>> 'Startup' to execute on login.
>>>
>>> Also, managing users/groups separately is another burden as now you
>>> would have at least two places to maintain when adding/deleting users
>>> and groups.
>>>
>>> Craig
>>>
>> I suspect for this scenario you'd also want to use
>> domain master = no
>> domain logons = no
>> in the configuration, yes?
> ----
> domain logons = no is the default but if you are wanting to override to
> be certain then sure but there are tons of settings that revert to
> default if not explicitly stated. You can view them by doing 'testparm
> -s' and then 'testparm -s -v' and diff'ing the results.
>
> if domain logons = no then the 'domain master' setting is meaningless
> (default is auto)
>
> I don't think that setting these values explicitly as indicated above
> would matter
>
> Craig
>
Thanks for the clarification.
--
-Eric 'shubes'
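
The standalone setup Craig White describes in the quoted thread (a workgroup different from the Windows domain, `security = user`, no `security = share`, no domain logons) can be checked against an smb.conf before deployment; this is an added example, not part of the original messages. The function names, the sample file, and the names `EXAMPLEDOM` and `SAMBAONLY` are constructed for illustration, and the fallback defaults in the code are assumptions; `testparm -s -v` shows the effective values on a real system.

```python
import re

# Constructed sample smb.conf for a standalone server that is NOT joined to
# the Windows domain (EXAMPLEDOM and SAMBAONLY are made-up names).
SAMPLE_CONF = """\
[global]
   workgroup = SAMBAONLY
   security = user
   domain logons = no

[share]
   path = /srv/share
"""

def parse_global(text):
    """Return the [global] parameters as a dict with normalized names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse inner spaces.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_standalone(text, windows_domain):
    """List deviations from the standalone setup described in the thread."""
    g = parse_global(text)
    findings = []
    security = g.get("security", "user").lower()   # assumed default: user
    if security == "share":
        findings.append("security = share: the thread advises against it")
    elif security != "user":
        findings.append(f"security = {security}: expected user when not joined")
    workgroup = g.get("workgroup", "WORKGROUP")    # assumed default
    if workgroup.lower() == windows_domain.lower():
        findings.append("workgroup matches the Windows domain name")
    if g.get("domain logons", "no").lower() in ("yes", "true", "1"):
        findings.append("domain logons enabled on a standalone server")
    return findings

if __name__ == "__main__":
    print(audit_standalone(SAMPLE_CONF, "EXAMPLEDOM") or "no findings")
```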