SAMBA Tutorial
With Volker Lendecke
With 3.0.23, Samba has changed the internals of access controls considerably. Options like "valid users" have traditionally worked on the names of users, which gave problems in various places. In many situations it was not entirely clear which name was exactly meant, options like "winbind use default domain" and "map username" contributed to this mess.
3.0.23 changed this to a simple strategy, we are now completely based on SIDs and the NT-style token. This means that "valid users" has to convert the given names to SIDs before comparing them with the token created at login.
This tutorial will describe the authentication and authorization process of Windows and thus Samba in detail. Trusted domains, domain local groups, local and builtin groups into account are described, all of them contribute to the list of SIDs a user might be member of. The name lookup process will also be described, leading to correct and non-ambiguous use of the Samba options.
Volker Lendecke lives in Göttingen, Germany where he studied
Mathematics. His first patches to Samba are from 1994, he is
one of the first members of the Samba core Team. 1997
together with the colleagues from the university he founded
SerNet Service Network GmbH, a Linux and Security service
company now at 30 employees.