[Samba] How to use AD authentication for normal Samba file sharing
Rowland Penny
rpenny at samba.org
Tue Nov 28 08:51:52 UTC 2017
See inline comments:
On Tue, 28 Nov 2017 00:08:42 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:
> I guess I'm answering my own questions on this thread!
>
> I believe I've found the answer to my last issue on this. To my
> smb.conf (message below), add:
>
> force user ohprso
> force group ohprs
>
> I've tested it and the Domain user 10001.10001 was able to create a
> file on the samba share as 1001.103.
Of course this works; you are forcing everybody and every group to be
just one user and just one group.
>
> If that seems wrong to anyone on this list, please advise. Even if it
> looks right, perhaps post a "Yes, that looks right", so I know these
> messages are making it to the list!
>
> --Mark
>
> -----Original Message-----
> Date: Mon, 27 Nov 2017 18:22:47 -0500
> Organization: Ohio Highway Patrol Retirement System
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to use AD authentication for normal Samba
> file sharing
> From: Mark Foley via samba <samba at lists.samba.org>
>
> With help from kjhambrick at linuxquestions.org I did figure out how
> to authenticate from a Window domain member to a samba share using AD
> credentials. My smb.conf is listed below. I was able to map the
> share from Windows using domain credentials and create a file on the
> share.
>
> Here's my next challenge: All the UID.GIDs on the share (287G and
> +105K files) are currently the non-AD values of 1001.301. For the
> time being, I'd like to keep all files, and all newly created files
> with this UID.GID.
>
> How can I do this? On the "classic" samba share (not AD
> authentication) this was accomplished by:
>
> guest account = ohprso # where ohprso's UID = 1001
>
> I've seen the smb.conf setting:
>
> !<server user> = <client user>
I have never seen such lines in smb.conf; it is a line from a
user.map, e.g. !root = Administrator
>
> but I'm not sure that's appropriate in this case.
>
> Is there such a mechanism for AD authenticated clients?
>
> Thanks --Mark
>
> my AD Authenticating smb.conf:
>
> [global]
> netbios name = OHPRSSTORAGE
>
> server string = HPRS NAS server
>
> domain master = no
> prefered master = no
>
> realm = HPRS.LOCAL
> workgroup = HPRS
> usershare allow guests = Yes # Do I need this?
Do you use usershares ?
> usershare max shares = 10
> security = ADS
> template shell = /bin/bash
>
> max log size = 10000
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> [public]
> path = /mnt/RAID/public
>
> hide dot files = yes
> map hidden = yes
> hide files = /Outlook/outlook/~*/
>
> veto oplock files = /OfficeCalendar.pst/
>
> inherit acls = yes
> valid users = @"domain users"
>
> locking = yes
> public = yes
> writeable = yes
> browseable = yes
> printable = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0771
Nice Unix domain member smb.conf you have got there; you might as well
go the whole hog now and run 'net ads join -U Administrator' and have
all the benefits of being a domain member, because what you have now
is, for all intents and purposes, a Unix domain member.
Rowland
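An added example, not from the thread or from the Samba project, that makes Rowland's point checkable: it parses an smb.conf and reports shares where `force user` collapses every authenticated client to one UID (so file ownership no longer identifies who wrote what), and idmap ranges that overlap. The helper names `parse_smb_conf` and `audit` are my own, and the embedded config is constructed from the smb.conf posted in the thread plus the two "force" lines the poster added.

```python
import re

# Constructed from the smb.conf posted in the thread plus the two "force"
# lines the poster added; only the parameters relevant to the audit are kept.
SMB_CONF = """
[global]
  idmap config *:range = 2000-9999
  idmap config HPRS:range = 10000-10099
[public]
  valid users = @"domain users"
  force user = ohprso
  force group = ohprs
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and whitespace
    in parameter names, so they are normalised the same way here."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def audit(conf):
    """Flag 'force user' on shares (every client becomes one UID) and
    idmap ranges that overlap (Samba requires them to be disjoint)."""
    findings = []
    for share, params in conf.items():
        if share != "global" and "forceuser" in params:
            findings.append(f"[{share}] force user = {params['forceuser']}: "
                            "every client writes as this UID, per-user "
                            "ownership and audit trail are lost")
    ranges = []
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings
```

Run `audit(parse_smb_conf(SMB_CONF))` to get the findings list; with the posted config it reports only the `force user` collapse, because the two idmap ranges are disjoint.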