[Samba] AD authentication for local users
mark at markdrayton.info
Tue Nov 3 09:19:13 MST 2009
We have a lot of Linux development servers (RHEL 5.3, Samba 3.0.33)
which are generally accessed via SSH. Each developer has a local
account on each box, managed by Puppet. Logins are via private keys
only; there are no local passwords.
I'd like to run Samba on these boxes and authenticate against our AD
domain. I don't want AD authentication for anything besides Samba --
the only other service we run is SSH via keys.
Here's my smb.conf:
workgroup = DOMAIN
server string = Samba Server Version %v
security = ADS
realm = DOMAIN.FQDN
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%U.log
comment = Home Directories
browseable = no
writable = yes
I'm pretty sure the Kerberos configuration is fine as I've joined the domain.
Relevant (ie, non-standard) nsswitch.conf lines:
passwd: files winbind
group: files winbind
It looks like the problem is AD UID to UNIX UID mapping. The default
TDB backend will create 'virtual' UNIX accounts on demand but I don't
want this -- I want user 'foo' to map to the local user 'foo'. If I
add idmap uid and idmap gid lines the users authenticate okay but the
TDB idmap backend wants to map a new user instead of using the
existing UNIX account by the same name.
Is this a workable configuration? I feel like I've tried every
combination of PAM fiddling and idmap settings possible for what seems
like a straightforward setup.
More information about the samba