[Samba] AD authentication for local users

Mark Drayton mark at markdrayton.info
Tue Nov 3 09:19:13 MST 2009


We have a lot of Linux development servers (RHEL 5.3, Samba 3.0.33)
which are generally accessed via SSH. Each developer has a local
account on each box, managed by Puppet. Logins are via private keys
only; there are no local passwords.

I'd like to run Samba on these boxes and authenticate against our AD
domain. I don't want AD authentication for anything besides Samba --
the only other service we run is SSH via keys.

Here's my smb.conf:

[global]
 workgroup = DOMAIN
 server string = Samba Server Version %v
 security = ADS
 realm = DOMAIN.FQDN
 encrypt passwords = yes
 log level = 3
 log file = /var/log/samba/%U.log

[homes]
 comment = Home Directories
 browseable = no
 writable = yes

I'm pretty sure the Kerberos configuration is fine as I've joined the domain.

Relevant (i.e., non-standard) nsswitch.conf lines:

passwd:     files winbind
group:      files winbind

It looks like the problem is AD UID to UNIX UID mapping. The default
TDB backend will create 'virtual' UNIX accounts on demand but I don't
want this -- I want user 'foo' to map to the local user 'foo'. If I
add idmap uid and idmap gid lines the users authenticate okay but the
TDB idmap backend wants to map a new user instead of using the
existing UNIX account by the same name.

Is this a workable configuration? I feel like I've tried every
combination of PAM fiddling and idmap settings possible for what seems
like a straightforward setup.
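Added example (not from the original post or from any reply to it): one smb.conf layout for the setup described above, where winbind is told to resolve the primary domain's users through the local passwd/group databases rather than allocating fresh ids in the tdb store. The domain name, realm and id ranges are placeholders; the `idmap domains` / `idmap config DOMAIN:backend = nss` keys are the idmap_nss module's syntax and should be checked against `man idmap_nss` and `man smb.conf` for the exact Samba release in use.

```ini
[global]
   workgroup = DOMAIN
   realm = DOMAIN.FQDN
   security = ADS
   encrypt passwords = yes

   ; Assumed settings (not in the original post): map the primary domain's
   ; users via nss, so AD user 'foo' resolves to the existing local 'foo'
   ; instead of getting a new uid allocated by the tdb backend.
   idmap domains = DOMAIN
   idmap config DOMAIN:backend = nss
   idmap config DOMAIN:readonly = yes

   ; Range for ids winbind may still need to allocate (e.g. BUILTIN groups).
   ; Placeholder values for this example; they must not overlap local uids.
   idmap uid = 10000-20000
   idmap gid = 10000-20000

   ; Hand back 'foo' rather than 'DOMAIN\foo' so the name winbind returns
   ; matches the local account name exactly.
   winbind use default domain = yes

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
```

After editing, `testparm` reports syntax errors, and comparing the uid from `getent passwd foo` with the one from `wbinfo -i foo` (after restarting winbindd) shows whether the AD user now lands on the local account; a mismatch means winbind is still allocating ids. On older 3.0 releases the legacy `winbind trusted domains only = yes` option served the same purpose and is the fallback if the idmap_nss keys are not accepted.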



