[Samba] winbind and authentication with local accounts

Philipp Braband PBraband at sul.de
Tue Jul 13 03:00:06 MDT 2010

Hi everyone,

I have a problem with my samba and winbind configuration:

before I switched the config (from local user authentication to AD authentication using winbind) my users were able to authenticate for example as “peter”. Now, after switching, they are forced to use SAMBASERVERNAME\peter. If they use only “peter” winbind tries to authenticate them against the AD which fails. Is there a way to “teach” winbind to try to authenticate every user locally if they dont use DOMAIN\peter ?
Hope you understand my problem in spite of my bad English ☺

My configuration:



        workgroup = DOMAIN
        netbios aliases = SAMBASERVER
        interfaces = eth0,
        bind interfaces only = Yes
        ;security = ADS
        security = ADS
        password server =
        load printers = No
        disable spoolss = Yes
        show add printer wizard = No
        ;printcap name = cups
        logon path = \\%L\profiles\.msprofile
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        encrypt passwords = Yes
        smb passwd file = /etc/samba/smbpasswd
        username map = /etc/samba/smbusers
        kernel oplocks = No
        ldap ssl = no
        printing = bsd
        ;cups options = raw
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        include = /etc/samba/dhcp.conf
        log level = 1
        realm = DOMAIN.DE
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare allow guests = No
        winbind refresh tickets = yes
        winbind offline logon = yes
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes

        idmap backend = ad
        idmap config DOMAIN : backend = ad
        winbind nss info = rfc2307


        default_realm = DOMAIN.DE
        clockskew = 300

        kdc =
        admin_server =
        default_domain = domain.de

        kdc = FILE:/var/log/krb5/krb5kdc.log
        admin_server = FILE:/var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON

        .domain.de = DOMAIN.DE

pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1


S&L Netzwerktechnik GmbH
Philipp Braband
Networking Team

Florinstrasse 18
56218 Muelheim-Kaerlich

Telefon: +49 261 92736 308
Email:   PBraband at sul.de
www:     http://www.sul.de
www:     http://www.controlseries.de
www:     http://www.monitoring-solution.de

S&L Netzwerktechnik GmbH - Geschaeftsfuehrer Goetz Schmitt, Oliver Schmitt
Sitz der Gesellschaft: Muelheim-Kaerlich - Amtsgericht Koblenz HRB 135 53
USt-ID: DE 171698897 - USt-ID: Luxembourg LU 18934643

Diese E-Mail kann vertrauliche und/oder rechtlich geschuetzte Informationen enthalten. Wenn Sie nicht der beabsichtigte Empfaenger sind oder diese E-Mail irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender telefonisch oder per E-Mail und loeschen Sie diese E-Mail aus Ihrem System. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail ist nicht gestattet. Wir haften nicht fuer die Unversehrtheit von E-Mails, nachdem sie unseren Einflussbereich verlassen haben.

This e -mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately by call or e-mail and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. We are not responsible for the integrity of e-mails after they have left our sphere of control.

More information about the samba mailing list