[Samba] winbind and authentication with local accounts

Philipp Braband PBraband at sul.de
Wed Jul 14 02:17:31 MDT 2010


Hi Rob,

thank you for your answer. 

>Depends on where you're talking about your users authenticating
My users should authenticate when they try to access a samba share. I don’t want to reconfigure every mapped samba share on the clients; because of this, I want to use the "old" local accounts (like "peter", not "SAMBASERVER\peter").

I already tried "winbind use default domain = yes", and after a winbind restart authentication failed for every user. I think the problem is that the users in the Active Directory have the same names (and UIDs) as the local users (because they are mapped with "idmap backend = ad").

Cheers,
Philipp 



>From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On behalf of Rob Moser
>Sent: Tuesday, 13 July 2010 17:09
>To: samba at lists.samba.org
>Subject: Re: [Samba] winbind and authentication with local accounts
>
>Depends on where you're talking about your users authenticating, but it
>sounds like you need a:
>
>winbind use default domain = yes
>
>in your smb.conf.
>
>	- rob.
>
>On 07/13/2010 02:00 AM, Philipp Braband wrote:
> Hi everyone,
> 
> I have a problem with my samba and winbind configuration:
> 
> Before I switched the config (from local user authentication to AD authentication using winbind) my users were able to authenticate for example as “peter”. Now, after switching, they are forced to use SAMBASERVERNAME\peter. If they use only “peter” winbind tries to authenticate them against the AD, which fails. Is there a way to “teach” winbind to try to authenticate every user locally if they don't use DOMAIN\peter?
> Hope you understand my problem in spite of my bad English ☺
> 
> 
> My configuration:
> 
> SLES11 SP0
> samba-3.2.7-11.6
> samba-winbind-3.2.7-11.6
> krb5-1.6.3-133.10
> 
> 
> smb.conf:
> 
> [global]
>         workgroup = DOMAIN
>         netbios aliases = SAMBASERVER
>         interfaces = eth0, 127.0.0.1/8
>         bind interfaces only = Yes
>         ;security = ADS
>         security = ADS
>         password server = 192.168.1.1
>         load printers = No
>         disable spoolss = Yes
>         show add printer wizard = No
>         ;printcap name = cups
>         logon path = \\%L\profiles\.msprofile
>         logon drive = P:
>         logon home = \\%L\%U\.9xprofile
>         encrypt passwords = Yes
>         smb passwd file = /etc/samba/smbpasswd
>         username map = /etc/samba/smbusers
>         kernel oplocks = No
>         ldap ssl = no
>         printing = bsd
>         ;cups options = raw
>         print command = lpr -r -P'%p' %s
>         lpq command = lpq -P'%p'
>         lprm command = lprm -P'%p' %j
>         include = /etc/samba/dhcp.conf
>         log level = 1
>         realm = DOMAIN.DE
>         template homedir = /home/%D/%U
>         template shell = /bin/bash
>         usershare allow guests = No
>         winbind refresh tickets = yes
>         winbind offline logon = yes
>         idmap gid = 10000-20000
>         idmap uid = 10000-20000
>         winbind enum users = yes
>         winbind enum groups = yes
> 
>         idmap backend = ad
>         idmap config DOMAIN : backend = ad
>         winbind nss info = rfc2307
> 
> 
> 
> krb5.conf
> 
> 
> [libdefaults]
>         default_realm = DOMAIN.DE
>         clockskew = 300
> 
> 
> [realms]
> DOMAIN.DE = {
>         kdc = 192.168.1.1
>         admin_server = 192.168.1.1
>         default_domain = domain.de
> }
> 
> 
> 
> 
> [logging]
>         kdc = FILE:/var/log/krb5/krb5kdc.log
>         admin_server = FILE:/var/log/krb5/kadmind.log
>         default = SYSLOG:NOTICE:DAEMON
> 
> 
> 
> [domain_realm]
>         .domain.de = DOMAIN.DE
> 
> 
> 
> [appdefaults]
> pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = false
>         minimum_uid = 1
> }
> 
> 
> Cheers,
> Philipp
> 
> ________________________________________________
> S&L Netzwerktechnik GmbH
> Philipp Braband
> Networking Team
> 
> Florinstrasse 18
> 56218 Muelheim-Kaerlich
> 
> Telefon: +49 261 92736 308
> Fax:
> Email:   PBraband at sul.de
> www:     http://www.sul.de
> www:     http://www.controlseries.de
> www:     http://www.monitoring-solution.de
> ________________________________________________
> 
> 
> 
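
Added example, not part of the original thread: the overlap between local and AD accounts that the reply above suspects can be checked by comparing two passwd-format listings for shared short names and shared UIDs. The function names, file names and sample rows below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. File names and sample rows are constructed.

# find_collisions LOCAL DOMAIN
# Both files are in passwd format (name:pw:uid:...). Names in DOMAIN may carry
# a "DOMAIN\" prefix. Prints one line per clash:
#   NAME <name> ...  same short name in both sources
#   UID <uid> ...    different names that share a numeric UID
find_collisions() {
    awk -F: '
        function short(n) { sub(/^.*\\/, "", n); return tolower(n) }
        /^#/ || NF < 3 { next }
        NR == FNR { lname[short($1)] = $3; luid[$3] = $1; next }
        {
            n = short($1)
            if (n in lname)
                printf "NAME %s local_uid=%s domain_uid=%s\n", n, lname[n], $3
            else if ($3 in luid)
                printf "UID %s local=%s domain=%s\n", $3, luid[$3], $1
        }
    ' "$1" "$2"
}

# make_sample DIR: write constructed sample inputs into DIR.
make_sample() {
    cat > "$1/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
peter:x:1001:100:Peter:/home/peter:/bin/bash
maria:x:1002:100:Maria:/home/maria:/bin/bash
EOF
    cat > "$1/domain.passwd" <<'EOF'
DOMAIN\peter:*:1001:10000:Peter:/home/DOMAIN/peter:/bin/bash
DOMAIN\anna:*:10005:10000:Anna:/home/DOMAIN/anna:/bin/bash
DOMAIN\svc:*:1002:10000::/home/DOMAIN/svc:/bin/bash
EOF
}

dir=$(mktemp -d)
make_sample "$dir"
find_collisions "$dir/local.passwd" "$dir/domain.passwd"
rm -rf "$dir"
```

On a live server the domain file could be assembled from `wbinfo -i <name>` for each name listed by `wbinfo -u`; that step is not shown here.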
