[Samba] Samba3 capable of AD auth. without matching Linux users?

Stefan Midjich swehack at gmail.com
Sun Jun 23 08:52:01 MDT 2013

My goal is to share a CIFS volume from Linux, to Windows clients, using
Samba 3.6 and only authenticate users over AD.

I do not want one local Linux user for each AD user, in other words. I want
all users connecting to CIFS to use one shared local user for FS
operations. So the CIFS share will be owned by one local user that all AD
users will use when they use the CIFS volume.

Is this possible in Samba 3.6?

I ask because I can't make heads or tails of the documentation. I've
managed to piece together a winbind/krb5 configuration that allows me to do
the following.

 * Get a Kerberos token from a Windows 2008 AD server (not R2)
 * net ads join my Linux host into the Windows 2008 AD
 * List users and groups in the AD using wbinfo and getent -s winbind

But whenever I try to login to my share from a Windows server in the same
AD, it says the user "is invalid on this system". Unless I keep a local
user matching that same AD sAMAccountName as the user logging in.

Here is my current smb.conf

[global]
 workgroup = DOMAIN
 server string = %h server
 security = ads
 allow trusted domains = no
 local master = no
 domain master = no
 interfaces = eth0
 bind interfaces only = yes
 log level = 0 auth:10 smb:10
 log file = /var/log/samba/log.%m
 max log size = 1000
#syslog only = no
 syslog = 0
 load printers = no
 printing = bsd
 printcap name = /etc/printcap

# Bug #8676 workaround
 idmap config * : backend = tdb
 idmap config * : range = 2000-4999
 idmap config DOMAIN : backend = rid
 idmap config DOMAIN : range = 10000-49999
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
 encrypt passwords = yes
 valid users = @"Domain Users"

# The section headers were lost from the posted copy; "[global]" above and the
# share name below have been restored, the share name "html" being an assumption
# taken from the comment line.
[html]
 comment = HTML share
 path = /var/www/website.domain.local
# share-level "valid users" replaces the global "valid users" for this share
 valid users = share
 writable = yes
# all filesystem operations on this share run as local user/group "share"
 force user = share
 force group = share
 force directory mode = 0775
 force create mode = 0664

Here is my current krb5.conf

[libdefaults]
 default_realm = DOMAIN.LOCAL
 ticket_lifetime = 24000
# the option is spelled "clockskew" (no hyphen) in both MIT and Heimdal
 clockskew = 300

# section header and realm block restored; they were lost from the posted copy
[realms]
 DOMAIN.LOCAL = {
  kdc = DC02.DOMAIN.LOCAL:88
  admin_server = DC02.DOMAIN.LOCAL:464
  default_domain = DOMAIN.LOCAL
 }


There are several DCs, but I picked one because the docs I was reading made
it seem like you had to pick one for Kerberos.

The machine is using the DCs' DNS, so all the domains involved here (all the
DCs, the machine's domain, the clients) can be resolved. Despite this, I have
also added some domains to /etc/hosts.       webb04.domain.local webb04   webb04.domain.local     webb04 DC02.DOMAIN.LOCAL DC02 DOMAIN.LOCAL

My /etc/resolv.conf reflects the AD setup in the network.

domain domain.local
search domain.local

With this configuration on Debian Wheezy I can run kinit to get a token
using an AD administrator account.

Then I can run net ads join -U Administrator and enter the same account's
password, to join the domain.

After that I can run wbinfo -u to list all users from the Windows AD servers.
I can also run getent -s winbind passwd username to see information for
that user, like this.

Of course this is meta information, that user does not exist on my Linux
server. At least that is my understanding.

Hälsningar / Greetings
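Added example, not code from the original post or from the Samba project: a small POSIX sh/awk checker that resolves the effective value of an smb.conf parameter for a share, because Samba applies a share-level parameter in preference to the same parameter in [global]. In the configuration posted above the share sets `valid users = share` on top of the global `valid users = @"Domain Users"`, so only the local account `share` is admitted to that share while `force user = share` alone already gives the single-owner filesystem semantics the post is after. The sample config is constructed here and modelled on the post; the share names `html` and `html-fixed` are assumptions, and the `[html-fixed]` section shows the variant that keeps `force user` but lets the domain group in.

```shell
#!/bin/sh
# Added example (not from the original post): show the effective value of an
# smb.conf parameter for a share, so a share-level override of a [global]
# setting is visible before testing against a Windows client. POSIX sh + awk,
# runs offline on a constructed sample config.

# Constructed sample modelled on the post; section headers restored, share
# names are assumptions. [html-fixed] is the corrected variant.
SAMPLE_SMB_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SMB_CONF"' EXIT
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
 workgroup = DOMAIN
 security = ads
 idmap config * : backend = tdb
 idmap config * : range = 2000-4999
 idmap config DOMAIN : backend = rid
 idmap config DOMAIN : range = 10000-49999
 winbind use default domain = yes
 valid users = @"Domain Users"

[html]
 comment = HTML share
 path = /var/www/website.domain.local
 valid users = share
 writable = yes
 force user = share
 force group = share

[html-fixed]
 comment = HTML share, domain users mapped to one local owner
 path = /var/www/website.domain.local
 valid users = @"Domain Users"
 writable = yes
 force user = share
 force group = share
EOF

# effective_param CONF SHARE PARAM
# Prints the value Samba applies to SHARE: the share's own setting if present,
# otherwise the [global] one, otherwise nothing. Section and parameter names
# are compared case-insensitively and with whitespace removed, as Samba does;
# within a section the last occurrence wins. Lines before any header are
# treated as [global] here.
effective_param() {
    awk -v share="$2" -v param="$3" '
        BEGIN { share = tolower(share); gsub(/[ \t]/, "", param); param = tolower(param); sec = "global" }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        index($0, "=") > 0 {
            key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) != param) next
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (sec == "global") { gval = val; gset = 1 }
            else if (sec == share) { sval = val; sset = 1 }
        }
        END { if (sset) print sval; else if (gset) print gval }
    ' "$1"
}

# global_param CONF PARAM: the [global] value only (empty share name matches no section).
global_param() { effective_param "$1" "" "$2"; }

# share_overrides_global CONF SHARE PARAM: true when the share's effective
# value differs from the global one.
share_overrides_global() {
    [ "$(effective_param "$1" "$2" "$3")" != "$(global_param "$1" "$3")" ]
}

# share_admits_domain_group CONF SHARE: true when the effective "valid users"
# is unset (any authenticated user) or names at least one group (@, + or &
# prefix); false when it lists individual accounts only, which is what locks
# domain users out of the posted share.
share_admits_domain_group() {
    vu=$(effective_param "$1" "$2" "valid users")
    [ -z "$vu" ] && return 0
    case "$vu" in
        *@*|*+*|*"&"*) return 0 ;;
        *) return 1 ;;
    esac
}

for share in html html-fixed; do
    if share_admits_domain_group "$SAMPLE_SMB_CONF" "$share"; then
        verdict="domain group admitted, FS access as the forced user"
    else
        verdict="only the listed accounts can connect"
    fi
    printf '[%s] valid users=%s  force user=%s  -> %s\n' "$share" \
        "$(effective_param "$SAMPLE_SMB_CONF" "$share" 'valid users')" \
        "$(effective_param "$SAMPLE_SMB_CONF" "$share" 'force user')" "$verdict"
done
```

Point the functions at the real /etc/samba/smb.conf to check a live host; `testparm -s` remains the authoritative syntax check, but it does not tell you which of two conflicting `valid users` lines wins for a given share.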


