[Samba] Samba3 capable of AD auth. without matching Linux users?
Stefan Midjich
swehack at gmail.com
Sun Jun 23 08:52:01 MDT 2013
My goal is to share a CIFS volume from Linux, to Windows clients, using
Samba 3.6 and only authenticate users over AD.
I do not want one local Linux user for each AD user, in other words. I want
all users connecting to CIFS to use one shared local user for FS
operations. So the CIFS share will be owned by one local user that all AD
users will use when they use the CIFS volume.
Is this possible in Samba 3.6?
I ask because I can't make heads nor tails of the documentation. I've
managed to piece together a winbind/krb5 configuration that allows me to do
the following.
* Get kerberos token from Windows 2008 AD server (not r2)
* net ads join my Linux host into the Windows 2008 AD
* List users and groups in the AD using wbinfo, and getent -s winbind
But whenever I try to login to my share from a Windows server in the same
AD, it says the user "is invalid on this system". Unless I keep a local
user matching that same AD sAMAccountName as the user logging in.
Here is my current smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = %h server
security = ads
allow trusted domains = no
local master = no
domain master = no
interfaces = eth0 10.221.111.51/24
bind interfaces only = yes
log level = 0 auth:10 smb:10
log file = /var/log/samba/log.%m
max log size = 1000
#syslog only = no
syslog = 0
load printers = no
printing = bsd
printcap name = /etc/printcap
# Bug #8676 workaround
idmap config * : backend = tdb
idmap config * : range = 2000-4999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-49999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
valid users = @"Domain Users"
[www]
comment = HTML share
path = /var/www/website.domain.local
valid users = share
writable = yes
force user = share
force group = share
force directory mode = 0775
force create mode = 0664
Here is my current krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
ticket_lifetime = 24000
clock-skew = 300
[realms]
DOMAIN.LOCAL = {
kdc = DC02.DOMAIN.LOCAL:88
admin_server = DC02.DOMAIN.LOCAL:464
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
There are several DC's but I picked one because the docs I was reading made
it seem like you had to pick one for kerberos.
The machine is using the DC DNS so all domains involved here, all the DC's,
the machines domain, the clients, can be resolved. However, I have despite
this added some domains to /etc/hosts.
127.0.0.1 webb04.domain.local webb04
10.221.111.51 webb04.domain.local webb04
10.221.111.16 DC02.DOMAIN.LOCAL DC02
10.221.111.10 DOMAIN.LOCAL
My /etc/resolv.conf reflects the AD setup in the network.
domain domain.local
search domain.local
nameserver 10.221.111.10
nameserver 10.221.111.16
With this configuration on Debian Wheezy I can run kinit to get a token
using an AD administrator account.
Then I can run net ads join -U Administrator and enter the same accounts
password, to join the domain.
After that I can run wbinfo -u to list all users in the Windows AD servers.
I can also run getent -s winbind passwd username to see information for
that user like this.
stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false
Of course this is meta information, that user does not exist on my Linux
server. At least that is my understanding.
--
Hälsningar / Greetings
http://Stefan.Midjich.name
More information about the samba
mailing list