[Samba] Samba3 capable of AD auth. without matching Linux users?
Stefan Midjich
swehack at gmail.com
Sun Jun 23 14:44:33 MDT 2013
I eventually got it working with the following configuration, in case any
googlers find it helpful.
I wrote it all down here on this wiki:
http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba just so I
would not forget until tomorrow. :)
It's in Swedish but all the configuration files are recognizable.
I'm not sure about many of the options, like idmap backend, so I will
investigate them in the morning when I write a proper installation manual.
Just to remove things I don't need.
2013/6/23 Stefan Midjich <swehack at gmail.com>
> My goal is to share a CIFS volume from Linux, to Windows clients, using
> Samba 3.6 and only authenticate users over AD.
>
> I do not want one local Linux user for each AD user, in other words. I
> want all users connecting to CIFS to use one shared local user for FS
> operations. So the CIFS share will be owned by one local user that all AD
> users will use when they use the CIFS volume.
>
> Is this possible in Samba 3.6?
>
> I ask because I can't make heads nor tails of the documentation. I've
> managed to piece together a winbind/krb5 configuration that allows me to do
> the following.
>
> * Get kerberos token from Windows 2008 AD server (not r2)
> * net ads join my Linux host into the Windows 2008 AD
> * List users and groups in the AD using wbinfo, and getent -s winbind
>
> But whenever I try to login to my share from a Windows server in the same
> AD, it says the user "is invalid on this system". Unless I keep a local
> user matching that same AD sAMAccountName as the user logging in.
>
> Here is my current smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = %h server
> security = ads
> allow trusted domains = no
> local master = no
> domain master = no
> interfaces = eth0 10.221.111.51/24
> bind interfaces only = yes
> log level = 0 auth:10 smb:10
> log file = /var/log/samba/log.%m
> max log size = 1000
> #syslog only = no
> syslog = 0
> load printers = no
> printing = bsd
> printcap name = /etc/printcap
>
> # Bug #8676 workaround
> idmap config * : backend = tdb
> idmap config * : range = 2000-4999
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000-49999
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> encrypt passwords = yes
> valid users = @"Domain Users"
>
> [www]
> comment = HTML share
> path = /var/www/website.domain.local
> valid users = share
> writable = yes
> force user = share
> force group = share
> force directory mode = 0775
> force create mode = 0664
>
> Here is my current krb5.conf
>
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> ticket_lifetime = 24000
> clockskew = 300
>
> [realms]
> DOMAIN.LOCAL = {
> kdc = DC02.DOMAIN.LOCAL:88
> admin_server = DC02.DOMAIN.LOCAL:464
> default_domain = DOMAIN.LOCAL
> }
>
> [domain_realm]
> # maps DNS names to the realm name, not to a KDC host
> .DOMAIN.LOCAL = DOMAIN.LOCAL
> DOMAIN.LOCAL = DOMAIN.LOCAL
>
> There are several DCs but I picked one because the docs I was reading
> made it seem like you had to pick one for kerberos.
>
> The machine is using the DC DNS so all domains involved here, all the
> DCs, the machine's domain, the clients, can be resolved. However, I have,
> despite this, added some domains to /etc/hosts.
>
> 127.0.0.1 webb04.domain.local webb04
> 10.221.111.51 webb04.domain.local webb04
>
> 10.221.111.16 DC02.DOMAIN.LOCAL DC02
>
> 10.221.111.10 DOMAIN.LOCAL
>
> My /etc/resolv.conf reflects the AD setup in the network.
>
> domain domain.local
> search domain.local
> nameserver 10.221.111.10
> nameserver 10.221.111.16
>
> With this configuration on Debian Wheezy I can run kinit to get a token
> using an AD administrator account.
>
> Then I can run net ads join -U Administrator and enter the same account's
> password, to join the domain.
>
> After that I can run wbinfo -u to list all users in the Windows AD
> servers. I can also run getent -s winbind passwd username to see
> information for that user like this.
> stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false
>
> Of course this is meta information; that user does not exist on my Linux
> server. At least that is my understanding.
>
> --
> Hälsningar / Greetings
>
> http://Stefan.Midjich.name
>
--
Hälsningar / Greetings
http://Stefan.Midjich.name
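Added example, not part of the thread or of Samba itself: a small audit script that reads the smb.conf posted above and reports the two configuration traps relevant to the question. First, Samba share parameters override the [global] defaults, so the share-level `valid users = share` in [www] is what decides who may connect to that share, not the global `valid users = @"Domain Users"`. Second, with `security = ads` Samba still has to map the authenticated domain account to a Unix identity; that mapping is what the winbind NSS module in /etc/nsswitch.conf provides, and the `getent -s winbind` in the post suggests it is being invoked explicitly rather than through nsswitch. The parser is a deliberately minimal INI reader (real Samba treats keys case-insensitively and knows many synonyms); the smb.conf text is copied from the post with unrelated lines dropped, and both nsswitch.conf samples are constructed.

```python
"""Audit an smb.conf for share-level 'valid users' overrides, a missing
winbind NSS entry, and overlapping idmap ranges (added example)."""
import re

# smb.conf from the post above, trimmed to the relevant parameters
SMB_CONF = """
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-4999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-49999
winbind use default domain = yes
valid users = @"Domain Users"

[www]
comment = HTML share
path = /var/www/website.domain.local
valid users = share
writable = yes
force user = share
force group = share
"""

# Constructed nsswitch.conf contents: one without winbind, one with it
NSSWITCH_NO_WINBIND = "passwd: compat\ngroup: compat\n"
NSSWITCH_WITH_WINBIND = "passwd: compat winbind\ngroup: compat winbind\n"


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}.
    Keys are kept as written (whitespace normalised); '#' and ';' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip()
            conf[section] = {}
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split())] = value.strip()
    return conf


def effective(conf, share, key):
    """Samba semantics: a share-level value overrides the [global] default."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key))


def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range' keys."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1)] = (low, high)
    return ranges


def audit(smb_conf_text, nsswitch_text):
    """Return a list of human-readable findings (empty list = nothing flagged)."""
    conf = parse_smb_conf(smb_conf_text)
    findings = []
    # 1. share-level 'valid users' silently replaces the global one
    for share, params in conf.items():
        if share == "global":
            continue
        local_vu = params.get("valid users")
        if local_vu and local_vu != conf["global"].get("valid users"):
            findings.append(f"[{share}] 'valid users = {local_vu}' overrides the global "
                            "'valid users' and decides who may connect to this share")
    # 2. security = ads needs domain accounts resolvable via NSS (getpwnam),
    #    which the winbind module on the passwd line provides
    passwd = re.search(r"^passwd:\s*(.*)$", nsswitch_text, re.M)
    if effective(conf, "global", "security") == "ads" and (
            not passwd or "winbind" not in passwd.group(1).split()):
        findings.append("nsswitch.conf: 'passwd' line has no winbind entry, so domain "
                        "accounts cannot be mapped to a Unix identity")
    # 3. idmap ranges for different backends must not overlap
    ranges = idmap_ranges(conf)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (al, ah), (bl, bh) = ranges[a], ranges[b]
            if al <= bh and bl <= ah:
                findings.append(f"idmap ranges for '{a}' and '{b}' overlap")
    return findings


if __name__ == "__main__":
    for finding in audit(SMB_CONF, NSSWITCH_NO_WINBIND):
        print("-", finding)
```

Run against the posted configuration the script reports the [www] override and, with the winbind-less nsswitch sample, the missing NSS entry; the two idmap ranges (2000-4999 for `*`, 10000-49999 for DOMAIN) do not overlap and pass. On a real host, compare its output with `testparm -s` and `getent passwd <domainuser>` (without `-s winbind`) before trusting the mapping.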