[Samba] Samba3 capable of AD auth. without matching Linux users?

Stefan Midjich swehack at gmail.com
Sun Jun 23 14:44:33 MDT 2013


I eventually got it working with the following configuration, in case any
googlers find it helpful.

I wrote it all down here on this wiki:
http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba just so I
would not forget until tomorrow. :)

It's in Swedish but all the configuration files are recognizable.

I'm not sure about many of the options, like idmap backend, so I will
investigate them in the morning when I write a proper installation manual,
just to remove things I don't need.


2013/6/23 Stefan Midjich <swehack at gmail.com>

> My goal is to share a CIFS volume from Linux, to Windows clients, using
> Samba 3.6 and only authenticate users over AD.
>
> I do not want one local Linux user for each AD user, in other words. I
> want all users connecting to CIFS to use one shared local user for FS
> operations. So the CIFS share will be owned by one local user that all AD
> users will use when they use the CIFS volume.
>
> Is this possible in Samba 3.6?
>
> I ask because I can't make heads or tails of the documentation. I've
> managed to piece together a winbind/krb5 configuration that allows me to do
> the following.
>
>  * Get a Kerberos token from a Windows 2008 AD server (not R2)
>  * net ads join my Linux host into the Windows 2008 AD
>  * List users and groups in the AD using wbinfo and getent -s winbind
>
> But whenever I try to login to my share from a Windows server in the same
> AD, it says the user "is invalid on this system". Unless I keep a local
> user matching that same AD sAMAccountName as the user logging in.
>
> Here is my current smb.conf
>
> [global]
>  workgroup = DOMAIN
>  realm = DOMAIN.LOCAL
>  server string = %h server
>  security = ads
>  allow trusted domains = no
>  local master = no
>  domain master = no
>  interfaces = eth0 10.221.111.51/24
>  bind interfaces only = yes
>  log level = 0 auth:10 smb:10
>  log file = /var/log/samba/log.%m
>  max log size = 1000
> #syslog only = no
>  syslog = 0
>  load printers = no
>  printing = bsd
>  printcap name = /etc/printcap
>
> # Bug #8676 workaround
>  idmap config * : backend = tdb
>  idmap config * : range = 2000-4999
>  idmap config DOMAIN : backend = rid
>  idmap config DOMAIN : range = 10000-49999
>  winbind use default domain = yes
>  winbind enum users = yes
>  winbind enum groups = yes
>  encrypt passwords = yes
>  valid users = @"Domain Users"
>
> [www]
>  comment = HTML share
>  path = /var/www/website.domain.local
>  valid users = share
>  writable = yes
>  force user = share
>  force group = share
>  force directory mode = 0775
>  force create mode = 0664
>
> Here is my current krb5.conf
>
> [libdefaults]
>  default_realm = DOMAIN.LOCAL
>  ticket_lifetime = 24000
>  clock-skew = 300
>
> [realms]
>  DOMAIN.LOCAL = {
>   kdc = DC02.DOMAIN.LOCAL:88
>   admin_server = DC02.DOMAIN.LOCAL:464
>   default_domain = DOMAIN.LOCAL
>  }
>
> [domain_realm]
>  .DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
>  DOMAIN.LOCAL = DC02.DOMAIN.LOCAL
>
> There are several DCs but I picked one because the docs I was reading
> made it seem like you had to pick one for Kerberos.
>
> The machine is using the DC DNS, so all domains involved here (all the
> DCs, the machine's domain, the clients) can be resolved. However, despite
> this I have added some domains to /etc/hosts.
>
> 127.0.0.1       webb04.domain.local webb04
> 10.221.111.51   webb04.domain.local     webb04
>
> 10.221.111.16 DC02.DOMAIN.LOCAL DC02
>
> 10.221.111.10 DOMAIN.LOCAL
>
> My /etc/resolv.conf reflects the AD setup in the network.
>
> domain domain.local
> search domain.local
> nameserver 10.221.111.10
> nameserver 10.221.111.16
>
> With this configuration on Debian Wheezy I can run kinit to get a token
> using an AD administrator account.
>
> Then I can run net ads join -U Administrator and enter the same account's
> password, to join the domain.
>
> After that I can run wbinfo -u to list all users in the Windows AD
> servers. I can also run getent -s winbind passwd username to see
> information for that user, like this:
> stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false
>
> Of course this is meta information; that user does not exist on my Linux
> server. At least that is my understanding.
>
> --
> Hälsningar / Greetings
>
> http://Stefan.Midjich.name
>



-- 
Hälsningar / Greetings

http://Stefan.Midjich.name
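Added example for this thread; it is not from the original post, the follow-up, or the linked wiki page. The share section quoted above carries its own `valid users = share`, and a parameter set in a share section replaces the same parameter in [global] for that share, so the global `valid users = @"Domain Users"` never applies to [www]. `force user` does not widen access either: it only sets the Unix identity used for file operations once a connection has already been authorised. The result is that only a user named `share` can connect to [www], which matches the behaviour described in the question. The fragment below shows the share as posted beside a corrected version that admits the AD group and still maps everyone to the single local account. DOMAIN, the local user `share` and the path are the poster's own names; nothing else is assumed.

```ini
# As posted: the share-level "valid users" overrides the global
# @"Domain Users" for this share, so only the local Unix user "share"
# may connect. force user is applied after that check and does not
# grant access to anyone else.
[www]
 comment = HTML share
 path = /var/www/website.domain.local
 valid users = share
 writable = yes
 force user = share
 force group = share
 force directory mode = 0775
 force create mode = 0664

# Corrected: authenticate and authorise against the AD group, then run
# every file operation as the local account "share". The group is
# written with its domain so the share does not depend on
# "winbind use default domain = yes". "share" does not need to exist
# in AD, but it must exist locally (getent passwd share) and own the
# tree under "path".
[www]
 comment = HTML share
 path = /var/www/website.domain.local
 valid users = @"DOMAIN\Domain Users"
 writable = yes
 force user = share
 force group = share
 force directory mode = 0775
 force create mode = 0664
```

To check the effective configuration, `testparm -s` prints every share with its parameters after global defaults and share overrides have been merged, which makes a share-level `valid users` easy to spot. `wbinfo -t` confirms the machine account trust after `net ads join`, `getent group "DOMAIN\Domain Users"` confirms winbind resolves the group named in `valid users`, and `wbinfo -a 'DOMAIN\user%password'` tests an AD logon through winbind without involving a Windows client. Two caveats on the rest of the posted configuration: `log level = 0 auth:10 smb:10` writes a great deal about every logon attempt into /var/log/samba and should be lowered once debugging is done, and in the posted krb5.conf the [domain_realm] entries map the DNS domain to the host name `DC02.DOMAIN.LOCAL` rather than to the realm name `DOMAIN.LOCAL`; with the realm name there and `dns_lookup_kdc = true` in [libdefaults], the Kerberos library finds any DC through the SRV records the DC DNS already serves instead of being pinned to DC02.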

