[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
fpicabia at gmail.com
Thu Jan 22 11:19:38 MST 2015
We run AD on Windows servers and have Linux systems
authenticate against AD with pam, for shares, cyrus mail, or shell logins.
For shares on a Linux system we often have no local account.
We've had success with Samba 3.5.10 and prior versions using
security = ads with winbind, pam, nsswitch.conf, krb5.conf
while there is no local Unix account.
Starting after this version, possibly 3.6.0 and above, I can only get
shares to work by using an AD account and auth
which maps to a local shell account name.
Here are very minimal settings, not ideal, just trying to get this to
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_permit.so
passwd: files winbind
group: files winbind
shadow: files winbind
If I use an account having a local shell and the AD password, the
share works. If I use another AD account which does appear
in wbinfo -u output, it cannot login to the share. If I add the
AD user with a shell of /bin/false the login works.
I've gone through many howtos trying for a formula, but the unmatched
user issue remains. Here is the last attempt in smb.conf:
security = ads
password server = adc2.mydom.ca
loglevel = 3
template shell = /bin/false
encrypt passwords = yes
realm = AD.MYDOM.CA
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range=10000-19000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
I've only changed the actual domain to mydom in that config.
krb5.conf must be alright otherwise my shell account user
would fail to login to the share with the AD credentials.
I had a thought on how to make non-local accounts access
the share by using map to guest = Bad Uid
but the comments in man page for smb.conf make it sound
like I still shouldn't need that with winbind and nsswitch.
If anyone has seen a sample for non-local accounts and Samba 3.6
it might be useful.
More information about the samba