[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 22 11:32:41 MST 2015 

On 22/01/15 18:19, francis picabia wrote:
> We run AD on Windows servers and have Linux systems
> authenticate against AD with pam, for shares, cyrus mail, or shell logins.
> For shares on a Linux system we often have no local account.
>
> We've had success with Samba 3.5.10 and prior versions using
> security = ads with winbind, pam, nsswitch.conf, krb5.conf
> while there is no local Unix account.
>
> Starting after this version, possibly 3.6.0 and above, I can only get
> shares to work by using an AD account and auth
> which maps to a local shell account name.
>
> Here are very minimal settings, not ideal, just trying to get this to
> work...
>
> /etc/pam.d/samba:
>
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_permit.so
>
> /etc/nsswitch.conf
>
> passwd:         files winbind
> group:          files winbind
> shadow:         files winbind
>
> If I use an account having a local shell and the AD password, the
> share works.  If I use another AD account which does appear
> in wbinfo -u output, it cannot login to the share.  If I add the
> AD user with a shell of /bin/false the login works.
>
> I've gone through many howtos trying for a formula, but the unmatched
> user issue remains.  Here is the last attempt in smb.conf:
>
>     security = ads
>     password server = adc2.mydom.ca
>     loglevel = 3
>     template shell = /bin/false
>     encrypt passwords = yes
>
>     realm = AD.MYDOM.CA
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-9999
>    idmap config MYDOM:backend = ad
>    idmap config MYDOM:schema_mode = rfc2307
>    idmap config MYDOM:range=10000-19000000
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
>     winbind refresh tickets = Yes
>
> I've only changed the actual domain to mydom in that config.
>
> krb5.conf must be alright otherwise my shell account user
> would fail to login to the share with the AD credentials.
>
> I had a thought on how to make non-local accounts access
> the share by using map to guest = Bad Uid
> but the comments in man page for smb.conf make it sound
> like I still shouldn't need that with winbind and nsswitch.
>
> If anyone has seen a sample for non-local accounts and Samba 3.6
> it might be useful.

OK, you have three options.
Use the winbind 'ad' backend (this is what you are using), but your 
users must have a 'uidNumber' in AD.
Use the 'rid' backend, your users will get a uid number automatically.
Use 'map to guest = bad user', only problem with the last one, all 
unknown users end up as 'nobody'

If you want to try the rid backend, change 'idmap config MYDOM:backend = 
ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config 
MYDOM:schema_mode = rfc2307'

Rowland

More information about the samba mailing list