[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
Rowland Penny
rowlandpenny at googlemail.com
Thu Jan 22 11:32:41 MST 2015
On 22/01/15 18:19, francis picabia wrote:
> We run AD on Windows servers and have Linux systems
> authenticate against AD with pam, for shares, cyrus mail, or shell logins.
> For shares on a Linux system we often have no local account.
>
> We've had success with Samba 3.5.10 and prior versions using
> security = ads with winbind, pam, nsswitch.conf, krb5.conf
> while there is no local Unix account.
>
> Starting after this version, possibly 3.6.0 and above, I can only get
> shares to work by using an AD account and auth
> which maps to a local shell account name.
>
> Here are very minimal settings, not ideal, just trying to get this to
> work...
>
> /etc/pam.d/samba:
>
> auth sufficient pam_winbind.so use_first_pass
> auth required pam_deny.so
> account required pam_permit.so
>
> /etc/nsswitch.conf
>
> passwd: files winbind
> group: files winbind
> shadow: files winbind
>
> If I use an account having a local shell and the AD password, the
> share works. If I use another AD account which does appear
> in wbinfo -u output, it cannot log in to the share. If I add the
> AD user with a shell of /bin/false, the login works.
>
> I've gone through many howtos trying for a formula, but the unmatched
> user issue remains. Here is the last attempt in smb.conf:
>
> security = ads
> password server = adc2.mydom.ca
> loglevel = 3
> template shell = /bin/false
> encrypt passwords = yes
>
> realm = AD.MYDOM.CA
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config MYDOM:backend = ad
> idmap config MYDOM:schema_mode = rfc2307
> idmap config MYDOM:range=10000-19000000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> I've only changed the actual domain to mydom in that config.
>
> krb5.conf must be alright, otherwise my shell account user
> would fail to log in to the share with the AD credentials.
>
> I had a thought on how to make non-local accounts access
> the share by using map to guest = Bad Uid
> but the comments in man page for smb.conf make it sound
> like I still shouldn't need that with winbind and nsswitch.
>
> If anyone has seen a sample for non-local accounts and Samba 3.6
> it might be useful.
OK, you have three options.

Use the winbind 'ad' backend (this is what you are using), but your
users must have a 'uidNumber' in AD.

Use the 'rid' backend; your users will get a uid number automatically.

Use 'map to guest = bad user'; the only problem with the last one is that all
unknown users end up as 'nobody'.
If you want to try the rid backend, change 'idmap config MYDOM:backend =
ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config
MYDOM:schema_mode = rfc2307'
Rowland
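To make the difference between the first two options concrete, here is an added Python model (not Samba code, and not from either poster) of how the 'ad' and 'rid' idmap backends decide whether an AD user gets a uid, using the range from the smb.conf above. The AD entries, names and SIDs are constructed; the rid arithmetic follows the idmap_rid man page (uid = RID - base_rid + range_low), and the 'ad' backend treats the range as a filter on uidNumber, as the idmap_ad man page describes.

```python
# Added illustration: how the two idmap backends discussed in the thread
# decide whether an AD user gets a uid. Constructed data, not real domain output.
from typing import Optional

# Range from the poster's smb.conf: idmap config MYDOM:range=10000-19000000
RANGE_LOW, RANGE_HIGH = 10000, 19000000
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed domain SID

# Constructed AD entries: only 'alice' carries a usable RFC2307 uidNumber.
AD_USERS = {
    "alice": {"sid": f"{DOMAIN_SID}-1105", "uidNumber": 10105},
    "bob":   {"sid": f"{DOMAIN_SID}-1106"},                    # no uidNumber
    "carol": {"sid": f"{DOMAIN_SID}-1107", "uidNumber": 500},  # outside range
}


def rid_of(sid: str) -> int:
    """The last component of a SID is the RID."""
    return int(sid.rsplit("-", 1)[1])


def idmap_ad(user: str) -> Optional[int]:
    """'idmap config MYDOM:backend = ad': take uidNumber from AD, but only
    if it lies inside the configured range (the range acts as a filter)."""
    entry = AD_USERS.get(user)
    if entry is None or "uidNumber" not in entry:
        return None          # winbind cannot map the user, so the share login fails
    uid = entry["uidNumber"]
    return uid if RANGE_LOW <= uid <= RANGE_HIGH else None


def idmap_rid(user: str, base_rid: int = 0) -> Optional[int]:
    """'idmap config MYDOM:backend = rid': uid = RID - base_rid + range_low,
    computed from the SID alone, so no AD attribute is needed."""
    entry = AD_USERS.get(user)
    if entry is None:
        return None
    uid = rid_of(entry["sid"]) - base_rid + RANGE_LOW
    return uid if RANGE_LOW <= uid <= RANGE_HIGH else None


def resolve(user: str, backend: str) -> Optional[int]:
    """Dispatch on the backend name as written in smb.conf."""
    return {"ad": idmap_ad, "rid": idmap_rid}[backend](user)


if __name__ == "__main__":
    for backend in ("ad", "rid"):
        for u in AD_USERS:
            print(f"{backend:>3} backend: {u:<6} -> {resolve(u, backend)}")
```

With the 'ad' backend, bob (no uidNumber) and carol (uidNumber outside the range) get no uid at all, which is the symptom in the thread; with 'rid', every domain user whose RID fits the range is mapped.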