[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account
francis picabia
fpicabia at gmail.com
Thu Jan 22 12:20:32 MST 2015
On Thu, Jan 22, 2015 at 2:32 PM, Rowland Penny <rowlandpenny at googlemail.com>
wrote:
> On 22/01/15 18:19, francis picabia wrote:
>
>> We run AD on Windows servers and have Linux systems
>> authenticate against AD with pam, for shares, cyrus mail, or shell logins.
>> For shares on a Linux system we often have no local account.
>>
>> We've had success with Samba 3.5.10 and prior versions using
>> security = ads with winbind, pam, nsswitch.conf, krb5.conf
>> while there is no local Unix account.
>>
>> Starting after this version, possibly 3.6.0 and above, I can only get
>> shares to work by using an AD account and auth
>> which maps to a local shell account name.
>>
>> Here are very minimal settings, not ideal, just trying to get this to
>> work...
>>
>> /etc/pam.d/samba:
>>
>> auth sufficient pam_winbind.so use_first_pass
>> auth required pam_deny.so
>> account required pam_permit.so
>>
>> /etc/nsswitch.conf
>>
>> passwd: files winbind
>> group: files winbind
>> shadow: files winbind
>>
>> If I use an account having a local shell and the AD password, the
>> share works. If I use another AD account which does appear
>> in wbinfo -u output, it cannot login to the share. If I add the
>> AD user with a shell of /bin/false the login works.
>>
>> I've gone through many howtos trying for a formula, but the unmatched
>> user issue remains. Here is the last attempt in smb.conf:
>>
>> security = ads
>> password server = adc2.mydom.ca
>> loglevel = 3
>> template shell = /bin/false
>> encrypt passwords = yes
>>
>> realm = AD.MYDOM.CA
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config MYDOM:backend = ad
>> idmap config MYDOM:schema_mode = rfc2307
>> idmap config MYDOM:range=10000-19000000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> I've only changed the actual domain to mydom in that config.
>>
>> krb5.conf must be alright otherwise my shell account user
>> would fail to login to the share with the AD credentials.
>>
>> I had a thought on how to make non-local accounts access
>> the share by using map to guest = Bad Uid
>> but the comments in man page for smb.conf make it sound
>> like I still shouldn't need that with winbind and nsswitch.
>>
>> If anyone has seen a sample for non-local accounts and Samba 3.6
>> it might be useful.
>>
>
> OK, you have three options.
> Use the winbind 'ad' backend (this is what you are using), but your users
> must have a 'uidNumber' in AD.
> Use the 'rid' backend, your users will get a uid number automatically.
> Use 'map to guest = bad user'; the only problem with the last one is that all
> unknown users end up as 'nobody'.
>
> If you want to try the rid backend, change 'idmap config MYDOM:backend =
> ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config
> MYDOM:schema_mode = rfc2307'
>
> Rowland
Thank you very much. That was a clue to get the configuration solid so
I plugged along with that set up. I didn't know what 'rid' handled, but I
had used it before in the multiple settings I've tried. Good to know.
I finally found the solution. I'm on Debian 7 and winbind did not include
the package libpam-winbind. I installed that, restarted winbind and samba
and now the unmatched user can connect. It provided the file:
/lib/x86_64-linux-gnu/security/pam_winbind.so
I should have been looking in /var/log/auth.log
rather than in /var/log/samba for my errors!
Thanks again...
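A small check script for the two things this thread turned on: which idmap backend a domain uses in smb.conf (the 'ad' backend needs a uidNumber on every user, 'rid' does not) and whether pam_winbind.so is actually installed and referenced from the PAM service file. This is an added example, not code from the thread or from the Samba project; the function names are my own, and all paths (smb.conf, the PAM service file, the module directories) are passed as arguments so it can be run against constructed copies as well as a live host.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: report which idmap backend a domain uses in
# smb.conf ("ad" needs a uidNumber per user, "rid" does not) and whether pam_winbind.so
# is installed and wired into the PAM service, the two failure points in this thread.
# Print the idmap backend for DOMAIN ($2) from smb.conf ($1); prints nothing if unset.
# Accepts both "idmap config MYDOM:backend = ad" and "idmap config * : backend = tdb".
idmap_backend() {
    awk -v dom="$2" '
        tolower($0) ~ /^[ \t]*idmap[ \t]+config[ \t]*/ {
            line = $0; sub(/^[ \t]*idmap[ \t]+config[ \t]*/, "", line)
            eq = index(line, "="); if (eq == 0) next
            key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)              # "MYDOM : backend" -> "MYDOM:backend"
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            split(key, part, ":")
            if (tolower(part[1]) == tolower(dom) && tolower(part[2]) == "backend")
                result = val                    # last definition wins
        }
        END { print result }' "$1"
}
# Print the path of pam_winbind.so in the first module directory ($@) that has it;
# return 1 if none does (the Debian 7 case: winbind installed, libpam-winbind not).
pam_winbind_path() {
    for d in "$@"; do
        if [ -f "$d/pam_winbind.so" ]; then printf '%s\n' "$d/pam_winbind.so"; return 0; fi
    done
    return 1
}
# Return 0 if the PAM service file ($1) has an auth line that loads pam_winbind.so.
pam_auth_uses_winbind() {
    grep -Eq '^[[:blank:]]*auth[[:blank:]].*pam_winbind\.so' "$1"
}
# diagnose SMB_CONF DOMAIN PAM_SERVICE_FILE MODULE_DIR... ; prints one finding per line.
diagnose() {
    conf="$1"; dom="$2"; pamf="$3"; shift 3
    backend=$(idmap_backend "$conf" "$dom")
    case "$backend" in
        ad)  echo "idmap backend 'ad': every user needs a uidNumber in AD" ;;
        rid) echo "idmap backend 'rid': uids derived from the RID, no AD attribute needed" ;;
        "")  echo "no 'idmap config $dom : backend' line in $conf" ;;
        *)   echo "idmap backend '$backend'" ;;
    esac
    if p=$(pam_winbind_path "$@"); then echo "PAM module present: $p"
    else echo "pam_winbind.so missing from: $*  (install libpam-winbind)"; fi
    pam_auth_uses_winbind "$pamf" && echo "$pamf authenticates via pam_winbind" \
                                  || echo "$pamf has no pam_winbind auth line"
}
# Stand-alone, e.g.: sh check.sh /etc/samba/smb.conf MYDOM /etc/pam.d/samba /lib/security
if [ $# -ge 4 ]; then diagnose "$@"; fi
```

On a live host, point the last arguments at every PAM module directory the distribution uses (for the poster's Debian 7 box that was /lib/x86_64-linux-gnu/security), since a module installed elsewhere is still invisible to PAM.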