[Samba] Samba 3.6.6, ADS, Winbind, no local Unix account

francis picabia fpicabia at gmail.com
Thu Jan 22 12:20:32 MST 2015

On Thu, Jan 22, 2015 at 2:32 PM, Rowland Penny <rowlandpenny at googlemail.com>

> On 22/01/15 18:19, francis picabia wrote:
>> We run AD on Windows servers and have Linux systems
>> authenticate against AD with pam, for shares, cyrus mail, or shell logins.
>> For shares on a Linux system we often have no local account.
>> We've had success with Samba 3.5.10 and prior versions using
>> security = ads with winbind, pam, nsswitch.conf, krb5.conf
>> while there is no local Unix account.
>> Starting after this version, possibly 3.6.0 and above, I can only get
>> shares to work by using an AD account and auth
>> which maps to a local shell account name.
>> Here are very minimal settings, not ideal, just trying to get this to
>> work...
>> /etc/pam.d/samba:
>> auth        sufficient    pam_winbind.so use_first_pass
>> auth        required      pam_deny.so
>> account     required      pam_permit.so
>> /etc/nsswitch.conf
>> passwd:         files winbind
>> group:          files winbind
>> shadow:         files winbind
>> If I use an account having a local shell and the AD password, the
>> share works.  If I use another AD account which does appear
>> in wbinfo -u output, it cannot login to the share.  If I add the
>> AD user with a shell of /bin/false the login works.
>> I've gone through many howtos trying for a formula, but the unmatched
>> user issue remains.  Here is the last attempt in smb.conf:
>>     security = ads
>>     password server = adc2.mydom.ca
>>     loglevel = 3
>>     template shell = /bin/false
>>     encrypt passwords = yes
>>     realm = AD.MYDOM.CA
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-9999
>>    idmap config MYDOM:backend = ad
>>    idmap config MYDOM:schema_mode = rfc2307
>>    idmap config MYDOM:range=10000-19000000
>>     winbind nss info = rfc2307
>>     winbind trusted domains only = no
>>     winbind use default domain = yes
>>     winbind enum users  = yes
>>     winbind enum groups = yes
>>     winbind refresh tickets = Yes
>> I've only changed the actual domain to mydom in that config.
>> krb5.conf must be alright otherwise my shell account user
>> would fail to login to the share with the AD credentials.
>> I had a thought on how to make non-local accounts access
>> the share by using map to guest = Bad Uid
>> but the comments in man page for smb.conf make it sound
>> like I still shouldn't need that with winbind and nsswitch.
>> If anyone has seen a sample for non-local accounts and Samba 3.6
>> it might be useful.
> OK, you have three options.
> Use the winbind 'ad' backend (this is what you are using), but your users
> must have a 'uidNumber' in AD.
> Use the 'rid' backend, your users will get a uid number automatically.
> Use 'map to guest = bad user', only problem with the last one, all unknown
> users end up as 'nobody'
> If you want to try the rid backend, change 'idmap config MYDOM:backend =
> ad' to 'idmap config MYDOM:backend = rid' and remove 'idmap config
> MYDOM:schema_mode = rfc2307'
> Rowland

Thank you very much.  That was a clue to get the configuration solid so
I plugged along with that set up.  I didn't know what 'rid' handled, but I
had used it before in the multiple settings I've tried.  Good to know.

I finally found the solution.  I'm on Debian 7 and winbind did not include
the package  libpam-winbind.  I installed that, restarted winbind and samba
and now the unmatched user can connect.  It provided the file:
I should have been looking in /var/log/auth.log
rather than in /var/log/samba for my errors!

Thanks again...

More information about the samba mailing list