[Samba] Automatic creation of local users
dadoo dadoo
dadoo3002 at yahoo.com
Mon Dec 19 21:46:21 UTC 2016
I’ve actually found a solution to my problem, but I wanted to post it here, since someone else might have the problem in the future, and I think it would be nice if I could spare them the week of Googling I needed.
Basically, I have an AD member server, running Samba 4.2.10 (on Centos 7.2.1511). Here’s my smb.conf:
[global]
workgroup = SUBDOMAIN
server string = Samba Server Version %v
netbios name = SERVER
server signing = mandatory
client signing = mandatory
log file = /var/log/samba/log.%m
max log size = 50
log level = idmap:10 auth:10
security = ADS
realm = SUBDOMAIN.MYDOMAIN.COM
encrypt passwords = yes
winbind enum users = yes
winbind enum groups = yes
winbind normalize names = yes
guest account = pcguest
idmap config *:backend = tdb
idmap config *:range = 30000 - 40000
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 1000 - 20000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
preferred master = no
name resolve order = bcast host lmhosts
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
wide links = yes
unix extensions = no
[images]
comment = Images
path = /u1/images
writable = yes
read only = no
case sensitive = True
default case = lower
preserve case = no
short preserve case = no
wide links = yes
create mask = 664
directory mask = 775
(I’m guessing some of that is unnecessary, since this is actually a hacked-up Samba 3 configuration I carried over from an earlier server.)
When I tried to map a drive, I’d get a username/password prompt from Windows, even though I was logged in as a valid domain user. In the Samba logs, I’d get:
[2016/12/16 13:24:21.264668, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:378(load_auth_module)
load_auth_module: Attempting to find an auth method to match ntdomain
[2016/12/16 13:24:21.264673, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
load_auth_module: auth method ntdomain has a valid init
[2016/12/16 13:24:21.264679, 5, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:403(load_auth_module)
load_auth_module: auth method winbind has a valid init
[2016/12/16 13:24:21.391184, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [myuser@SUBDOMAIN.MYDOMAIN.COM]
[2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
Domain is [SUBDOMAIN] (using PAC)
[2016/12/16 13:24:22.630245, 3, pid=19073, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username SUBDOMAIN\myuser is invalid on this system
It occurred to me that the username I was using didn’t exist on this system, yet, since I hadn’t connected to it before, so I tried creating the user manually (using “useradd” on the Samba server). Then, I was able to connect. I didn’t believe Samba wouldn’t automatically create the users for you, so I kept looking, and finally came across this post:
https://lists.samba.org/archive/samba/2013-February/171720.html
When I commented out the “idmap config SUBDOMAIN:range = 1000 - 20000” line, I was able to connect, even with a username that didn’t already exist on the Samba server.
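Added example, not code from the post above: a small Python checker that reads the idmap settings out of an smb.conf like the one posted and reports what a practitioner would want to know before joining the member server. The reading it encodes is this: with `idmap config SUBDOMAIN:backend = ad` and `schema_mode = rfc2307`, winbind takes the Unix uid/gid from the account's `uidNumber`/`gidNumber` attributes in AD and never allocates one itself, so an account with no `uidNumber`, or one outside the configured range, has no Unix identity and is reported as "invalid on this system". Removing the range line leaves the SUBDOMAIN backend without a valid range, winbind fails to initialise it and falls back to the `*` default, and the tdb backend there allocates an id from 30000-40000 on first use. The smb.conf text and the AD user list in the block are constructed from the post for illustration.

```python
"""Static check of winbind idmap settings in an smb.conf (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the posted smb.conf: only the lines the checker cares about.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SUBDOMAIN
    security = ADS
    realm = SUBDOMAIN.MYDOMAIN.COM
    idmap config *:backend = tdb
    idmap config *:range = 30000 - 40000
    idmap config SUBDOMAIN:backend = ad
    idmap config SUBDOMAIN:schema_mode = rfc2307
    idmap config SUBDOMAIN:range = 1000 - 20000
    winbind nss info = rfc2307
[images]
    path = /u1/images
"""

Range = Tuple[int, int]


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Internal whitespace in keys is collapsed so 'a : b' and 'a:b' compare equal."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split())] = value.strip()
    return sections


def parse_range(value: str) -> Optional[Range]:
    """'1000 - 20000' -> (1000, 20000); None when malformed or inverted."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def idmap_config(conf: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOMAIN:option = value' entries by domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*(\w+)", key, re.IGNORECASE)
        if m:
            domains.setdefault(m.group(1).strip(), {})[m.group(2).lower()] = value
    return domains


def check_idmap(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings: missing default domain, unusable ranges, read-only 'ad' backend, overlaps."""
    findings: List[str] = []
    domains = idmap_config(conf)
    if "backend" not in domains.get("*", {}):
        findings.append("no 'idmap config *:backend': BUILTIN and foreign-domain SIDs have no mapping")
    ranges: Dict[str, Range] = {}
    for dom, opts in domains.items():
        backend = opts.get("backend")
        if backend is None:
            findings.append(f"{dom}: idmap options without a backend are ignored")
            continue
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            findings.append(f"{dom}: backend '{backend}' has no valid range; winbind will not "
                            "initialise it and falls back to the '*' default backend")
            continue
        ranges[dom] = rng
        if backend == "ad" and opts.get("schema_mode", "rfc2307") == "rfc2307":
            findings.append(f"{dom}: note: 'ad' backend is read-only; accounts need an AD uidNumber "
                            f"within {rng[0]}-{rng[1]} or they are 'invalid on this system'")
    # Overlapping ranges let two SIDs share one Unix id, i.e. one user gets the other's files.
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} and {b} overlap")
    return findings


def uid_for_ad_user(domains: Dict[str, Dict[str, str]], domain: str,
                    uid_number: Optional[int]) -> Optional[int]:
    """Model the rfc2307 'ad' backend: the AD uidNumber if present and in range, else no mapping."""
    opts = domains.get(domain, {})
    rng = parse_range(opts.get("range", ""))
    if opts.get("backend") != "ad" or uid_number is None or rng is None:
        return None
    return uid_number if rng[0] <= uid_number <= rng[1] else None


# Constructed AD accounts: (sAMAccountName, uidNumber attribute or None when unset).
SAMPLE_USERS = [("myuser", None), ("alice", 1500), ("bob", 25000)]


def classify_users(conf_text: str, domain: str) -> Dict[str, Optional[int]]:
    domains = idmap_config(parse_smb_conf(conf_text))
    return {name: uid_for_ad_user(domains, domain, uid) for name, uid in SAMPLE_USERS}


if __name__ == "__main__":
    for f in check_idmap(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", f)
    for name, uid in classify_users(SAMPLE_SMB_CONF, "SUBDOMAIN").items():
        print(name, "->", f"uid {uid}" if uid is not None else "no mapping (invalid on this system)")
    # The post's workaround: drop the range line and see what the checker says.
    without_range = SAMPLE_SMB_CONF.replace("idmap config SUBDOMAIN:range = 1000 - 20000", "")
    for f in check_idmap(parse_smb_conf(without_range)):
        print("-", f)
```

Run against the posted configuration it reports only the read-only note for SUBDOMAIN, and `myuser` (no `uidNumber`) and `bob` (outside 1000-20000) get no mapping while `alice` does; with the range line removed it reports the fall-back to the `*` tdb backend, which is why logins then succeed. The caveat worth keeping in mind with that workaround: ids allocated by tdb are local to this one server and assigned in first-come order, so ownership of files under /u1/images will not match the uids the same users get on any other host; populating `uidNumber`/`gidNumber` in AD (or switching the domain to the `rid` backend, which derives ids deterministically from the SID) gives consistent ids everywhere.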