[Samba] Automatic creation of local users

L.P.H. van Belle belle at bazuin.nl
Tue Dec 20 09:03:28 UTC 2016


> When I commented out the "idmap config SUBDOMAIN:range = 1000 - 20000"
> line, I was able to connect, even with a username that didn't already
> exist on the Samba server.
About that:

>         idmap config *:backend = tdb
>         idmap config *:range = 30000 - 40000

>         idmap config SUBDOMAIN:backend = ad
>         idmap config SUBDOMAIN:schema_mode = rfc2307
>         idmap config SUBDOMAIN:range = 1000 - 20000

So you fixed it, and did not disable it.

Your system used the ID range 0-1000+ (and the first user gets 1000).
The Windows BUILTIN IDs match idmap config *:,
but it is set too wide, so it also matched the Linux IDs.

Now Samba AD (with the AD backend) starts with idmap config DOMAIN 10000-999999 by default.

A preferred layout for idmap config:

        # maps to Windows BUILTIN/local IDs
        idmap config *:backend = tdb
        idmap config *:range = 2000 - 9999
        # the AD starts at 10000-99999
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 10000 - 99999

With this setup you have the following options:
1) Linux IDs only, range 0-1999
2) Linux IDs + Windows BUILTIN/Windows local IDs
3) Windows AD IDs

Now the problem you had with your user was not that it did not exist in Linux, but that its ID mismatched.

If you want "Linux only" users, create a user and keep its ID below 1999.
If you want a Linux user with some Windows abilities, create a Linux user with an ID between 2000-9999.

And Windows users which need Linux access get IDs between 10000-999999.

And if you change the IDs, don't forget to clear the idmap cache files.


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens dadoo dadoo via
> samba
> Verzonden: maandag 19 december 2016 22:46
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Automatic creation of local users
> 
> 
> I've actually found a solution to my problem, but I wanted to post it
> here, since someone else might have the problem in the future, and I think
> it would be nice if I could spare them the week of Googling I needed.
> 
> Basically, I have an AD member server, running Samba 4.2.10 (on Centos
> 7.2.1511). Here's my smb.conf:
> 
> [global]
>         workgroup = SUBDOMAIN
>         server string = Samba Server Version %v
>         netbios name = SERVER
>         server signing = mandatory
>         client signing = mandatory
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         log level = idmap:10 auth:10
>         security = ADS
>         realm = SUBDOMAIN.MYDOMAIN.COM
>         encrypt passwords = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind normalize names = yes
>         guest account = pcguest
>         idmap config *:backend = tdb
>         idmap config *:range = 30000 - 40000
>         idmap config SUBDOMAIN:backend = ad
>         idmap config SUBDOMAIN:schema_mode = rfc2307
>         idmap config SUBDOMAIN:range = 1000 - 20000
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         preferred master = no
>         name resolve order = bcast host lmhosts
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>         wide links = yes
>         unix extensions = no
> [images]
>         comment = Images
>         path = /u1/images
>         writable = yes
>         read only = no
>         case sensitive = True
>         default case = lower
>         preserve case = no
>         short preserve case = no
>         wide links = yes
>         create mask = 664
>         directory mask = 775
> 
> (I'm guessing some of that is unnecessary, since this is actually a
> hacked-up Samba 3 configuration I carried over from an earlier server.)
> 
> When I tried to map a drive, I'd get a username/password prompt from
> Windows, even though I was logged in as a valid domain user. In the Samba
> logs, I'd get:
> 
> [2016/12/16 13:24:21.264668,  5, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:378(load_auth_module)
>   load_auth_module: Attempting to find an auth method to match ntdomain
> [2016/12/16 13:24:21.264673,  5, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:403(load_auth_module)
>   load_auth_module: auth method ntdomain has a valid init
> [2016/12/16 13:24:21.264679,  5, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/auth.c:403(load_auth_module)
>   load_auth_module: auth method winbind has a valid init
> [2016/12/16 13:24:21.391184,  3, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [myuser at SUBDOMAIN.MYDOMAIN.COM]
> [2016/12/16 13:24:21.391203, 10, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
>   Domain is [SUBDOMAIN] (using PAC)
> [2016/12/16 13:24:22.630245,  3, pid=19073, effective(0, 0), real(0, 0),
> class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   Username SUBDOMAIN\myuser is invalid on this system
> 
> It occurred to me that the username I was using didn't exist on this
> system, yet, since I hadn?t connected to it before, so I tried creating
> the user manually (using 'useradd' on the Samba server). Then, I was able
> to connect. I didn't believe Samba wouldn't automatically create the users
> for you, so I kept looking, and finally came across this post:
> 
> https://lists.samba.org/archive/samba/2013-February/171720.html
> 
> When I commented out the "idmap config SUBDOMAIN:range = 1000 - 20000"
> line, I was able to connect, even with a username that didn't already
> exist on the Samba server.
> 
> 
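The thread above comes down to ID ranges: the SUBDOMAIN range in the original smb.conf started at 1000, right where local Linux accounts start, and commenting the range line out silently dropped that domain's idmap configuration. The script below is an added example (it is not code from the thread and not part of Samba) that parses the "idmap config" lines of an smb.conf and checks them against each other and against the accounts in /etc/passwd. It reports three things: domains that name a backend but no range, winbind ranges that overlap each other, and local accounts whose UID falls inside a winbind range (the mismatch Louis describes; whether such an overlap is intended, as in his option 2, is a judgement call, so the script only reports it). The smb.conf and passwd snippets embedded in it are constructed from the thread; the function names and the "myuser" UID are the example's own assumptions.

```python
"""Added example (not Samba's code): sanity-check idmap ranges in an smb.conf
against each other and against the local accounts in /etc/passwd."""
import re

# 'idmap config <domain>:range = <low> - <high>' and
# 'idmap config <domain>:backend = <name>'; domain may be '*' (the default domain).
RANGE_RE = re.compile(r'^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$', re.I)
BACKEND_RE = re.compile(r'^\s*idmap\s+config\s+(\S+?)\s*:\s*backend\s*=\s*(\S+)\s*$', re.I)


def parse_idmap(smb_conf_text):
    """Return (ranges, backends): {domain: (low, high)} and {domain: backend}.
    Lines starting with '#' or ';' are smb.conf comments, so a commented-out
    range line (as in the original post) simply disappears from the result."""
    ranges, backends = {}, {}
    for line in smb_conf_text.splitlines():
        if line.lstrip().startswith(('#', ';')):
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        m = BACKEND_RE.match(line)
        if m:
            backends[m.group(1)] = m.group(2)
    return ranges, backends


def parse_passwd(passwd_text):
    """Return {username: uid} from /etc/passwd-format text."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def check_idmap(smb_conf_text, passwd_text):
    """Return a dict of findings:
      'missing_range':  domains that name a backend but no range
      'overlaps':       pairs of domains whose ranges overlap
      'local_in_range': (user, uid, domain) for local accounts whose UID lies
                        inside a winbind-managed range
    """
    ranges, backends = parse_idmap(smb_conf_text)
    users = parse_passwd(passwd_text)
    findings = {'missing_range': [], 'overlaps': [], 'local_in_range': []}

    findings['missing_range'] = sorted(d for d in backends if d not in ranges)

    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                findings['overlaps'].append((a, b))

    for user, uid in sorted(users.items(), key=lambda kv: kv[1]):
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                findings['local_in_range'].append((user, uid, dom))
    return findings


# Constructed inputs: the original poster's ranges and Louis's preferred layout.
ORIGINAL_CONF = """
        idmap config *:backend = tdb
        idmap config *:range = 30000 - 40000
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 1000 - 20000
"""
PREFERRED_CONF = """
        idmap config *:backend = tdb
        idmap config *:range = 2000 - 9999
        idmap config SUBDOMAIN:backend = ad
        idmap config SUBDOMAIN:schema_mode = rfc2307
        idmap config SUBDOMAIN:range = 10000 - 99999
"""
# Constructed /etc/passwd: first local user at UID 1000 (default UID_MIN),
# plus the account the poster created by hand with useradd (UID assumed).
PASSWD = """root:x:0:0:root:/root:/bin/bash
pcguest:x:1000:1000:guest:/home/pcguest:/sbin/nologin
myuser:x:1001:1001::/home/myuser:/bin/bash
"""

if __name__ == '__main__':
    for label, conf in (('original', ORIGINAL_CONF), ('preferred', PREFERRED_CONF)):
        print(label, check_idmap(conf, PASSWD))
```

Run it against a real server with `check_idmap(open('/etc/samba/smb.conf').read(), open('/etc/passwd').read())`; an empty result for all three keys means the local accounts and the winbind ranges are disjoint and every configured domain has a range. Note that it only reads the file as written, so run `testparm -s` first if you rely on includes.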



