[Samba] Samba 4.2 on RHEL7

Sketch smblist at rednsx.org
Thu Jun 23 17:15:04 UTC 2016

On Thu, 23 Jun 2016, Bedynek, Matthew J. wrote:

> I would first like to be able to provide user/password authentication 
> via Active directory simply because it would allow the user to access 
> shares without prompting a password if he is already logged into domain 
> from client.
> However, I would like to control security by using the user/group 
> information available from OpenLDAP server (not AD).
> I am fortunate that username / password in AD and OpenLDAP are 
> synchronized.  However, group membership is not.

As far as I know, smbd just uses standard system calls to look up file 
uid/gid ownership info.  So what you should be able to do is configure the 
system to use OpenLDAP with sssd.  This means all of your system logins 
and file permissions will be on OpenLDAP.  Then you can just do a "net ads 
join <yourdomain>" (you may need to set up kerberos too, for passwordless 
auth), and Samba will join your active directory domain.  Samba will 
always use active directory authentication, but it will use the system 
uid/gid lookup for user/group information.

That said, there is a possibility that using LDAP for user info would 
cause a problem with Kerberos, in which case you could use winbindd/active 
directory for the system lookups as well, but in nsswitch.conf, set 
"group: files sss", and leave passwd and shadow at "files winbind".  This 
way the system would only use sssd for group lookups, but use active 
directory for everything else.

I think where you might run into trouble is if you have Windows ACLs on 
your files, as I think smbd may use winbind to translate the sids into 
uid/gid in that case.  I believe Windows ACLs are disabled by default, so 
you should be fine as long as you don't enable them.

More information about the samba mailing list