[Samba] samba 4 in AD 2008R2 without winbind

Rowland Penny rpenny at samba.org
Wed May 24 12:14:53 UTC 2017


On Wed, 24 May 2017 14:02:49 +0200 (CEST)
Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:

> 
> 
> ----- Original message -----
> > From: "Rowland Penny" <rpenny at samba.org>
> > To: samba at lists.samba.org
> > Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> > Sent: Wednesday, 24 May 2017 13:12:07
> > Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
> > 
> > On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> > Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
> > 
> > > 
> > > So far for standalone server, Rowland, but is not possible to
> > > authenticate (just authenticate) on active directory? This
> > > configuration is now working on another server with samba 3 ...
> > > access is allowed to users declared in /etc/passwd (these users do
> > > not have a unix password) and the client use transparently the
> > > password they supplied at login time. I am not able to reply this
> > > configuration in samba 4
> > > 
> > 
> > I cannot see how this will work, to authenticate to AD your computer
> > would have to be joined to the domain, at which point your user
> > would have to only be in AD. I am not saying it will not work, I
> > just don't understand how it can.
> > 
> > Can you post the smb.conf from the Samba 3 machine ?
> > 
> > Rowland
> > 
> > 
> > 
> 
> Samba servers (ver 3 or 4) and clients are all joined to domain.
> 
> Here's the global of smb.conf version 3:
> 
> [global]
> 	workgroup = CED
> 	realm = CED.AOS
> 	server string = file sharing server
> 	security = ADS
> 	allow trusted domains = No
> 	map to guest = Bad User
> 	obey pam restrictions = Yes
> 	pam password change = Yes
> 	passwd program = /usr/bin/passwd %u
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	unix password sync = Yes
> 	log level = 1
> 	syslog = 0
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	load printers = No
> 	printcap name = /dev/null
> 	domain master = No
> 	dns proxy = No
> 	panic action = /usr/share/samba/panic-action %d
> 	idmap config * : range = 
> 	idmap config * : backend = tdb
> 	printing = bsd
> 	print command = lpr -r -P'%p' %s
> 	lpq command = lpq -P'%p'
> 	lprm command = lprm -P'%p' %j

Are you sure your Windows users are connecting as local Unix users ?
You have this: map to guest = Bad User

This means that anybody who connects that Samba doesn't know silently
gets mapped to guest and is allowed access.

Rowland
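
Added example, not part of the original message and not Samba's own code: a small Python check that reads an smb.conf and lists the shares a login with an unknown username would reach as guest when "map to guest = Bad User" is set, as discussed above. The [public] and [staff] shares in the sample are hypothetical, since the thread shows only the [global] section.

```python
import re

# Constructed sample: a few [global] lines as quoted in the thread, plus two
# hypothetical shares (the thread does not show any share sections).
SAMPLE = """\
[global]
	security = ADS
	map to guest = Bad User

[public]
	path = /srv/public
	guest ok = Yes

[staff]
	path = /srv/staff
	valid users = @staff
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # only the first '=' counts
            # parameter names ignore case and embedded whitespace
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def unknown_user_guest_shares(text):
    """Return (map to guest value, shares an unknown username reaches as guest)."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mapping = " ".join(glob.get("maptoguest", "Never").lower().split())
    if mapping != "bad user":                    # only the thread's setting is modelled
        return mapping, []
    exposed = []
    for name, params in conf.items():
        # 'public' is a synonym for 'guest ok'; [global] supplies the default
        guest = params.get("guestok", params.get("public", glob.get("guestok", "no")))
        if name != "global" and guest.lower() in ("yes", "true", "1"):
            exposed.append(name)
    return mapping, sorted(exposed)

if __name__ == "__main__":
    print(unknown_user_guest_shares(SAMPLE))
```

An empty share list with "bad user" reported means unknown usernames are still mapped to guest but no share in the file admits the guest account.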


