[Samba] samba 4 in AD 2008R2 without winbind
Daniele Bernazzi
daniele at ao-siena.toscana.it
Wed May 24 12:30:32 UTC 2017
----- Original message -----
> From: "Rowland Penny via samba" <samba at lists.samba.org>
> To: samba at lists.samba.org
> Sent: Wednesday, 24 May 2017 14:14:53
> Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
>
> On Wed, 24 May 2017 14:02:49 +0200 (CEST)
> Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
>
> >
> >
> > ----- Original message -----
> > > From: "Rowland Penny" <rpenny at samba.org>
> > > To: samba at lists.samba.org
> > > Cc: "Daniele Bernazzi" <daniele at ao-siena.toscana.it>
> > > Sent: Wednesday, 24 May 2017 13:12:07
> > > Subject: Re: [Samba] samba 4 in AD 2008R2 without winbind
> > >
> > > On Wed, 24 May 2017 12:54:48 +0200 (CEST)
> > > Daniele Bernazzi <daniele at ao-siena.toscana.it> wrote:
> > >
> > > >
> > > > So far for standalone server, Rowland, but is not possible to
> > > > authenticate (just authenticate) on active directory? This
> > > > configuration is now working on another server with samba 3 ...
> > > > access is allowed to users declared in /etc/passwd (these users do
> > > > not have a unix password) and the client use transparently the
> > > > password they supplied at login time. I am not able to reply this
> > > > configuration in samba 4
> > > >
> > >
> > > I cannot see how this will work, to authenticate to AD your computer
> > > would have to be joined to the domain, at which point your user
> > > would have to only be in AD. I am not saying it will not work, I
> > > just don't understand how it can.
> > >
> > > Can you post the smb.conf from the Samba 3 machine ?
> > >
> > > Rowland
> > >
> > >
> > >
> >
> > Samba servers (ver 3 or 4) and clients are all joined to domain.
> >
> > Here's the global of smb.conf version 3:
> >
> > [global]
> > workgroup = CED
> > realm = CED.AOS
> > server string = file sharing server
> > security = ADS
> > allow trusted domains = No
> > map to guest = Bad User
> > obey pam restrictions = Yes
> > pam password change = Yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> > unix password sync = Yes
> > log level = 1
> > syslog = 0
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > load printers = No
> > printcap name = /dev/null
> > domain master = No
> > dns proxy = No
> > panic action = /usr/share/samba/panic-action %d
> > idmap config * : range =
> > idmap config * : backend = tdb
> > printing = bsd
> > print command = lpr -r -P'%p' %s
> > lpq command = lpq -P'%p'
> > lprm command = lprm -P'%p' %j
>
> Are you sure your windows users are connecting as local Unix users ?
> You have this: map to guest = Bad User
>
> This means that anybody who connects that Samba doesn't know silently
> gets mapped to guest and is allowed access.
>
> Rowland
>
In this system (samba 3) there are about 3.000 users with 150 shares (apart from home shares), so I am sure this is not happening.
The manual about map to guest is saying: "This parameter can take four different values, which tell smbd(8) what to do with user login requests that don't match a valid UNIX user in some way.".
Daniele
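
An added example, not part of the original thread or of Samba itself: a small Python check for the `map to guest` question discussed above, listing which shares would accept a session that smbd has mapped to the guest account. The sample configuration and the share names `projects` and `scans` are constructed, and the parser handles plain `key = value` lines only (no includes or backslash continuations).

```python
import configparser

# Constructed sample: some [global] lines from the thread plus two hypothetical shares.
SAMPLE_SMB_CONF = """
[global]
workgroup = CED
security = ADS
map to guest = Bad User
passwd program = /usr/bin/passwd %u
idmap config * : backend = tdb

[projects]
path = /srv/projects
valid users = alice

[scans]
path = /srv/scans
public = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.lower().split())


def audit_guest_access(conf_text):
    """Return (map to guest value, sorted shares that accept guest sessions)."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.optionxform = _norm
    cp.read_string(conf_text)

    def guest_ok(section, default):
        # "public" is a synonym for "guest ok"
        for key in ("guestok", "public"):
            if cp.has_option(section, key):
                return cp.get(section, key).strip().lower() in TRUE_VALUES
        return default

    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    mapping = cp.get(glob, "maptoguest", fallback="Never").strip() if glob else "Never"
    # Share-level parameters set in [global] act as defaults for every share
    default_ok = guest_ok(glob, False) if glob else False
    shares = sorted(s for s in cp.sections()
                    if s.lower() != "global" and guest_ok(s, default_ok))
    # With "map to guest = Never" no session is mapped to guest, so nothing is exposed
    return mapping, (shares if _norm(mapping) != "never" else [])
```

On a live server, feeding it the output of `testparm -s` rather than the raw file gives the settings smbd actually uses.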