[Samba] How to use AD authentication for normal Samba file sharing

Mark Foley mfoley at ohprs.org
Tue Nov 28 05:08:42 UTC 2017


I guess I'm answering my own questions on this thread!

I believe I've found the answer to my last issue on this. To my smb.conf (message below), add:

force user = ohprso
force group = ohprs

I've tested it and the Domain user 10001.10001 was able to create a file on the samba share as
1001.103.

If that seems wrong to anyone on this list, please advise. Even if it looks right, perhaps post
a "Yes, that looks right", so I know these messages are making it to the list!

--Mark

-----Original Message-----
Date: Mon, 27 Nov 2017 18:22:47 -0500
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] How to use AD authentication for normal Samba file  sharing
From: Mark Foley via samba <samba at lists.samba.org>

With help from kjhambrick at linuxquestions.org I did figure out how to authenticate from a
Windows domain member to a samba share using AD credentials.  My smb.conf is listed below.  I
was able to map the share from Windows using domain credentials and create a file on the share.

Here's my next challenge: All the UID.GIDs on the share (287G and +105K files) are currently
the non-AD values of 1001.301.  For the time being, I'd like to keep all files, and all newly
created files with this UID.GID. 

How can I do this? On the "classic" samba share (not AD authentication) this was accomplished
by:

   # where ohprso's UID = 1001
   guest account = ohprso

I've seen the smb.conf setting:

   !<server user> = <client user>

but I'm not sure that's appropriate in this case.

Is there such a mechanism for AD authenticated clients?

Thanks --Mark

my AD Authenticating smb.conf:

[global]
netbios name = OHPRSSTORAGE

   server string = HPRS NAS server

domain master = no
prefered master = no

realm = HPRS.LOCAL
workgroup = HPRS
# Do I need this?
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash

max log size = 10000
    
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099

winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
                  
-----Original Message-----
Date: Mon, 20 Nov 2017 15:21:40 -0500
To: samba at lists.samba.org
User-Agent: Heirloom mailx 12.5 7/5/10
Subject: [Samba] How to use AD authentication for normal Samba file sharing
From: Mark Foley via samba <samba at lists.samba.org>

I have a Linux host used for file sharing. Although I have a Samba4 AD/DC configured in the
LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on
this server does not require any ID or passwords from Windows client workstations. The current
smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory
authentication. That is, when the Windows user maps the shared drive, I would like it to
authenticate with the domain credentials and not require the user to enter ID/PW on the Map
Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member. What would I have to do
to get Samba to authenticate the user's domain credentials?

My smb.conf:

[deleted]
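
As an added example (not part of the original post and not Samba's own code): a small Python audit that reads an smb.conf and notes, for each share with `force user` or `force group`, what the override means for on-disk ownership and which other share settings then carry the access control. The function names are hypothetical, the sample config is constructed from the post's `[public]` values, and placing the two `force` lines in the share section rather than `[global]` is an assumption.

```python
# Added example, not from the original post. Function names are hypothetical.
SYNONYMS = {"public": "guestok", "writeable": "writable", "writeok": "writable"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, whitespace removed.
    smb.conf ignores both. Backslash continuation lines are not handled."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            name, value = line.split("=", 1)     # only the first '=' splits
            name = "".join(name.lower().split())
            conf[section][SYNONYMS.get(name, name)] = value.strip()
    return conf

def audit_forced_identity(text):
    """Return {share: [notes]} for every share with a forced user or group."""
    conf, report = parse_smb_conf(text), {}
    for share, params in conf.items():
        p = {**conf.get("global", {}), **params}  # [global] supplies share defaults
        if share == "global" or not ("forceuser" in p or "forcegroup" in p):
            continue
        notes = ["writes land as %s.%s, so ownership no longer identifies the AD user"
                 % (p.get("forceuser", "<session user>"), p.get("forcegroup", "<primary group>"))]
        if "validusers" not in p:
            notes.append("'valid users' is not set to limit which accounts may connect")
        if p.get("guestok", "no").lower() in ("yes", "true", "1", "on"):
            notes.append("'guest ok' is enabled: check that guest sessions cannot write as the forced user")
        for key in ("createmask", "directorymask"):
            if key in p and int(p[key], 8) & 0o007:
                notes.append("%s = %s leaves permission bits for 'other'" % (key, p[key]))
        report[share] = notes
    return report

# Constructed sample: the post's [public] values plus the two force lines.
SAMPLE = """[public]
valid users = @"domain users"
public = yes
create mask = 0660
directory mask = 0771
force user = ohprso
force group = ohprs"""

if __name__ == "__main__":
    print(audit_forced_identity(SAMPLE))
```
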
