[Samba] Users and groups on member server without ssh
Rowland Penny
rpenny at samba.org
Wed Sep 27 14:10:55 UTC 2017
On Wed, 27 Sep 2017 15:46:42 +0200
Daniel Carrasco via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I've a member server that is working fine as a shared folder server (all
> shares and their permissions work). My problem is that when I add the
> nsswitch winbind entries then the server uses the DC to authenticate
> even when I use ssh, so if the Samba DC server fails I have problems
> logging in to the member server.
>
> My nsswitch:
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
> And my smb.conf:
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> Is there any way to avoid that authentication method and use only the
> local one? (I use tools like setfacl to change permissions so I need
> access to domain users/groups).
>
> Thanks and greetings!!
>
Try adding 'winbind offline logon = yes'; this will allow
authentication even when the DC cannot be reached.
I would also remove the 'winbind enum' lines; you do not need them,
they only really allow the printing of all the users and groups.
Rowland