[Samba] the relationship between AD domain users and local users

Rowland Penny rpenny at samba.org
Mon Jan 15 09:57:58 UTC 2018


On Mon, 15 Jan 2018 14:29:55 +0800
Younger Liu via samba <samba at lists.samba.org> wrote:

> Hi!
>    I have some doubts.  I have a AD server and join samba server into
> AD. Configuration looks like as follows:
> [global]
> workgroup = ENAS
> server string = SmbSrvVers
> log file = /var/log/samba/log.%m
> map to guest = bad user
> max log size = 50
> encrypt passwords = yes
> security = domain
> idmap config * : range = 16777216-33554431
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = /
> winbind use default domain = true
> winbind offline logon = false
> template shell = /bin/bash
> template homedir = /home/%U
> realm = ENAS.COM
> netbios name = node0
> ....
> 
> NSS config:
> ...
> passwd: files winbind sss
> shadow: files winbind sss
> group: files winbind sss
> ...
> 
> 1. Create a local samba user "testuser";
> 2. Create the same name AD user "testuser"
> 3. Add "testuser" in read list of one samba share.
> 
> On the client side, I only access samba share with ad user, rather
> than local user. Why?
> 
> How can i use local user to access samba share?
> 
> Best Regards!

Doesn't anybody ever read the Samba wiki ?????

https://wiki.samba.org/index.php/Main_Page

Specifically:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Your smb.conf is so wrong, I find it hard to know where to start.

Lets start with, it isn't for a Unix AD domain member, the line
'security = domain' should be 'security = ads'

The 'idmap config' lines are not correct, there should be more of them.

You shouldn't use both 'winbind' and 'sssd', use one or the other. If
you decide to go with 'sssd', then you will need to ask on the
sssd-mailing, sssd is not part of Samba.

Not sure what you mean about a local user accessing the share,
local users are outside the domain and, as such, are unknown to the
domain and will be denied access. 

Rowland



More information about the samba mailing list