[Samba] Authenticating AD users and Local users

Rowland Penny rpenny at samba.org
Mon Feb 18 16:40:20 UTC 2019


On Mon, 18 Feb 2019 14:35:38 +0000
"Paquin, Brian" <brian.paquin at yale.edu> wrote:

> Thank you for replying!
> I can login with my Active Directory credentials, but I can’t login
> using the local CentOS “svc_dictations” account. I created the local
> account using “adduser”, “smbpasswd”, and then updating my
> smb.conf file (below).
> 
> Thank you,
> 
> Brian
> 
> [global]
>    workgroup = YALE
>    password server = ad1.yu.yale.edu ad2.yu.yale.edu

You shouldn't set 'password server', you should allow Samba to find
them.
 
>    realm = YU.YALE.EDU
>    security = ads
>    idmap config * : range = 16777216-33554431
>    template shell = /sbin/nologin
>    kerberos method = system keytab
>    winbind use default domain = true
>    winbind offline logon = true
> 
> idmap config YU:schema_mode = rfc2307

Remove the line above

> idmap config YU:range = 100000-199999
> idmap config YU:backend = rid

'YU' is not your workgroup, so change it in the two lines above to
'YALE'

> idmap config * : range = 16777216-33554431

You have the above line twice.

> idmap * : backend = tbd
> dedicated keytab file = /etc/krb5.keytab
> log level = 4
> guest account = nobody
> guest ok = no
> log file = /var/log/samba/log.%m
> 
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> store dos attributes = yes
> vfs objects = acl_xattr
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> 
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> 
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @printadmin root
> force group = @printadmin
> create mask = 0664
> directory mask = 0775
> 
> [testshare]
> comment = testshare
> path = /testshare
> valid users = @pathology_its svc_dictations
> writable = yes
> read only = No

OK, you created 'svc_dictations' as a local Unix user with 'adduser'
and then ran 'smbpasswd' to make it a Samba user.
This is so wrong, mainly because it is the old way of doing things. You
will need to delete 'svc_dictations' as a Unix user and then create it
as an AD user.
On a Samba Unix domain member, a local Unix user is always just that, a
local user who can log into the computer directly, but is unknown to
AD. Samba takes AD users and extends them to be Unix users as well.

Rowland
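An added check, not part of the thread or of Samba itself: a small Python linter that parses a constructed copy of the smb.conf above and flags the four points Rowland raises (the 'password server' line, the duplicated 'idmap config *' range, the 'YU' domain name that does not match the workgroup, and 'schema_mode' set on a rid backend). The sample text, the function names and the wording of the findings are all assumptions made here.

```python
import re
from collections import Counter
# Constructed sample: the idmap lines from the thread's smb.conf, carrying the defects
# Rowland points out (indentation varies, as it does in the mail).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = YALE
   password server = ad1.yu.yale.edu ad2.yu.yale.edu
   idmap config * : range = 16777216-33554431
idmap config YU:schema_mode = rfc2307
idmap config YU:range = 100000-199999
idmap config YU:backend = rid
idmap config * : range = 16777216-33554431
"""
IDMAP_RE = re.compile(r"^idmap config (\S+) ?: ?(\w+)$")

def norm_key(key):
    # Lower-case, collapse whitespace, and write idmap keys as 'idmap config DOM:opt'
    key = " ".join(key.lower().split())
    m = IDMAP_RE.match(key)
    return f"idmap config {m.group(1)}:{m.group(2)}" if m else key

def parse_global(conf):
    # (key, value) pairs from [global]; duplicates are kept so they can be reported
    pairs, section = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((norm_key(key), value.strip()))
    return pairs

def lint_idmap(conf):
    # Flag the domain-member mistakes raised in the thread, as a list of strings
    pairs = parse_global(conf)
    findings = [f"duplicate setting: '{k}' appears {n} times"
                for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    settings = dict(pairs)
    workgroup = settings.get("workgroup", "").upper()
    if "password server" in settings:
        findings.append("'password server' is set; let Samba find the DCs itself")
    domains = {IDMAP_RE.match(k).group(1).upper() for k in settings if IDMAP_RE.match(k)} - {"*"}
    for dom in sorted(domains):
        if dom != workgroup:
            findings.append(f"idmap domain '{dom}' does not match workgroup '{workgroup}'")
        if (f"idmap config {dom.lower()}:schema_mode" in settings
                and settings.get(f"idmap config {dom.lower()}:backend", "").lower() == "rid"):
            findings.append(f"'schema_mode' is set for '{dom}' but the rid backend does not use it")
    return findings
```

Running `lint_idmap(SAMPLE_SMB_CONF)` returns four findings, one per point in the reply; a config with matching domain name, a single `idmap config *` range and no `password server` line returns an empty list.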



