[Samba] username map with “security = ads”
rpenny at samba.org
Thu May 2 10:41:15 UTC 2019
On Thu, 2 May 2019 11:59:45 +0200
Philipp Gesang via samba <samba at lists.samba.org> wrote:
> Hey guys,
> on a machine with the role “member server”, joining AD requires
> setting “security = ads”.
This would make your computer a Unix domain member of an active
> Access to shares using local users set up through smbpasswd requires
> “security = user”.
You cannot have 'local' users in an AD domain, they are are either
domain users or they are unknown to the domain.
> As I understand the man page, these are mutually exclusive.
> Now our use case requires for the machine to be joined but also grant
> access to shares to local users.
Not going to happen, because your local users will be unknown to the
> Share access for domain users is not desirable as clients are mostly
> automated remote services that needn’t be AD aware.
Might not be desirable, but you might have to do it.
> I guess handing net a different smb.conf to perform the join is
> the obvious quick'n'dirty fix.
I cannot see how this would work, yes you could use a very small
smb.conf to join the domain and then expand on it, but you would still
have local users that would not be known to the domain.
> I’m wondering though if there is a parameter that would make this
No, there is nothing you can do that would allow what you want to do.
Have you considered setting Samba up a standalone server ?
More information about the samba