[Samba] username map with “security = ads”

Rowland Penny rpenny at samba.org
Thu May 2 10:41:15 UTC 2019

On Thu, 2 May 2019 11:59:45 +0200
Philipp Gesang via samba <samba at lists.samba.org> wrote:

> Hey guys,
> on a machine with the role “member server”, joining AD requires
> setting “security = ads”.

This would make your computer a Unix domain member of an Active
Directory domain.

> Access to shares using local users set up through smbpasswd requires
> “security = user”.

You cannot have 'local' users in an AD domain, they are either
domain users or they are unknown to the domain.

> As I understand the man page, these are mutually exclusive.


> Now our use case requires for the machine to be joined but also grant
> access to shares to local users.

Not going to happen, because your local users will be unknown to the

> Share access for domain users is not desirable as clients are mostly
> automated remote services that needn’t be AD aware.

Might not be desirable, but you might have to do it.

> I guess handing net a different smb.conf to perform the join is
> the obvious quick'n'dirty fix.

I cannot see how this would work, yes you could use a very small
smb.conf to join the domain and then expand on it, but you would still
have local users that would not be known to the domain.

> I’m wondering though if there is a parameter that would make this
> unnecessary.

No, there is nothing you can do that would allow what you want to do.

Have you considered setting Samba up as a standalone server?

