[Samba] username map with “security = ads”

Rowland Penny rpenny at samba.org
Thu May 2 12:12:41 UTC 2019

On Thu, 2 May 2019 13:34:01 +0200
Philipp Gesang <philipp.gesang at intra2net.com> wrote:

> Hi Rowland,

> >   
> > > Now our use case requires for the machine to be joined but also
> > > grant access to shares to local users.  
> > 
> > Not going to happen, because your local users will be unknown to the
> > domain.  
> That’s the point: The shares aren’t intended for domain users to
> access.

If this is a domain member, then ONLY the domain users will be allowed
access to the shares.

> > Have you considered setting Samba up a standalone server ?  
> Samba is currently functioning as a standalone server.
> Additionally we wish to leverage the AD member functionality to
> join those boxes to AD domains. The credentials acquired that way
> (keytabs) are then used by other services to have domain accounts
> (people and hosts) authenticate against AD. The shares however
> have a different purpose and can’t be switched to require AD
> without breaking existing deployments.
> A second smb.conf is an acceptable workaround, I think.

The only thing that I think that might work is not just one
smb.conf, but double everything (except nmbd), one joined to the
domain and one not.

I personally wouldn't do anything like this, it is fraught with
potential problems and dangers.

Whilst you do not want to put your local users into AD, this might be
your easiest and best way out of your problem. Create an AD group and
add all your 'local unix users' to this group, then only allow access
to the Samba shares to members of this group.


More information about the samba mailing list