[Samba] username map with “security = ads”
Philipp Gesang
philipp.gesang at intra2net.com
Thu May 2 12:27:32 UTC 2019
-<| Quoting Rowland Penny via samba <rpenny at samba.org>, on Thursday, 2019-05-02 01:12:41 PM |>-
> On Thu, 2 May 2019 13:34:01 +0200
> Philipp Gesang <philipp.gesang at intra2net.com> wrote:
>
> > Hi Rowland,
>
> > >
> > > > Now our use case requires for the machine to be joined but also
> > > > grant access to shares to local users.
> > >
> > > Not going to happen, because your local users will be unknown to the
> > > domain.
> >
> > That’s the point: The shares aren’t intended for domain users to
> > access.
>
> If this is a domain member, then ONLY the domain users will be allowed
> access to the shares.
with
server role = member server
security = user
I can logon with smbclient as local user using username%password.
With
server role = member server
security = ads
and all other things being equal, I can’t (“session setup failed:
NT_STATUS_NO_LOGON_SERVERS”). This is from a client without any
domain awareness whatsoever.
> > > Have you considered setting Samba up a standalone server ?
> >
> > Samba is currently functioning as a standalone server.
> > Additionally we wish to leverage the AD member functionality to
> > join those boxes to AD domains. The credentials acquired that way
> > (keytabs) are then used by other services to have domain accounts
> > (people and hosts) authenticate against AD. The shares however
> > have a different purpose and can’t be switched to require AD
> > without breaking existing deployments.
> >
> > A second smb.conf is an acceptable workaround, I think.
>
> The only thing that I think that might work is not just one
> smb.conf, but double everything (except nmbd), one joined to the
> domain and one not.
Namspacing the two sambas could be an option.
> I personally wouldn't do anything like this, it is fraught with
> potential problems and dangers.
>
> Whilst you do not want to put your local users into AD, this might be
> your easiest and best way out of your problem. Create an AD group and
> add all your 'local unix users' to this group, then only allow access
> to the Samba shares to members of this group.
Wouldn’t that also imply that accesses need to authenticate
against AD?
Philipp
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20190502/d41109be/signature.sig>
More information about the samba
mailing list