[Samba] username map with “security = ads”

Rowland Penny rpenny at samba.org
Thu May 2 13:04:14 UTC 2019


On Thu, 2 May 2019 14:27:32 +0200
Philipp Gesang <philipp.gesang at intra2net.com> wrote:

> with
> 
>   server role = member server
>   security = user

The 'security = user' overrides the 'server role = member server'.
It is a 'standalone server'.
What is more, unless you have changed the workgroup, you now have a
'workgroup' and a 'domain' with the same name.

> 
> I can logon with smbclient as local user using username%password.

Well, yes, you would be able to, because it is a standalone server.

> With
> 
>   server role = member server
>   security = ads
> 
> and all other things being equal, I can’t (“session setup failed:
> NT_STATUS_NO_LOGON_SERVERS”). This is from a client without any
> domain awareness whatsoever.

Just adding 'security = ads' doesn't make a computer a domain member,
you have to join it to the domain and if it isn't a domain member, it
wouldn't be able to find the DC.

> > Whilst you do not want to put your local users into AD, this might
> > be your easiest and best way out of your problem. Create an AD
> > group and add all your 'local unix users' to this group, then only
> > allow access to the Samba shares to members of this group.  
> 
> Wouldn’t that also imply that accesses need to authenticate
> against AD?

Yes, but why would this be a problem?

Rowland
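
A sketch of the setup discussed in this message, added here as an example and not taken from the thread or from the Samba project: a domain-member smb.conf in which share access is limited to one AD group. The realm and workgroup EXAMPLE.COM / EXAMPLE, the group `unixusers`, the share name and path, and the idmap ranges are all placeholder assumptions.

```ini
# Constructed example: domain member with access restricted to one AD group.
# All names and ranges below are placeholders, not values from the thread.

[global]
    # NetBIOS domain name and Kerberos realm of the AD domain (placeholders)
    workgroup = EXAMPLE
    realm = EXAMPLE.COM

    # These two settings must agree. As noted in the message above,
    # 'security = user' here would make this a standalone server instead.
    server role = member server
    security = ads

    # ID mapping: default domain for BUILTIN and local accounts,
    # and a separate, non-overlapping range for the AD domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 10000-999999

# The settings above do not join the machine. Without a join the server
# cannot locate a DC, which matches the NT_STATUS_NO_LOGON_SERVERS error
# quoted in the message. Join and verify from a root shell:
#   net ads join -U Administrator
#   net ads testjoin
# Then check the effective configuration with:
#   testparm -s

[data]
    path = /srv/samba/data
    read only = no
    # Only members of this AD group may connect to the share;
    # they authenticate against AD, not against local accounts.
    valid users = @"EXAMPLE\unixusers"
```

The `server role` that `testparm -s` prints is the quickest way to confirm whether the server ended up as a domain member or a standalone server.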
