[Samba] Samba as AD controller and local auth

David Puffer cherok at gmx.net
Sun May 19 08:27:47 UTC 2019 

Hello all,

I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
Since I installed and set up the AD DC, local user authentication for shares is not working anymore.

Before: Simple Samba shares with authentication against local samba users -> worked
After: Only domain user authentication works.

The global section of smb.conf:

[global]
	include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
	printcap name = cups
	winbind enum groups = yes
	include = /var/tmp/nginx/smb.netbios.aliases.conf
	workgroup = <MYDOMAIN>
	server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
	local master = no
	realm = <FQDN_IF_MYDOMAIN>
	netbios name = SYNOLOGY
	private dir = /var/packages/ActiveDirectoryServer/target/private
	server role = active directory domain controller
	printing = cups
	max protocol = SMB2
	winbind enum users = yes
	load printers = yes
	log level = 10


I am trying to mount a share like so from another Linux box (using both Linux and Windows boxes on the network):

mount --verbose -t cifs -o user=MYUSER,ro //NAS_IP/Share ./localMountPath

which is prompting me for a passwd and then displaying:

mount.cifs kernel mount options: ip=NAS_IP,unc=\\NAS_IP\Share,user=MYUSER,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Checking out the logfiles on the Synology, I can see that apparently the (local) user is being mapped to the domain, and authenticated against the domain, which does not work because that user is not a domain user:

auth_check_password_send: Checking password for unmapped user []\[MYUSER]@[10.8.0.10]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[MYUSER]@[10.8.0.10]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327940, all 3, pid=17177] auth_check_password_async_trigger
  anonymous want_check [NT_STATUS_NOT_IMPLEMENTED]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327982, all 3, pid=17177] auth_check_password_async_trigger
  sam_ignoredomain want_check [NT_STATUS_OK]
../source4/auth/ntlm/auth_sam.c:63: [2019/05/19 10:24:30.328291, all 3, pid=17177] authsam_search_account
  sam_search_user: Couldn't find user [MYUSER] in samdb, under DC=MYDOMAIN,DC=DOMAIN,DC=TLD,DC=TLD
../source4/auth/ntlm/auth.c:388: [2019/05/19 10:24:30.328320, all 3, pid=17177] auth_check_password_async_trigger
  sam_ignoredomain check_password [NT_STATUS_NO_SUCH_USER]

How would I force Samba to authenticate against the local user db (which worked before setting up Samba as AD domain controller)?

I did try specifying the domain= option for the mount.cifs command (with values “.”, “localhost”, “NAS-Hostname”, “127.0.0.01”), all to no avail. What am I missing?

Appreciating any help!

best,

David

More information about the samba mailing list