[Samba] Samba as AD controller and local auth
David Puffer
cherok at gmx.net
Sun May 19 08:27:47 UTC 2019
Hello all,
I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
Before: Simple Samba shares with authentication against local samba users -> worked
After: Only domain user authentication works.
The global section of smb.conf:
[global]
include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
printcap name = cups
winbind enum groups = yes
include = /var/tmp/nginx/smb.netbios.aliases.conf
workgroup = <MYDOMAIN>
server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
local master = no
realm = <FQDN_IF_MYDOMAIN>
netbios name = SYNOLOGY
private dir = /var/packages/ActiveDirectoryServer/target/private
server role = active directory domain controller
printing = cups
max protocol = SMB2
winbind enum users = yes
load printers = yes
log level = 10
I am trying to mount a share like so from another Linux box (using both Linux and Windows boxes on the network):
mount --verbose -t cifs -o user=MYUSER,ro //NAS_IP/Share ./localMountPath
which is prompting me for a passwd and then displaying:
mount.cifs kernel mount options: ip=NAS_IP,unc=\\NAS_IP\Share,user=MYUSER,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Checking out the logfiles on the Synology, I can see that apparently the (local) user is being mapped to the domain, and authenticated against the domain, which does not work because that user is not a domain user:
auth_check_password_send: Checking password for unmapped user []\[MYUSER]@[10.8.0.10]
auth_check_password_send: mapped user is: [MYDOMAIN]\[MYUSER]@[10.8.0.10]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327940, all 3, pid=17177] auth_check_password_async_trigger
anonymous want_check [NT_STATUS_NOT_IMPLEMENTED]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327982, all 3, pid=17177] auth_check_password_async_trigger
sam_ignoredomain want_check [NT_STATUS_OK]
../source4/auth/ntlm/auth_sam.c:63: [2019/05/19 10:24:30.328291, all 3, pid=17177] authsam_search_account
sam_search_user: Couldn't find user [MYUSER] in samdb, under DC=MYDOMAIN,DC=DOMAIN,DC=TLD,DC=TLD
../source4/auth/ntlm/auth.c:388: [2019/05/19 10:24:30.328320, all 3, pid=17177] auth_check_password_async_trigger
sam_ignoredomain check_password [NT_STATUS_NO_SUCH_USER]
How would I force Samba to authenticate against the local user db (which worked before setting up Samba as AD domain controller)?
I did try specifying the domain= option for the mount.cifs command (with values “.”, “localhost”, “NAS-Hostname”, “127.0.0.01”), all to no avail. What am I missing?
Appreciating any help!
best,
David
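The log lines quoted above can be parsed to pick out exactly this situation: a login sent without a domain, mapped by the DC into its own realm, then rejected with NT_STATUS_NO_SUCH_USER. This is an added example, not code from the post or from Samba; the regexes assume the log level 10 format quoted above, and the sample log is constructed from those lines.

```python
import re

# Constructed sample, modelled on the log level 10 lines quoted in the post.
SAMPLE_LOG = """\
auth_check_password_send: Checking password for unmapped user []\\[MYUSER]@[10.8.0.10]
auth_check_password_send: mapped user is: [MYDOMAIN]\\[MYUSER]@[10.8.0.10]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327940, all 3, pid=17177] auth_check_password_async_trigger
  anonymous want_check [NT_STATUS_NOT_IMPLEMENTED]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327982, all 3, pid=17177] auth_check_password_async_trigger
  sam_ignoredomain want_check [NT_STATUS_OK]
../source4/auth/ntlm/auth_sam.c:63: [2019/05/19 10:24:30.328291, all 3, pid=17177] authsam_search_account
  sam_search_user: Couldn't find user [MYUSER] in samdb, under DC=MYDOMAIN,DC=DOMAIN,DC=TLD,DC=TLD
../source4/auth/ntlm/auth.c:388: [2019/05/19 10:24:30.328320, all 3, pid=17177] auth_check_password_async_trigger
  sam_ignoredomain check_password [NT_STATUS_NO_SUCH_USER]
"""

# [domain]\[user]@[client ip] as printed by auth_check_password_send
UNMAPPED_RE = re.compile(r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ip>[^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ip>[^\]]*)\]")
# "<backend> want_check|check_password [NT_STATUS_...]" lines from the auth modules
RESULT_RE = re.compile(r"^\s*(?P<backend>\w+) (?P<stage>want_check|check_password) \[(?P<status>NT_STATUS_\w+)\]")
TS_RE = re.compile(r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),")

def parse_auth_log(text):
    """Group the log into auth attempts: who asked, what the DC mapped it to,
    which auth backends ran, and the final NT_STATUS."""
    attempts, cur, last_ts = [], None, None
    for line in text.splitlines():
        if (m := TS_RE.search(line)):
            last_ts = m["ts"]
        if (m := UNMAPPED_RE.search(line)):           # a new attempt starts here
            cur = {"client_domain": m["dom"], "user": m["user"], "ip": m["ip"],
                   "mapped_domain": None, "checks": [], "final_status": None, "time": None}
            attempts.append(cur)
        elif cur is not None and (m := MAPPED_RE.search(line)):
            cur["mapped_domain"] = m["dom"]
        elif cur is not None and (m := RESULT_RE.match(line)):
            cur["checks"].append((m["backend"], m["stage"], m["status"]))
            if m["stage"] == "check_password":      # the verdict for this attempt
                cur["final_status"], cur["time"] = m["status"], last_ts
    return attempts

def local_logins_rejected_by_dc(attempts):
    """The symptom in the post: no domain supplied, name mapped into the DC's
    realm, and the SAM lookup then failed."""
    return [a for a in attempts if a["client_domain"] == "" and a["mapped_domain"]
            and a["final_status"] == "NT_STATUS_NO_SUCH_USER"]
```

Run over a real log at level 10, the second function lists every account that a client expected to be local but the DC only looked for in samdb.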