[Samba] Samba as AD controller and local auth

Rowland penny rpenny at samba.org
Sun May 19 08:59:36 UTC 2019

On 19/05/2019 09:27, David Puffer via samba wrote:
> Hello all,
> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.

How did you create the AD DC ?

Did you provision it ?

> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.

Define 'local user authentication'

> Before: Simple Samba shares with authentication against local samba users -> worked

Sounds like it was a standalone server

> After: Only domain user authentication works.

Now here is the thing, it is now an AD DC, so any user that connects
will need to be a Domain user.

> The global section of smb.conf:
> [global]
> 	include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
> 	printcap name = cups
> 	winbind enum groups = yes
> 	include = /var/tmp/nginx/smb.netbios.aliases.conf
> 	workgroup = <MYDOMAIN>
> 	server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
> 	local master = no
> 	realm = <FQDN_IF_MYDOMAIN>
> 	netbios name = SYNOLOGY
> 	private dir = /var/packages/ActiveDirectoryServer/target/private
> 	server role = active directory domain controller
> 	printing = cups
> 	max protocol = SMB2
> 	winbind enum users = yes
> 	load printers = yes
> 	log level = 10

Why have you mangled your smb.conf, for instance, what is in 
'smb.netbios.aliases.conf' ?

Are you aware that there is no network browsing with a Samba AD DC ?

Fix your smb.conf, understand that your users will now need to be stored 
in AD and you should get things to work.

