[Samba] Samba as AD controller and local auth

David Puffer cherok at gmx.net
Sun May 19 09:09:44 UTC 2019

Hello Rowland, thanks for your reply - please find my answers below:

> On 19.05.2019, at 10:59, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 19/05/2019 09:27, David Puffer via samba wrote:
>> Hello all,
>> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
> How did you create the AD DC ?
> Did you provision it ?

This was done fully automatically by the Synology package install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.

>> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
> Define 'local user authentication'

Authentication of samba users that correspond to local Linux system users (/etc/passwd).

>> Before: Simple Samba shares with authentication against local samba users -> worked
> Sounds like it was a standalone server

Yes, exactly.

>> After: Only domain user authentication works.
> Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.

So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?
There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: specifying the sequence of attempted authentication methods (in my case: local users first, then AD users).

Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication describes the behavior I would like to use.

>> The global section of smb.conf:
>> [global]
>> 	include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
>> 	printcap name = cups
>> 	winbind enum groups = yes
>> 	include = /var/tmp/nginx/smb.netbios.aliases.conf
>> 	workgroup = <MYDOMAIN>
>> 	server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
>> 	local master = no
>> 	realm = <FQDN_IF_MYDOMAIN>
>> 	netbios name = SYNOLOGY
>> 	private dir = /var/packages/ActiveDirectoryServer/target/private
>> 	server role = active directory domain controller
>> 	printing = cups
>> 	max protocol = SMB2
>> 	winbind enum users = yes
>> 	load printers = yes
>> 	log level = 10
> Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?

I haven’t, this file was auto-generated by the Synology NAS GUI.

> Are you aware that there is no network browsing with a Samba AD DC ?
> Fix your smb.conf, understand that your users will now need to be stored in AD and you should get things to work.
> Rowland
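A small check I would run over a [global] section like the one posted above before expecting /etc/passwd accounts to log in (added example, not code from Samba, Synology or anyone on the thread; the sample text is a constructed subset of the posted smb.conf, and `include` lines are not resolved):

```python
import re
from typing import Dict, List

# Constructed sample mirroring the posted [global] section (placeholders kept).
SAMPLE_SMB_CONF = """
[global]
\tworkgroup = <MYDOMAIN>
\tserver role = active directory domain controller
\tlocal master = no
\tlog level = 10
\tmax protocol = SMB2
"""


def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs of the [global] section; keys lower-cased, inner whitespace collapsed."""
    section = None
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                      # share sections are out of scope here
        key, _, value = line.partition("=")
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def check_local_auth_expectation(params: Dict[str, str]) -> List[str]:
    """Findings to raise before assuming server-local (/etc/passwd) users can authenticate."""
    findings: List[str] = []
    role = params.get("server role", "").lower()
    if role == "active directory domain controller":
        findings.append("server role is AD DC: accounts that connect must exist in AD; "
                        "local /etc/passwd users are not a supported login source here")
        if "auth methods" in params:
            findings.append("auth methods is set; the answer on the list is to keep users in AD, "
                            "not to reorder authentication on the DC")
    level = params.get("log level", "").split()
    if level and level[0].isdigit() and int(level[0]) >= 10:
        findings.append("log level 10 is full debug output: expect very large logs that can "
                        "carry account details; lower it once troubleshooting is done")
    return findings
```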
