[Samba] Samba as AD controller and local auth
cherok at gmx.net
Sun May 19 09:09:44 UTC 2019
Hello Rowland, thanks for your reply - please find my answers below:
> On 19.05.2019, at 10:59, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 19/05/2019 09:27, David Puffer via samba wrote:
>> Hello all,
>> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
> How did you create the AD DC ?
> Did you provision it ?
This was done fully automatically by the Synology packet install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.
>> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
> Define 'local user authentication’
Authentication of samba users that correspond to local Linux system users (/etc/passwd).
>> Before: Simple Samba shares with authentication against local samba users -> worked
> Sounds like it was a standalone server
>> After: Only domain user authentication works.
> Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.
So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?
There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: Specifying the sequence of attempted authentication
methods (in my case: local users first, then AD users).
Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication <https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication>
is describing the behavior I would like to use.
>> The global section of smb.conf:
>> include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
>> printcap name = cups
>> winbind enum groups = yes
>> include = /var/tmp/nginx/smb.netbios.aliases.conf
>> workgroup = <MYDOMAIN>
>> server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
>> local master = no
>> realm = <FQDN_IF_MYDOMAIN>
>> netbios name = SYNOLOGY
>> private dir = /var/packages/ActiveDirectoryServer/target/private
>> server role = active directory domain controller
>> printing = cups
>> max protocol = SMB2
>> winbind enum users = yes
>> load printers = yes
>> log level = 10
> Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf’ ?
I haven’t, this file was auto-generated by the Synology NAS GUI.
> Are you aware that there is no network browsing with a Samba AD DC ?
> Fix your smb.conf, understand that your users will now need to be stored in AD and you should get things to work.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba