[Samba] Samba as AD controller and local auth

Rowland penny rpenny at samba.org
Sun May 19 09:23:44 UTC 2019


On 19/05/2019 10:09, David Puffer via samba wrote:
> Hello Rowland, thanks for your reply - please find my answers below:
>
>> On 19.05.2019, at 10:59, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 19/05/2019 09:27, David Puffer via samba wrote:
>>> Hello all,
>>>
>>> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
>> How did you create the AD DC ?
>>
>> Did you provision it ?
> This was done fully automatically by the Synology packet install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.

So Synology must have scripted the provision.

>
>>> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
>> Define 'local user authentication' ?
> Authentication of samba users that correspond to local Linux system users (/etc/passwd).
You do not have the same users in /etc/passwd and AD any more, but, on a Samba DC, all users in AD should be known to the OS, provided nsswitch.conf is set up correctly.
>
>>> Before: Simple Samba shares with authentication against local samba users -> worked
>> Sounds like it was a standalone server
> Yes, exactly.
>
>>> After: Only domain user authentication works.
>> Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.
> So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?
Not from Samba, you need to add any local users to AD that you want to connect to shares and remove them from /etc/passwd.
> There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: Specifying the sequence of attempted authentication
> methods (in my case: local users first, then AD users).
>
> Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication
> is describing the behavior I would like to use.
You could try it, but that was written quite some time ago and I don't think it will work.
>
>>> The global section of smb.conf:
>>>
>>> [global]
>>> 	include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
>>> 	printcap name = cups
>>> 	winbind enum groups = yes
>>> 	include = /var/tmp/nginx/smb.netbios.aliases.conf
>>> 	workgroup = <MYDOMAIN>
>>> 	server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
>>> 	local master = no
>>> 	realm = <FQDN_IF_MYDOMAIN>
>>> 	netbios name = SYNOLOGY
>>> 	private dir = /var/packages/ActiveDirectoryServer/target/private
>>> 	server role = active directory domain controller
>>> 	printing = cups
>>> 	max protocol = SMB2
>>> 	winbind enum users = yes
>>> 	load printers = yes
>>> 	log level = 10
>> Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?
> I haven’t, this file was auto-generated by the Synology NAS GUI.
Then, in my opinion, Synology has mangled it ;-)

Rowland
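An added audit helper for the two points Rowland makes above (every account that connects to a share on a DC must live in AD, and the OS must resolve AD users through nsswitch.conf). This is example code written for this page, not from the thread or the Samba project; it reads an nsswitch.conf and a passwd file passed as arguments, and the sample files it builds are constructed, not real data.

```shell
#!/bin/sh
# Print "ok" if both the passwd and group databases in the given nsswitch.conf
# consult winbind; otherwise name the databases that do not.
nss_winbind_check() {
    nss_file="$1"
    missing=""
    for db in passwd group; do
        # take the line for this database (comments start with '#', so they
        # never match the anchored pattern) and look for the winbind source
        if ! grep -E "^[[:space:]]*${db}:" "$nss_file" | grep -qw winbind; then
            missing="${missing}${db} "
        fi
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "no winbind for: ${missing% }"
    fi
}

# List ordinary accounts (UID 1000..65533) from a passwd file. On a DC these
# are the local accounts that, per the thread, need recreating in AD and
# removing from /etc/passwd before they can authenticate to shares.
local_share_users() {
    awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' "$1"
}

# Constructed sample files (hypothetical content, not from any real host).
tmpd=$(mktemp -d)
cat > "$tmpd/nsswitch.conf" <<'EOF'
# constructed sample: passwd lacks winbind, group has it
passwd: files
group:  files winbind
shadow: files
EOF
cat > "$tmpd/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
EOF

nss_winbind_check "$tmpd/nsswitch.conf"   # prints: no winbind for: passwd
local_share_users "$tmpd/passwd"          # prints alice and bob, one per line
```

Run it against the live files with `nss_winbind_check /etc/nsswitch.conf` and `local_share_users /etc/passwd` on the DC.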
