[Samba] File server questions

Rowland penny rpenny at samba.org
Thu Jun 4 16:35:20 UTC 2020


On 04/06/2020 17:00, mathias dufresne wrote:
>
>
> Yes, you're right. But I do believe this distinction has nothing to do 
> here. If some Samba server has a local/system user declared with UID > 
> 1000, it is still a valid user for this system and, as it is a server, this 
> user and its UID have to be taken into consideration when preparing 
> smb.conf and "range *".
The '*' domain is meant for the Well Known SIDs and anything outside the 
'DOMAIN' domain
>
> Then, what's left? Samba user database and system users databases. So, 
> Samba users and system users. Sorry about that, but that's the best way 
> I found to make this clear in my fellow colleagues' heads.
If you are using 'security = ADS' then AD, just AD, store everything in 
AD (which is the whole point behind AD, one point of maintenance). You 
do not have Samba users, or local unix users, or Windows users, you just 
have AD users ;-)
>
>     >
>     > Now for these system users coming from AD, so they can authenticate
>     > (i.e. use their AD password and log into the system, like having a
>     > shell), this is managed by pam_winbind.so and PAM configuration.
>     >
>     > Without PAM configured we can have winbindd generating users which
>     > will be available in "getent passwd" commands (with the username
>     > needing to be specified if enumeration is not permitted in
>     > smb.conf), but these users won't be usable in interactive sessions;
>     > they won't be able to authenticate on the system side.
>     No, Samba will know and use them, but the underlying OS wouldn't.
>
>
> So, that's a yes :D
No, that's a NO. Samba might know about them (see wbinfo -u) but the 
underlying OS wouldn't, and it would have to, to allow files to be 
created or read.
> I just reconnected to my client's VPN; they are using CentOS 7 and 
> Samba 4.10.4-10.el7.
>
> Samba authentication is in ADS mode, only smbd is running, all works 
> like a charm.
Are you sure that sssd isn't running? And if it is, you should either use 
idmap_sss or winbind.
>
> This configuration which uses local /etc/passwd is not what I 
> recommend to them. Plus, they don't want to have Samba/MS domain users 
> able to connect to the Samba server system. So, no winbind keyword in NSS 
> configuration.
>
> I just wrote this paragraph to show you your misunderstanding of 
> Linux/NSS/winbind behaviour ;)
No, I do understand it. I have seen a few lash-ups like this and they 
have all ended in tears. If you just want authentication, use sssd, 
preferably without Samba; Red Hat has some good documentation on doing 
this. If you need shares, then use Samba (with winbind) and set up Samba 
correctly.

Rowland
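As an added example, not part of the thread above, the following Python check reads the "idmap config ... : range" lines from an smb.conf and the local passwd database and reports the two problems discussed in this exchange: winbind ranges that overlap each other, and local/system users whose UID falls inside a winbind range. The smb.conf fragment and passwd lines are constructed for the example; the domain name DOMAIN and the user names are hypothetical.

```python
import re

# Constructed smb.conf fragment: '*' is the default/catch-all domain
# (well-known SIDs and anything outside DOMAIN), DOMAIN is the AD domain.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999
"""

# Constructed /etc/passwd lines: 'appsvc' is a local account with UID > 1000
# that lands inside the DOMAIN range, which is exactly the collision to avoid.
SAMPLE_PASSWD = """
root:x:0:0:root:/root:/bin/bash
backup:x:1001:1001::/srv/backup:/usr/sbin/nologin
appsvc:x:12000:12000::/srv/app:/usr/sbin/nologin
"""

RANGE_RE = re.compile(
    r"idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def parse_local_uids(passwd):
    """Return {name: uid} from passwd-format lines, skipping malformed ones."""
    uids = {}
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            uids[parts[0]] = int(parts[2])
    return uids

def check_idmap(conf, passwd):
    """List idmap problems: missing '*' range, overlapping ranges, local UIDs inside a range."""
    ranges = parse_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' configured")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo, hi = max(ranges[a][0], ranges[b][0]), min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                problems.append(f"ranges for '{a}' and '{b}' overlap ({lo}-{hi})")
    for name, uid in parse_local_uids(passwd).items():
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:
                problems.append(f"local user '{name}' (uid {uid}) is inside '{dom}' range {lo}-{hi}")
    return problems
```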
