[Samba] File server questions

Rowland penny rpenny at samba.org
Fri Jun 5 17:51:47 UTC 2020


On 05/06/2020 14:33, mathias dufresne via samba wrote:
> On Thu, 4 Jun 2020 at 15:43, Rowland penny via samba <samba at lists.samba.org>
> wrote:
>
>> On 04/06/2020 14:13, mathias dufresne via samba wrote:
>> [...]
>>> smbd: the file server, at least for modern usage. It can also grab user
>>> information from AD but not for system users, only for Samba users (the
>>> applicative users, used to authenticate when accessing Samba and later,
>> to
>>> shares)
>>> Is that true or not?
>> Not any more, smbd used to be able to fallback to AD, but this was
>> removed at 4.8.0
>>
>> 'smbd' is the fileserver component of Samba and requires winbind when
>> running with 'security = ADS'
>>
>> [...]
>
> I was very surprised to read that, as on CentOS 7 using Samba 4.10.4-10.el7
> and on Debian 10 using Samba 4.9.5+dfsg-5+deb10u1 I was able to get a
> working configuration where:
> - only smbd is running
> - Windows clients are using their AD account (and SSO mechanism)
> - once connected, users can access shares and the contained files and
> directories for modification.
>
> Used smb.conf in both cases:
> ----------------------------------------------------------------------------
> [global]
>    # AD access
>    realm = AD.DOMAIN.TLD
>    workgroup = AD
>    security = ads
>    kerberos method = secrets and keytab
>    log level = 3
>    username map = /etc/samba/usermap
>    server string = serveur
> #============================ Share Definitions ==============================
> [sharename]
>          path = /sharename
>          writeable = yes
>          browseable = yes
>          guest ok = yes
>          create mask = 0644
> ----------------------------------------------------------------------------
>
> These two test systems are using /etc/passwd and /etc/group as the user and
> group databases.
>
> It seems the "requirement" is not so required and so I'm kind of puzzled.
>
> mathias

Well, blow me down, it sort of works: I can connect via smbclient, but 
not from a Linux GUI client. It appears that 'smbd' is using Kerberos.
You have to create the AD users as local Unix users on the semi-AD 
machine, probably with the same password, and there is no way to get the 
same IDs on multiple machines (not unless you created the users and 
groups in exactly the same order).

I cannot suggest that this method be used in production; there is too 
much chance for error.

I personally will not support using this method. Samba in the past 
supported some bad ways of working, and there is no need to continue 
supporting bad ideas.

Rowland
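Two checks a practitioner would want for the arrangement discussed in this thread, as an added example that is not code from the thread or from the Samba project. The first compares /etc/passwd snapshots from two hosts that were given "the same" hand-created Unix users and lists the accounts whose numeric uid differs (the id drift Rowland warns about). The second reports whether an smb.conf sets 'security = ads' without any 'idmap config <WORKGROUP> : ...' entries, i.e. the smbd-only setup Mathias posted rather than a winbind member server. The idmap option names are Samba's own; treating their absence as a warning is this script's heuristic, the sample passwd files and the idmap ranges are constructed for illustration, and the smb.conf fragment is reduced to the [global] lines from the posted file.

```shell
#!/bin/sh
# Added example, not code from the thread or the Samba project.
#   uid_mismatches        - compare two passwd snapshots and print the accounts
#                           whose uid differs between hosts.
#   smbconf_missing_idmap - exit 0 when an smb.conf has 'security = ads' but no
#                           'idmap config <workgroup> : ...' entry (smbd-only
#                           setup), 1 otherwise.  Heuristic, not a Samba tool.

uid_mismatches() {
    # $1, $2: passwd files.  Prints "name uid_in_1 uid_in_2" for each
    # account present in both files with a different numeric uid.
    awk -F: 'NR == FNR { uid[$1] = $3; next }
             ($1 in uid) && uid[$1] != $3 { print $1, uid[$1], $3 }' "$1" "$2"
}

smbconf_missing_idmap() {
    # $1: smb.conf.  Section headers are ignored; keys are compared
    # case-insensitively with surrounding whitespace stripped.
    awk -F= '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
        }
        key == "security" && val == "ads" { ads = 1 }
        key == "workgroup"                 { wg = val }
        key ~ /^idmap config/ {
            dom = key
            sub(/^idmap config[ \t]+/, "", dom)    # "ad : backend" ...
            sub(/[ \t]*:.*$/, "", dom)             # ... becomes "ad"
            seen[dom] = 1
        }
        END { exit !(ads && !(wg in seen)) }
    ' "$1"
}

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed passwd snapshots: the same people, created in a different
# order on each host, so alice and bob swap uids between the two machines.
PASSWD_A=$TMPD/passwd.a
PASSWD_B=$TMPD/passwd.b
cat > "$PASSWD_A" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
EOF
cat > "$PASSWD_B" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
carol:x:1003:1003:Carol:/home/carol:/bin/sh
EOF

# [global] lines from the smb.conf posted in the thread (smbd only).
SMBCONF_THREAD=$TMPD/smb.conf.thread
SMBCONF_WINBIND=$TMPD/smb.conf.winbind
cat > "$SMBCONF_THREAD" <<'EOF'
[global]
   realm = AD.DOMAIN.TLD
   workgroup = AD
   security = ads
   kerberos method = secrets and keytab
   username map = /etc/samba/usermap
EOF
# Same [global] plus the idmap entries a winbind member server carries.
# The rid backend and the ranges are illustrative placeholders.
{ cat "$SMBCONF_THREAD"; cat <<'EOF'
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config AD : backend = rid
   idmap config AD : range = 10000-999999
EOF
} > "$SMBCONF_WINBIND"

echo "uid mismatches between the two hosts (name uid_a uid_b):"
uid_mismatches "$PASSWD_A" "$PASSWD_B"
for f in "$SMBCONF_THREAD" "$SMBCONF_WINBIND"; do
    if smbconf_missing_idmap "$f"; then
        echo "$f: security = ads with no idmap config for the workgroup"
    else
        echo "$f: idmap config present for the workgroup"
    fi
done
```

Run against real hosts by pointing uid_mismatches at `/etc/passwd` copied from each file server; any line it prints is a user whose files on one server will show up as somebody else's on the other. With winbind and a deterministic idmap backend the ids are derived from the AD RID instead of from creation order, which is why the second check treats a missing idmap block as the thing to fix.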
