[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Martin Decker martin.decker at ora-solutions.net
Thu Jan 13 14:00:31 UTC 2022


Hello List,

I am trying to set up Samba 4.14 on CentOS 8.

The Linux node is already joined to an AD domain with sssd for local SSH
authentication and I can log on to the system with my AD account.

Now, I need to set up Samba to share some directories with Windows Desktop
Clients. Some of the shares should only be accessible with local Linux
username/password credentials so that the client has to map a network drive
and put in the username/password credentials of the local Linux account.

Other shares should take the AD account of the Windows client user and map
the share directly without asking for username/passwd.

1) Is such a mixture possible?

2) The "realm" string is the realm name from AD. What is the correct value
for "WORKGROUP"? How can I find out which value to put there?

3) This is the current, non-working smb.conf file:

[global]
    realm = EXAMPLE.NET
    workgroup = EXAMPLE
    security = ads
    netbios name = myhostname
    os level = 20
    winbind enum users = yes
    winbind enum groups = yes
    server string = %m
    preferred master = no
    winbind refresh tickets = yes
    winbind separator = +
    kerberos method = secrets and keytab
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-999999
    idmap config EXAMPLE:unix_nss_info = yes
    winbind use default domain = yes
    dns proxy = no
    printing = cups
    printcap name = cups
    load printers = no
    cups options = raw
    winbind offline logon = yes
    max log size = 50
    log file = /var/log/samba/log.%m
    encrypt passwords = yes
    read only = No
    template shell = /bin/bash
    template homedir = /home/%U
    passdb backend = tdbsam

[intranet]
        valid users = mylocaluser
        comment = Intranet
        path = /SHARES/intranet
        wide links = yes
        directory mask = 0775
        create mode = 0664
        directory mode = 0775
        write list = mylocaluser
        create mask = 0775
        force create mask = 0775


Any ideas would be greatly appreciated.

Regards,
 Martin

