[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Christian Naumer cn at brain-biotech.de
Thu Jan 13 14:12:32 UTC 2022


The way you have set up sssd now, this is not possible. You need to set 
this up with winbind to make it work.
See here:

https://access.redhat.com/solutions/4290501

You might get this to work:

https://access.redhat.com/solutions/3802321

Behind a login but the account does not cost anything.


But this leaves out the local users. There are some on this list who 
have tried this with varying success.

Regards




On 13.01.22 at 15:00, Martin Decker via samba wrote:
> Hello List,
> 
> I am trying to set up Samba 4.14 on CentOS 8.
> 
> The linux node is already joined to an AD domain with sssd for local SSH
> authentication and I can log on to the system with my AD account.
> 
> Now, I need to set up Samba to share some directories with Windows Desktop
> Clients. Some of the shares should only be accessible with local Linux
> username/password credentials so that the client has to map network drive
> and put in username/password credentials of the local linux account.
> 
> Other shares should take the AD account of the windows client user and map
> the share directly without asking for username/passwd.
> 
> 1) Is such a mixture possible?
> 
> 2) The "realm" String is the realm name from AD. What is the correct value
> for "WORKGROUP"? How can I find out which value to put there?
> 
> 3) This is the current - non-working - smb.conf file:
> 
> [global]
>      realm = EXAMPLE.NET
>      workgroup = EXAMPLE
>      security = ads
>      netbios name = myhostname
>      os level = 20
>      winbind enum users = yes
>      winbind enum groups = yes
>      server string = %m
>      preferred master = no
>      winbind refresh tickets = yes
>      winbind separator = +
>      kerberos method = secrets and keytab
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config EXAMPLE:backend = rid
>      idmap config EXAMPLE:schema_mode = rfc2307
>      idmap config EXAMPLE:range = 10000-999999
>      idmap config EXAMPLE:unix_nss_info = yes
>      winbind use default domain = yes
>      dns proxy = no
>      printing = cups
>      printcap name = cups
>      load printers = no
>      cups options = raw
>      winbind offline logon = yes
>      max log size = 50
>      log file = /var/log/samba/log.%m
>      encrypt passwords = yes
>      read only = No
>      template shell = /bin/bash
>      template homedir = /home/%U
>      passdb backend = tdbsam
> 
> [intranet]
>          valid users = mylocaluser
>          comment = Intranet
>          path = /SHARES/intranet
>          wide links = yes
>          directory mask = 0775
>          create mode = 0664
>          directory mode = 0775
>          write list = mylocaluser
>          create mask = 0775
>          force create mask = 0775
> 
> 
> Any ideas would be greatly appreciated.
> 
> Regards,
>   Martin

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman), 
Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen

