[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups

Rowland Penny rpenny at samba.org
Thu Jan 13 15:07:48 UTC 2022


On Thu, 2022-01-13 at 15:00 +0100, Martin Decker via samba wrote:
> Hello List,
> 
> I am trying to set up Samba 4.14 on CentOS 8.
> 
> The Linux node is already joined to an AD domain with sssd for local SSH
> authentication and I can log on to the system with my AD account.
> 
> Now, I need to set up Samba to share some directories with Windows Desktop
> Clients. Some of the shares should only be accessible with local Linux
> username/password credentials so that the client has to map a network drive
> and put in the username/password credentials of the local Linux account.
> 
> Other shares should take the AD account of the Windows client user and map
> the share directly without asking for username/password.
> 
> 1) Is such a mixture possible?

Not really. Even Red Hat admits that while you can use sssd with Samba,
they do not recommend it; see here:

https://access.redhat.com/articles/4355391

> 
> 2) The "realm" string is the realm name from AD. What is the correct value
> for "WORKGROUP"? How can I find out which value to put there?

Run 'wbinfo --own-domain'

> 
> 3) This is the current, non-working, smb.conf file:
> 
> [global]
>     realm = EXAMPLE.NET
>     workgroup = EXAMPLE
>     security = ads
>     netbios name = myhostname

You do not actually need the above line
>     os level = 20
>     winbind enum users = yes
>     winbind enum groups = yes

Or those

>     server string = %m
>     preferred master = no

Or that

>     winbind refresh tickets = yes
>     winbind separator = +
>     kerberos method = secrets and keytab
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config EXAMPLE:backend = rid
>     idmap config EXAMPLE:schema_mode = rfc2307

Not when using the 'rid' backend

>     idmap config EXAMPLE:range = 10000-999999
>     idmap config EXAMPLE:unix_nss_info = yes

Not when using the 'rid' backend

>     winbind use default domain = yes
>     dns proxy = no
>     printing = cups
>     printcap name = cups
>     load printers = no
>     cups options = raw
>     winbind offline logon = yes
>     max log size = 50
>     log file = /var/log/samba/log.%m
>     encrypt passwords = yes

Will someone tell Red Hat that is a default setting.

>     read only = No
>     template shell = /bin/bash
>     template homedir = /home/%U
>     passdb backend = tdbsam

As is that.

> 
> [intranet]
>         valid users = mylocaluser
>         comment = Intranet
>         path = /SHARES/intranet
>         wide links = yes
>         directory mask = 0775
>         create mode = 0664
>         directory mode = 0775
>         write list = mylocaluser
>         create mask = 0775
>         force create mask = 0775

You might want to read this:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It is a better way.
Also, are you aware that the share would be read only?

Rowland
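The points above about settings the 'rid' backend ignores and options that are already Samba defaults can be checked mechanically. The following is an added example, not code from this thread or from the Samba project; it parses a constructed smb.conf modelled on the one quoted above and reports the same two classes of problem.

```python
"""Lint an smb.conf for idmap options the 'rid' backend ignores and for
settings already at their Samba default. Added example; the sample
config below is constructed from the thread, not a real deployment."""
import re
from collections import OrderedDict

# Constructed sample: the [global] idmap and default lines quoted above.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:schema_mode = rfc2307
    idmap config EXAMPLE:range = 10000-999999
    idmap config EXAMPLE:unix_nss_info = yes
    encrypt passwords = yes
    passdb backend = tdbsam
"""

# These idmap options belong to the 'ad' backend; 'rid' never reads them.
AD_ONLY_IDMAP_OPTIONS = {"schema_mode", "unix_nss_info"}
# Settings whose quoted value is already the Samba default.
SAMBA_DEFAULTS = {"encrypt passwords": "yes", "passdb backend": "tdbsam"}
IDMAP_RE = re.compile(r"^idmap config\s*(\S+?)\s*:\s*(\w+)$")

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} with keys lower-cased."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((" ".join(key.lower().split()), value))
    return sections

def lint(sections):
    """Return warnings for ignored idmap options and redundant defaults."""
    warnings, backends, idmap_opts = [], {}, []
    for key, value in sections.get("global", []):
        m = IDMAP_RE.match(key)
        if m and m.group(2) == "backend":
            backends[m.group(1)] = value.lower()       # remember per-domain backend
        elif m:
            idmap_opts.append((m.group(1), m.group(2)))
        elif key in SAMBA_DEFAULTS and value.lower() == SAMBA_DEFAULTS[key]:
            warnings.append(f"'{key} = {value}' is already the default")
    for domain, option in idmap_opts:
        if backends.get(domain) == "rid" and option in AD_ONLY_IDMAP_OPTIONS:
            warnings.append(f"idmap config {domain}:{option} is ignored by 'rid'")
    return warnings

if __name__ == "__main__":
    print("\n".join(lint(parse_smb_conf(SAMPLE_SMB_CONF))))
```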
