[Samba] Samba on CentOS 8 with sssd and AD users/groups and local users/groups
Rowland Penny
rpenny at samba.org
Thu Jan 13 15:07:48 UTC 2022
On Thu, 2022-01-13 at 15:00 +0100, Martin Decker via samba wrote:
> Hello List,
>
> I am trying to set up Samba 4.14 on CentOS 8.
>
> The Linux node is already joined to an AD domain with sssd for local SSH
> authentication and I can log on to the system with my AD account.
>
> Now, I need to set up Samba to share some directories with Windows Desktop
> clients. Some of the shares should only be accessible with local Linux
> username/password credentials, so that the client has to map the network
> drive and put in the username/password credentials of the local Linux account.
>
> Other shares should take the AD account of the Windows client user and map
> the share directly without asking for username/password.
>
> 1) Is such a mixture possible?
Not really. Even Red Hat admits that, while you can use sssd with Samba,
they do not recommend it; see here:
https://access.redhat.com/articles/4355391
>
> 2) The "realm" string is the realm name from AD. What is the correct value
> for "WORKGROUP"? How can I find out which value to put there?
Run 'wbinfo --own-domain'
>
> 3) This is the current, non-working, smb.conf file:
>
> [global]
> realm = EXAMPLE.NET
> workgroup = EXAMPLE
> security = ads
> netbios name = myhostname
You do not actually need the above line
> os level = 20
> winbind enum users = yes
> winbind enum groups = yes
Or those
> server string = %m
> preferred master = no
Or that
> winbind refresh tickets = yes
> winbind separator = +
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EXAMPLE:backend = rid
> idmap config EXAMPLE:schema_mode = rfc2307
Not when using the 'rid' backend
> idmap config EXAMPLE:range = 10000-999999
> idmap config EXAMPLE:unix_nss_info = yes
Not when using the 'rid' backend
> winbind use default domain = yes
> dns proxy = no
> printing = cups
> printcap name = cups
> load printers = no
> cups options = raw
> winbind offline logon = yes
> max log size = 50
> log file = /var/log/samba/log.%m
> encrypt passwords = yes
Will someone tell Red Hat that that is a default setting?
> read only = No
> template shell = /bin/bash
> template homedir = /home/%U
> passdb backend = tdbsam
As is that.
>
> [intranet]
> valid users = mylocaluser
> comment = Intranet
> path = /SHARES/intranet
> wide links = yes
> directory mask = 0775
> create mode = 0664
> directory mode = 0775
> write list = mylocaluser
> create mask = 0775
> force create mask = 0775
You might want to read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
It is a better way.
Also, are you aware that the share would be read only?
Rowland
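As an added check (my own script, not the poster's file or Samba's code), the block below parses the posted smb.conf with only the Python standard library and reports the two points the reply raises: lines that merely restate Samba defaults, and idmap options that only the 'ad' backend reads and the 'rid' backend ignores. The embedded config is a trimmed copy of the posted one.

```python
import configparser

# Sample input (constructed): the posted smb.conf, trimmed to the lines the reply comments on.
POSTED_SMB_CONF = """\
[global]
realm = EXAMPLE.NET
workgroup = EXAMPLE
security = ads
idmap config * : backend = tdb
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-999999
idmap config EXAMPLE:unix_nss_info = yes
encrypt passwords = yes
passdb backend = tdbsam
"""

# Parameters the reply notes are already Samba defaults (redundant lines).
DEFAULTS = {"encrypt passwords": "yes", "passdb backend": "tdbsam"}
# idmap options only the 'ad' backend reads; the 'rid' backend ignores them.
AD_ONLY_IDMAP = ("schema_mode", "unix_nss_info")

def load_smb_conf(text):
    # smb.conf is INI-like, but option names contain ':' (idmap config) and
    # values may contain '%m', so only '=' may delimit and interpolation is off.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of names such as EXAMPLE
    cp.read_string(text)
    return cp

def lint(text):
    g = load_smb_conf(text)["global"]
    findings = []
    for key, default in DEFAULTS.items():
        if g.get(key, "").lower() == default:
            findings.append(f"{key} = {default} is the default; drop it")
    # Group "idmap config DOMAIN:option" by domain, then flag ad-only options on rid domains.
    idmap = {}
    for key, value in g.items():
        if key.startswith("idmap config") and ":" in key:
            dom, opt = (s.strip() for s in key[len("idmap config"):].split(":", 1))
            idmap.setdefault(dom, {})[opt] = value.strip().lower()
    for dom, opts in idmap.items():
        for opt in AD_ONLY_IDMAP:
            if opts.get("backend") == "rid" and opt in opts:
                findings.append(f"idmap config {dom}:{opt} is ignored by rid; drop it")
    return findings
```

On a real host, `testparm -s smb.conf` gives the same default-parameter check, since without `-v` it prints only non-default values.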