[Samba] Member server plus local accounts - can it be done?

Rowland Penny rpenny at samba.org
Mon Oct 28 09:20:34 UTC 2024


On Mon, 28 Oct 2024 09:51:33 +0100
lists--- via samba <samba at lists.samba.org> wrote:

> Good morning list,
> 
> due to several changes we have to move from a pure local-users
> scenario to a member server scenario for our "public" data servers
> ("public" in terms of "all members of the chair" and "all machines").
> 
> The member server is running; managing access via group memberships
> works. We can't add any account to the AD, as we are only a user of
> that AD, and accounts are only created for real persons and machines.
> 
> But we also have ancient systems that use a local user account from
> the data server to put data on it.
> So, is something like:
>          realm = REALM.TLD
>          security = ADS
>          server role = member server
>          username map = /etc/samba/user.map
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = REALM
>          idmap config REALM : backend = rid
>          idmap config REALM : range = 10000-9999999
>          idmap config * : backend = tdb
>          idmap config * : range = 3000-7999
> possible?

No ;-)

> I would then create the local user account with smbpasswd ...

No, that wouldn't work; it would have to create the user in AD to work,
and it will not do that.

Samba will need to know the user and the only way for Samba to know the
user is if the user is in AD.
Two ways out of this: allow the guest user to connect to the share, or
map your ancient user to an existing AD user.

Rowland
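
The two options named in the reply above, sketched as smb.conf fragments. This is an added example, not configuration from the thread: the share name, path, addresses, the local account `legacyupload` and the AD user `REALM\jdoe` are placeholders, and the reading of option B (the ancient system logs in with an existing AD user's credentials) is an assumption.

```ini
# --- Option A: guest access to one dedicated drop share ---------------------
[global]
    # A login whose user name Samba cannot resolve is treated as a guest
    # login; a wrong password for a known user is still rejected.
    map to guest = Bad User
    # Local Unix account that guest connections run as (placeholder;
    # it must exist on the member server and own the drop directory).
    guest account = legacyupload

[legacy-drop]
    path = /srv/legacy-drop
    guest ok = Yes
    read only = No
    # Guest access is unauthenticated, so limit it to the ancient systems'
    # addresses (placeholder addresses) and keep it off the other shares.
    hosts allow = 192.0.2.10 192.0.2.11
    create mask = 0640
    directory mask = 0750

# --- Option B: username map onto an existing AD user ------------------------
# [global] already contains, as in the question:
#     username map = /etc/samba/user.map
#
# /etc/samba/user.map is a separate file, one mapping per line:
#     unix_name = client_name
# On a domain member (security = ADS) smbd applies the map only after the
# domain controller has authenticated the login, and it matches the fully
# qualified name. A leading "!" stops processing at the first match.
#
#     !legacyupload = REALM\jdoe
#
# With this line, a session authenticated as REALM\jdoe runs as the local
# Unix account legacyupload, so existing file ownership keeps working.
```

`testparm -s` prints the configuration as Samba parses it, which is a quick check that the share ended up with the intended `guest ok` and `hosts allow` values before the ancient systems are pointed at it.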




