Aaron Clausen
2011-Sep-16 22:59 UTC
[Samba] Dual Authentication: Local and Active Directory
I was wondering if it was possible to get a Samba server that was acting as an AD member server to also be able to authenticate local users, or is it stuck just serving AD users?

--
Aaron Clausen
mightymartianca at gmail.com
Christopher Whitehead
2011-Sep-17 10:08 UTC
[Samba] Dual Authentication: Local and Active Directory
I was wondering the exact same thing. I hadn't messed with it a bunch, since I have just set up my first Samba-based PDC. Mainly just doing some testing and seeing how well Samba's implementation works as a DC.

This probably isn't the appropriate place, but BIG clap to the guys putting all the work into this project. I have been very impressed with what has been accomplished.

On Fri, Sep 16, 2011 at 5:59 PM, Aaron Clausen <mightymartianca at gmail.com> wrote:
> I was wondering if it was possible to get a Samba server that was
> acting as an AD member server to also be able to authenticate local
> users, or is it stuck just serving AD users?
>
> --
> Aaron Clausen
> mightymartianca at gmail.com
Robert Freeman-Day
2011-Sep-18 14:35 UTC
[Samba] Dual Authentication: Local and Active Directory
Yes, Linux should be able to auth local and AD users. You would need to make sure "/etc/nsswitch.conf" and your PAM modules are configured correctly. At the very least, nsswitch should look similar to this:

    passwd: compat winbind
    group: compat winbind
    shadow: compat winbind

PAM is a bit more complicated and you should read up on your distribution's documentation or really know what you are doing. However, if you are running RHEL/Fedora, you could get it going with one command (all on one line):

    authconfig --update --enablepamaccess --enablelocauthorize --enablekrb5 --enablewinbind --enablewinbindauth --enablewinbindoffline --enablemkhomedir

So, this command sets up PAM access with local authentication/authorization as well as AD kerberized authentication and AD winbind authorization. New users will have a home directory created and it allows the opening for cached "offline" logins for AD people.

Hope that gets you started,
Robert

On 09/16/2011 06:59 PM, Aaron Clausen wrote:
> I was wondering if it was possible to get a Samba server that was
> acting as an AD member server to also be able to authenticate local
> users, or is it stuck just serving AD users?

--
________
Robert Freeman-Day
https://launchpad.net/~presgas
GPG Public Key: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
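A way to check a host's nsswitch.conf against the passwd/group lines in the message above, as an added example that is not part of the original post or of Samba. It assumes the order shown there (local source first, then winbind) is the intended one; the function names and the two sample files are constructed for illustration.

```python
import re

LOCAL_SOURCES = {"files", "compat"}   # services that read /etc/passwd and /etc/group
REQUIRED_DBS = ("passwd", "group")    # databases that must resolve both kinds of account

def parse_nsswitch(text):
    """Return {database: [tokens]}; a token is a service or an action like [NOTFOUND=return]."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        # Keep bracketed action items whole, even if they contain spaces.
        table[db.strip()] = re.findall(r"\[[^\]]*\]|\S+", rest)
    return table

def check_dual_lookup(text):
    """Return findings; an empty list means local accounts resolve first, then winbind."""
    table = parse_nsswitch(text)
    findings = []
    for db in REQUIRED_DBS:
        tokens = [t.lower() for t in table.get(db, [])]
        services = [t for t in tokens if not t.startswith("[")]
        local = [s for s in services if s in LOCAL_SOURCES]
        if not local:
            findings.append(f"{db}: no local source (files/compat)")
        if "winbind" not in services:
            findings.append(f"{db}: winbind missing, AD accounts will not resolve")
            continue
        if local and services.index("winbind") < services.index(local[0]):
            findings.append(f"{db}: winbind is consulted before local accounts")
        # An action that returns on NOTFOUND ahead of winbind ends the lookup early.
        for t in tokens[:tokens.index("winbind")]:
            if t.startswith("[") and re.search(r"(?<!!)notfound\s*=\s*return", t):
                findings.append(f"{db}: {t} stops the lookup before winbind")
    return findings

# Constructed sample inputs (not taken from any real host).
GOOD = """passwd: compat winbind
group:  compat winbind
shadow: compat winbind
"""
BAD = """passwd: files [NOTFOUND=return] winbind   # AD users never reached
group:  winbind files
"""

print(check_dual_lookup(GOOD) or "ok", check_dual_lookup(BAD))
```

On a real host, pass the contents of /etc/nsswitch.conf to check_dual_lookup(); each finding names the database line to review.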
TAKAHASHI Motonobu
2011-Sep-18 15:01 UTC
[Samba] Dual Authentication: Local and Active Directory
From: Aaron Clausen <mightymartianca at gmail.com>
Date: Fri, 16 Sep 2011 15:59:32 -0700

> I was wondering if it was possible to get a Samba server that was
> acting as an AD member server to also be able to authenticate local
> users, or is it stuck just serving AD users?

You mean that you want to make the Samba server authenticate users stored in a local tdb file?

By specifying "SERVERNAME\Username" explicitly, an AD member server can authenticate its local users.

If you simply specify "Username", Samba 3.4.0 or later will authenticate as a local user by default; Samba 3.3.X or before will authenticate as an AD user. See the "map untrusted to domain" parameter for details.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
Christopher Whitehead
2011-Sep-18 17:22 UTC
[Samba] Dual Authentication: Local and Active Directory
Thanks for the help, both of you. I will attempt this a bit later and see how it turns out.

Chris

On Sun, Sep 18, 2011 at 10:01 AM, TAKAHASHI Motonobu <monyo at monyo.com> wrote:
> From: Aaron Clausen <mightymartianca at gmail.com>
> Date: Fri, 16 Sep 2011 15:59:32 -0700
>
> > I was wondering if it was possible to get a Samba server that was
> > acting as an AD member server to also be able to authenticate local
> > users, or is it stuck just serving AD users?
>
> You mean that you want to make the Samba server authenticate users stored
> in a local tdb file?
>
> By specifying "SERVERNAME\Username" explicitly, an AD member server can
> authenticate its local users.
>
> If you simply specify "Username", Samba 3.4.0 or later will authenticate
> as a local user by default; Samba 3.3.X or before will authenticate
> as an AD user. See the "map untrusted to domain" parameter for details.
>
> ---
> TAKAHASHI Motonobu <monyo at samba.gr.jp>