Stefan Midjich
2013-Jun-23 14:52 UTC
[Samba] Samba3 capable of AD auth. without matching Linux users?
My goal is to share a CIFS volume from Linux, to Windows clients, using
Samba 3.6 and only authenticate users over AD.
I do not want one local Linux user for each AD user, in other words. I want
all users connecting to CIFS to use one shared local user for FS
operations. So the CIFS share will be owned by one local user that all AD
users will use when they use the CIFS volume.
Is this possible in Samba 3.6?
I ask because I can't make heads nor tails of the documentation. I've
managed to piece together a winbind/krb5 configuration that allows me to do
the following.
* Get a Kerberos token from the Windows 2008 AD server (not R2)
* net ads join my Linux host into the Windows 2008 AD
* List users and groups in the AD using wbinfo, and getent -s winbind
But whenever I try to log in to my share from a Windows server in the same
AD, it says the user "is invalid on this system", unless I keep a local
user matching that same AD sAMAccountName as the user logging in.
Here is my current smb.conf
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = %h server
security = ads
allow trusted domains = no
local master = no
domain master = no
interfaces = eth0 10.221.111.51/24
bind interfaces only = yes
log level = 0 auth:10 smb:10
log file = /var/log/samba/log.%m
max log size = 1000
#syslog only = no
syslog = 0
load printers = no
printing = bsd
printcap name = /etc/printcap
# Bug #8676 workaround
idmap config * : backend = tdb
idmap config * : range = 2000-4999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-49999
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
encrypt passwords = yes
valid users = @"Domain Users"
[www]
comment = HTML share
path = /var/www/website.domain.local
# Was "valid users = share": a share-level "valid users" overrides the global one and
# is checked before "force user" applies, so only the local account "share" could connect.
# List the AD users/groups that may connect; "force user" below then maps them to "share".
valid users = @"Domain Users"
writable = yes
force user = share
force group = share
force directory mode = 0775
force create mode = 0664
Here is my current krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
ticket_lifetime = 24000
# The MIT/Heimdal option name is "clockskew"; "clock-skew" is silently ignored.
clockskew = 300
[realms]
DOMAIN.LOCAL = {
kdc = DC02.DOMAIN.LOCAL:88
admin_server = DC02.DOMAIN.LOCAL:464
default_domain = DOMAIN.LOCAL
}
[domain_realm]
# Entries map a DNS domain or host to a realm name, not to a KDC host.
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
There are several DCs, but I picked one because the docs I was reading made
it seem like you had to pick one for Kerberos.
The machine is using the DC DNS, so all domains involved here (all the DCs,
the machine's domain, the clients) can be resolved. Despite this, I have
added some domains to /etc/hosts.
127.0.0.1 webb04.domain.local webb04
10.221.111.51 webb04.domain.local webb04
10.221.111.16 DC02.DOMAIN.LOCAL DC02
10.221.111.10 DOMAIN.LOCAL
My /etc/resolv.conf reflects the AD setup in the network.
domain domain.local
search domain.local
nameserver 10.221.111.10
nameserver 10.221.111.16
With this configuration on Debian Wheezy I can run kinit to get a token
using an AD administrator account.
Then I can run net ads join -U Administrator and enter the same account's
password, to join the domain.
After that I can run wbinfo -u to list all users in the Windows AD servers.
I can also run getent -s winbind passwd username to see information for
that user like this.
stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false
Of course this is meta information, that user does not exist on my Linux
server. At least that is my understanding.
--
Hälsningar / Greetings
http://Stefan.Midjich.name
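As an added example (not from this thread or from Samba), a small Python checker that parses an smb.conf in the shape posted above and flags the two things worth reviewing in it: a share whose own "valid users" admits only the "force user" account, which rejects every AD user before "force user" can map them, and idmap ranges that overlap. The sample configuration embedded below is constructed from the posted one, not the poster's file.

```python
import re
import shlex

# Constructed sample, trimmed from the smb.conf posted above (not the poster's file verbatim).
SAMPLE_SMB_CONF = """[global]
security = ads
idmap config * : range = 2000-4999
idmap config DOMAIN : range = 10000-49999
winbind use default domain = yes
valid users = @"Domain Users"
[www]
valid users = share
force user = share
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised key: value}}; '#' and ';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def audit(sections):
    """Flag a share whose 'valid users' admits only its own 'force user' account (AD users are
    then rejected, because the valid-users check runs before force user applies), and idmap
    ranges that overlap (two different SIDs could be handed the same UID/GID)."""
    findings = []
    for name, p in sections.items():
        forced, valid = p.get("force user"), p.get("valid users")
        if name != "global" and forced and valid:
            # shlex keeps quoted names such as @"Domain Users" together; commas are separators
            allowed = {t.strip(",") for t in shlex.split(valid) if t.strip(",")}
            if allowed == {forced}:
                findings.append(f"[{name}] valid users admits only force user '{forced}'")
    ranges = [(m.group(1), *map(int, v.split("-")))
              for k, v in sections.get("global", {}).items()
              if (m := re.match(r"idmap config (.+?) : range$", k))]
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return findings
```

Running audit(parse_smb_conf(SAMPLE_SMB_CONF)) reports the [www] share; replacing its "valid users" with the AD group clears the finding.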
Stefan Midjich
2013-Jun-23 20:44 UTC
[Samba] Samba3 capable of AD auth. without matching Linux users?
I eventually got it working with the following configuration, in case any
googlers find it helpful. I wrote it all down here on this wiki
http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba
just so I would not forget until tomorrow. :) It's in Swedish but all the
configuration files are recognizable.
I'm not sure about many of the options, like idmap backend, so I will
investigate them in the morning when I write a proper installation manual,
just to remove things I don't need.
--
Hälsningar / Greetings
http://Stefan.Midjich.name