Mark Foley
2017-Nov-27 23:22 UTC
[Samba] How to use AD authentication for normal Samba file sharing
With help from kjhambrick at linuxquestions.org I did figure out how to authenticate from a Windows domain member to a samba share using AD credentials. My smb.conf is listed below. I was able to map the share from Windows using domain credentials and create a file on the share.

Here's my next challenge: All the UID.GIDs on the share (287G and +105K files) are currently the non-AD values of 1001.301. For the time being, I'd like to keep all files, and all newly created files, with this UID.GID.

How can I do this? On the "classic" samba share (not AD authentication) this was accomplished by:

guest account = ohprso # where ohprso's UID = 1001

I've seen the smb.conf setting:

!<server user> = <client user>

but I'm not sure that's appropriate in this case.

Is there such a mechanism for AD authenticated clients?

Thanks --Mark
my AD Authenticating smb.conf:
[global]
netbios name = OHPRSSTORAGE
server string = HPRS NAS server
domain master = no
prefered master = no
realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes # Do I need this?
usershare max shares = 10
security = ADS
template shell = /bin/bash
max log size = 10000
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
[public]
path = /mnt/RAID/public
hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/
veto oplock files = /OfficeCalendar.pst/
inherit acls = yes
valid users = @"domain users"
locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
-----Original Message-----
Date: Mon, 20 Nov 2017 15:21:40 -0500
To: samba at lists.samba.org
User-Agent: Heirloom mailx 12.5 7/5/10
Subject: [Samba] How to use AD authentication for normal Samba file sharing
From: Mark Foley via samba <samba at lists.samba.org>
I have a Linux host used for file sharing. Although I have a Samba4 AD/DC configured in the LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on this server does not require any ID or passwords from Windows client workstations. The current smb.conf is shown below; only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory authentication. That is, when the Windows user maps the shared drive, I would like it to authenticate with the domain credentials and not require the user to enter ID/PW on the Map Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member. What would I have to do to get Samba to authenticate the user's domain credentials?
My smb.conf:
[deleted]
Mark Foley
2017-Nov-28 05:08 UTC
[Samba] How to use AD authentication for normal Samba file sharing
I guess I'm answering my own questions on this thread!

I believe I've found the answer to my last issue on this. To my smb.conf (message below), add:

force user ohprso
force group ohprs

I've tested it and the Domain user 10001.10001 was able to create a file on the samba share as 1001.103.

If that seems wrong to anyone on this list, please advise. Even if it looks right, perhaps post a "Yes, that looks right", so I know these messages are making it to the list!

--Mark
-----Original Message-----
Date: Mon, 27 Nov 2017 18:22:47 -0500
Organization: Ohio Highway Patrol Retirement System
To: samba at lists.samba.org
Subject: Re: [Samba] How to use AD authentication for normal Samba file sharing
From: Mark Foley via samba <samba at lists.samba.org>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2017-Nov-28 08:51 UTC
[Samba] How to use AD authentication for normal Samba file sharing
See inline comments:

On Tue, 28 Nov 2017 00:08:42 -0500
Mark Foley via samba <samba at lists.samba.org> wrote:

> I guess I'm answering my own questions on this thread!
>
> I believe I've found the answer to my last issue on this. To my
> smb.conf (message below), add:
>
> force user ohprso
> force group ohprs
>
> I've tested it and the Domain user 10001.10001 was able to create a
> file on the samba share as 1001.103.

Of course this works, you are forcing everybody and every group to be just one user and just one group.

> If that seems wrong to anyone on this list, please advise. Even if it
> looks right, perhaps post a "Yes, that looks right", so I know these
> messages are making it to the list!
>
> --Mark
>
> -----Original Message-----
> Date: Mon, 27 Nov 2017 18:22:47 -0500
> Organization: Ohio Highway Patrol Retirement System
> To: samba at lists.samba.org
> Subject: Re: [Samba] How to use AD authentication for normal Samba file sharing
> From: Mark Foley via samba <samba at lists.samba.org>
>
> With help from kjhambrick at linuxquestions.org I did figure out how
> to authenticate from a Windows domain member to a samba share using AD
> credentials. My smb.conf is listed below. I was able to map the
> share from Windows using domain credentials and create a file on the
> share.
>
> Here's my next challenge: All the UID.GIDs on the share (287G and
> +105K files) are currently the non-AD values of 1001.301. For the
> time being, I'd like to keep all files, and all newly created files
> with this UID.GID.
>
> How can I do this? On the "classic" samba share (not AD
> authentication) this was accomplished by:
>
> guest account = ohprso # where ohprso's UID = 1001
>
> I've seen the smb.conf setting:
>
> !<server user> = <client user>

I have never seen such lines in smb.conf, it is a line from a user.map, e.g. !root = Administrator

> but I'm not sure that's appropriate in this case.
>
> Is there such a mechanism for AD authenticated clients?
>
> Thanks --Mark
>
> my AD Authenticating smb.conf:
>
> [global]
> netbios name = OHPRSSTORAGE
>
> server string = HPRS NAS server
>
> domain master = no
> prefered master = no
>
> realm = HPRS.LOCAL
> workgroup = HPRS
> usershare allow guests = Yes # Do I need this?

Do you use usershares ?

> usershare max shares = 10
> security = ADS
> template shell = /bin/bash
>
> max log size = 10000
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HPRS:backend = ad
> idmap config HPRS:schema_mode = rfc2307
> idmap config HPRS:range = 10000-10099
>
> winbind enum groups = Yes
> winbind enum users = Yes
> winbind nss info = rfc2307
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
>
> [public]
> path = /mnt/RAID/public
>
> hide dot files = yes
> map hidden = yes
> hide files = /Outlook/outlook/~*/
>
> veto oplock files = /OfficeCalendar.pst/
>
> inherit acls = yes
> valid users = @"domain users"
>
> locking = yes
> public = yes
> writeable = yes
> browseable= yes
> printable = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0771

Nice Unix domain member smb.conf you have got there, you might as well go the whole hog now and run 'net ads join -U Administrator' and have all the benefits of being a domain member, because what you have now is, for all intents and purposes, a Unix domain member.

Rowland
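The two identity questions in this thread (Mark's `force user`/`force group` fix and Rowland's remark that it maps every domain user to one Unix identity, plus the two `idmap config ... :range` lines in the posted smb.conf) can be checked mechanically. The script below is an added example, not code from the thread or from the Samba project. It parses a constructed sample built from the posted smb.conf (trimmed, with the `force user`/`force group` lines written in proper `key = value` form), reports per share whether all connecting users are collapsed to a single identity and whether guest access is on, verifies that the idmap ranges do not overlap (Samba requires disjoint ranges), and shows which range a given Unix ID falls into. The parser's synonym table and the trailing-comment stripping are this example's own conveniences; Samba itself only ignores whole comment lines, so in a real smb.conf put comments on their own line.

```python
"""Audit an smb.conf for settings that collapse or widen identity on a share.

Added example (not from the thread or the Samba project). It parses a
constructed sample built from the smb.conf posted in this thread and reports
force user/force group, guest access, idmap range overlap, and range lookup.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted smb.conf, trimmed, with the follow-up's
# 'force user'/'force group' lines added in 'key = value' syntax.
SAMPLE_SMB_CONF = """
[global]
   netbios name = OHPRSSTORAGE
   realm = HPRS.LOCAL
   workgroup = HPRS
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:schema_mode = rfc2307
   idmap config HPRS:range = 10000-10099
   winbind use default domain = Yes
[public]
   path = /mnt/RAID/public
   valid users = @"domain users"
   public = yes
   writeable = yes
   browseable= yes
   create mask = 0660
   force create mode = 0660
   directory mask = 0771
   force user = ohprso   # from the follow-up post; 'ohprso' is UID 1001
   force group = ohprs
"""

# Parameter names Samba treats as the same setting (subset used here).
SYNONYMS = {"public": "guest ok", "writable": "writeable", "write ok": "writeable"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {param: value}} with normalised parameter names."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        # Strip trailing '# ...' comments (a convenience; Samba only ignores
        # whole comment lines) and skip blank or comment-only lines.
        line = re.sub(r"\s+#.*$", "", raw).strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split())  # 'browseable= yes' -> 'browseable'
        m = re.fullmatch(r"(?i)idmap config (\S+):(\w+)", key)
        if m:  # keep the idmap domain name's case, lower-case the option
            key = f"idmap config {m.group(1)}:{m.group(2).lower()}"
        else:
            key = SYNONYMS.get(key.lower(), key.lower())
        sections[current][key] = value.strip()
    return sections


def idmap_ranges(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, int]]:
    """Collect (domain, low, high) from every 'idmap config DOM:range'."""
    ranges = []
    for key, value in conf.get("global", {}).items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    return ranges


def overlapping_ranges(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect (Samba rejects this)."""
    ranges = idmap_ranges(conf)
    found = []
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                found.append((d1, d2))
    return found


def range_for_id(conf: Dict[str, Dict[str, str]], unix_id: int) -> Optional[str]:
    """Idmap domain whose range contains unix_id; None means the ID is not
    winbind-allocated (e.g. a local /etc/passwd user such as UID 1001)."""
    for domain, lo, hi in idmap_ranges(conf):
        if lo <= unix_id <= hi:
            return domain
    return None


def audit_shares(conf: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per-share summary of the identity-relevant settings."""
    report: Dict[str, Dict[str, object]] = {}
    for name, params in conf.items():
        if name == "global":
            continue
        report[name] = {
            "force user": params.get("force user"),
            "force group": params.get("force group"),
            "guest ok": params.get("guest ok", "no").lower() in TRUE_VALUES,
            "valid users": params.get("valid users"),
            "writeable": params.get("writeable", "no").lower() in TRUE_VALUES,
            # True: every connecting user acts as one Unix user on disk
            "single identity": "force user" in params,
        }
    return report


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for share, info in audit_shares(conf).items():
        print(share, info)
    print("idmap overlaps:", overlapping_ranges(conf))
    print("UID 10001 maps via:", range_for_id(conf, 10001))
    print("UID 1001 maps via:", range_for_id(conf, 1001))
```

Run it as-is to see the [public] share flagged as a single-identity, guest-enabled, writeable share, the two idmap ranges reported as disjoint, UID 10001 placed in the HPRS range, and UID 1001 outside every range (it is the local ohprso account, which is why files created through `force user` do not carry a winbind-allocated owner).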