Younger Liu
2018-Jan-15 06:29 UTC
[Samba] the relationship between AD domain users and local users
Hi!
I have some doubts. I have an AD server and join samba server into AD. Configuration looks like as follows:
[global]
workgroup = ENAS
server string = SmbSrvVers
log file = /var/log/samba/log.%m
map to guest = bad user
max log size = 50
encrypt passwords = yes
security = domain
idmap config * : range = 16777216-33554431
winbind enum groups = yes
winbind enum users = yes
winbind separator = /
winbind use default domain = true
winbind offline logon = false
template shell = /bin/bash
template homedir = /home/%U
realm = ENAS.COM
netbios name = node0
....

NSS config:
...
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
...

1. Create a local samba user "testuser";
2. Create the same name AD user "testuser"
3. Add "testuser" in read list of one samba share.

On the client side, I only access samba share with AD user, rather than local user. Why?

How can I use local user to access samba share?

Best Regards!

Rowland Penny
2018-Jan-15 09:57 UTC
[Samba] the relationship between AD domain users and local users
On Mon, 15 Jan 2018 14:29:55 +0800 Younger Liu via samba <samba at lists.samba.org> wrote:

> Hi!
> I have some doubts. I have an AD server and join samba server into
> AD. Configuration looks like as follows:
> [global]
> workgroup = ENAS
> server string = SmbSrvVers
> log file = /var/log/samba/log.%m
> map to guest = bad user
> max log size = 50
> encrypt passwords = yes
> security = domain
> idmap config * : range = 16777216-33554431
> winbind enum groups = yes
> winbind enum users = yes
> winbind separator = /
> winbind use default domain = true
> winbind offline logon = false
> template shell = /bin/bash
> template homedir = /home/%U
> realm = ENAS.COM
> netbios name = node0
> ....
>
> NSS config:
> ...
> passwd: files winbind sss
> shadow: files winbind sss
> group: files winbind sss
> ...
>
> 1. Create a local samba user "testuser";
> 2. Create the same name AD user "testuser"
> 3. Add "testuser" in read list of one samba share.
>
> On the client side, I only access samba share with AD user, rather
> than local user. Why?
>
> How can I use local user to access samba share?
>
> Best Regards!

Doesn't anybody ever read the Samba wiki ?????

https://wiki.samba.org/index.php/Main_Page

Specifically:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Your smb.conf is so wrong, I find it hard to know where to start.

Let's start with, it isn't for a Unix AD domain member, the line 'security = domain' should be 'security = ads'

The 'idmap config' lines are not correct, there should be more of them.

You shouldn't use both 'winbind' and 'sssd', use one or the other. If you decide to go with 'sssd', then you will need to ask on the sssd-mailing, sssd is not part of Samba.

Not sure what you mean about a local user accessing the share, local users are outside the domain and, as such, are unknown to the domain and will be denied access.

Rowland
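
The three problems named in the reply above can be checked mechanically. The following is an added example, not part of the thread or of Samba: the function names are hypothetical, the sample input is constructed from the quoted configuration, and the idmap test assumes the usual layout of a default `*` backend plus per-domain lines, which the reply itself does not spell out.

```python
# Constructed sample inputs, reduced from the configuration quoted in the thread.
SMB_CONF = """\
[global]
workgroup = ENAS
security = domain
idmap config * : range = 16777216-33554431
realm = ENAS.COM
"""
NSSWITCH = """\
passwd: files winbind sss
shadow: files winbind sss
group: files winbind sss
"""

def parse_global(text):
    """Return the [global] parameters as a dict with lower-cased, space-normalised keys."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(smb_conf, nsswitch):
    """Return one finding per problem of the kinds named in the reply."""
    p, findings = parse_global(smb_conf), []
    if p.get("security", "").lower() != "ads":
        findings.append("security: expected 'ads' for an AD domain member")
    # Assumption: a complete setup has a default '*' backend and per-domain lines.
    idmap = [k for k in p if k.startswith("idmap config ")]
    domains = {k.split()[2] for k in idmap} - {"*"}
    if "idmap config * : backend" not in p or not domains:
        findings.append("idmap: incomplete (no default backend or no per-domain lines)")
    for line in nsswitch.splitlines():
        db, _, sources = line.partition(":")
        if {"winbind", "sss"} <= set(sources.split()):
            findings.append(f"nsswitch {db.strip()}: both winbind and sss listed")
    return findings

if __name__ == "__main__":
    for finding in check(SMB_CONF, NSSWITCH):
        print(finding)
```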