Hi, I have some doubts. I have joined a Samba server into an AD domain whose controller is Windows Server 2008 R2 Standard.

Reference documents:
https://wiki.samba.org/index.php/Main_Page
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

/etc/samba/smb.conf looks as follows:

    [global]
        workgroup = ENAS
        server string = SmbSrvVers
        log file = /var/log/samba/log.%m
        map to guest = bad user
        max log size = 50
        encrypt passwords = yes
        security = ADS
        winbind enum groups = yes
        winbind enum users = yes
        winbind separator = /
        winbind use default domain = true
        winbind offline logon = false
        template shell = /bin/bash
        template homedir = /home/%U
        idmap config * : range = 3000-7999
        idmap config ENAS : backend = ad
        idmap config ENAS : schema = template
        idmap config ENAS : range = 10000-99999
        realm = ENAS.COM
        netbios name = node0
        ....

/etc/nsswitch.conf:

    ...
    passwd: files winbind
    group:  files winbind
    ...

From the wiki:
"Keep the files entry as first source for both databases. This enables NSS to look up domain users and groups from the /etc/passwd and /etc/group files before querying the Winbind service."

But when I use the same user name in "passwd" as in the domain, the local user could not access the share directory. A domain user name (like "ENAS\testuser") could access the share directory.

Why does "files winbind" in nsswitch.conf not play a role?

Best Regards!
On Fri, 19 Jan 2018 17:49:42 +0800 Younger Liu via samba <samba at lists.samba.org> wrote:

> Hi,
> I have some doubts. I have joined a Samba server into an AD domain whose
> controller is Windows Server 2008 R2 Standard.
>
> From the wiki:
> Keep the files entry as first source for both databases. This enables
> NSS to look up domain users and groups from the /etc/passwd and
> /etc/group files before querying the Winbind service.
>
> But when I use the same user name in "passwd" as in the domain, the local
> user could not access the share directory. A domain user name (like
> "ENAS\testuser") could access the share directory.
> Why does "files winbind" in nsswitch.conf not play a role?

You are using the winbind 'ad' backend; have you added anything to the user's AD object (a uidNumber attribute, for instance)?

You also seem to be saying that you have users with the same name in /etc/passwd and AD. This is NOT allowed; the user should only be in AD.

What OS are you using?

Rowland
On Sat, 20 Jan 2018 17:22:32 +0800 Younger Liu <younger.liucn at gmail.com> wrote:

> 2018-01-19 18:11 GMT+08:00 Rowland Penny via samba
> > You are using the winbind 'ad' backend, have you added anything to
> > the user's AD object (a uidNumber attribute, for instance)?
> >
> > You also seem to be saying that you have users with the same name
> > in /etc/passwd and AD. This is NOT allowed; the user should only be
> > in AD.
>
> Yes, the local users in /etc/passwd have the same names as in the
> domain.
>
> I did not add anything to the users' AD objects.
> If local users do not have the same names as AD users, they can access
> the share directory.
>
> Only local users in /etc/passwd that have the same names as AD users
> (such as testuser) cannot access the share directory, but AD users
> (such as ENAS\testuser) can access the share directory. Why?
>
> As you say, the same name in /etc/passwd and AD is not allowed. Why?

Because the local user will always be found first and the AD user ignored.

You do not need users in /etc/passwd on a Unix domain member. You just make the AD users into Unix users by using the winbind 'ad' backend and ADDING a unique uidNumber attribute to the user and a gidNumber attribute to Domain Users, OR you can use the winbind 'rid' backend and you do not need to add anything to AD.

It is all explained here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
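A check that follows from Rowland's explanation, written as an added example and not taken from the thread: with "passwd: files winbind", NSS stops at the first match, so any /etc/passwd entry whose name also exists in AD silently masks the domain account. The script below lists such shadowed names. It uses constructed sample data in place of /etc/passwd and `wbinfo -u` output, and assumes `winbind separator = /` as in the original smb.conf (a backslash separator is handled too).

```shell
#!/bin/sh
# Added example (not the Samba project's code): report local accounts in
# /etc/passwd that shadow AD accounts returned by winbind.

# Constructed stand-in for /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
testuser:x:1001:1001::/home/testuser:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash'

# Constructed stand-in for `wbinfo -u`. With "winbind use default domain = true"
# names may appear without the ENAS/ prefix; the prefix is stripped either way.
SAMPLE_WBINFO='ENAS/testuser
ENAS/alice
ENAS/backup'

# shadowed_users PASSWD_TEXT WBINFO_TEXT
# Prints, one per line and in /etc/passwd order, every local user name that
# also exists in the domain list (i.e. the AD user NSS will never reach).
shadowed_users() {
    # Normalise "DOMAIN/user" and "DOMAIN\user" to the bare user name.
    domain_names=$(printf '%s\n' "$2" | tr '\\' '/' | sed 's#^[^/]*/##')
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r name; do
        # grep -x: whole-line match; -F: literal, so names are not regexes.
        if [ -n "$name" ] && printf '%s\n' "$domain_names" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# shadow_count PASSWD_TEXT WBINFO_TEXT -> number of shadowed names (0 is the goal)
shadow_count() {
    shadowed_users "$1" "$2" | grep -c .
}

# On a real domain member, feed the live sources instead of the samples:
#   shadowed_users "$(cat /etc/passwd)" "$(wbinfo -u)"
shadowed_users "$SAMPLE_PASSWD" "$SAMPLE_WBINFO"
```

Any name the script prints should be removed from /etc/passwd (or renamed) so the AD account is the one NSS resolves.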