谷雷
2019-Mar-07 09:13 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
Hi,

I configured my Samba to join an AD domain (security = ADS), using samba 4.7.1 on CentOS 7.5.

Everything went well; I can log in with an AD user and a local user at the same time.

But when the AD domain goes down, I cannot log in with a local user.

wbinfo -t prompts: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, and smbclient login fails with an NT_STATUS_NO_LOGON_SERVER error.

I looked at the debug messages and found that the auth method winbind breaks in auth_check_ntlm_password, and the sam_ignoredomain method is not tried.

Is there some way to make Samba authenticate with a Unix local user when the AD domain goes down?
Rowland Penny
2019-Mar-07 09:48 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
On Thu, 7 Mar 2019 17:13:36 +0800
谷雷 via samba <samba at lists.samba.org> wrote:

> Hi,
> I configured my Samba to join an AD domain (security = ADS), using
> samba 4.7.1 on CentOS 7.5.
>
> Everything went well; I can log in with an AD user and a local user
> at the same time.

Do you have the same users in AD as in /etc/passwd ?

> But when the AD domain goes down, I cannot log in with a local
> user.
>
> wbinfo -t prompts: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, and
> smbclient login fails with an NT_STATUS_NO_LOGON_SERVER error.
>
> I looked at the debug messages and found that the auth method winbind
> breaks in auth_check_ntlm_password, and the sam_ignoredomain
> method is not tried.
>
> Is there some way to make Samba authenticate with a Unix local user when
> the AD domain goes down?

It sort of depends how you are running Samba, can you post your smb.conf

Rowland
谷雷
2019-Mar-07 10:58 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
Hi,

My smb.conf is as below; my AD domain name is HIKAD1.

[global]
    browseable = no
    guest ok = no
    security = ADS
    map to guest = bad user
    # disable printers
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    encrypt passwords = yes
    winbind enum groups = yes
    winbind enum users = yes
    #acl check permissions = no
    #acl map full control = no
    create mask = 0775
    force create mode = 0775
    winbind use default domain = no
    winbind offline logon = false
    winbind nss info = template
    winbind cache time = 60
    template shell = /sbin/nologin
    template homedir = /var/naslocalhome
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HIKAD1 : backend = rid
    idmap config HIKAD1 : range = 100000-999999
    realm = HIKAD1.COM
    workgroup = HIKAD1
    netbios name = numb2

[gltest]
    comment =
    path = /hdcfs/gltest
    public = no
    writable = no
    valid users = "HIKAD1\aduser",gluser
    write list = "HIKAD1\aduser",gluser
    directory mask = 0755
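The two status codes quoted in the thread (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND from wbinfo -t, NT_STATUS_NO_LOGON_SERVER from smbclient) are the evidence that the logon was handed to winbind and never reached the local passdb. The script below is an added example, not code from the thread or from the Samba project: it runs the same checks on a domain-member host, reduces each tool's output to its NT_STATUS code and prints a one-line reading of it, so the state can be captured in one go when the DC is unreachable. It tries the local user both bare and qualified with the host's own netbios name so the two outcomes can be compared side by side. The host, share, domain and user names (numb2, gltest, HIKAD1, aduser, gluser) are taken from the posted smb.conf and are assumptions for any other host; passwords are read from the LOCAL_PASS and AD_PASS environment variables rather than typed on the command line.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: collect the
# winbind and smbclient status codes on a domain-member host whose
# local-user logons fail once the DC is unreachable.
# Assumed names (from the posted smb.conf): host numb2, share gltest,
# domain HIKAD1, AD user aduser, local user gluser.

# Map an NT_STATUS code to a short reading. Only the codes mentioned in
# the thread are interpreted; anything else is reported as-is. The
# canonical constant is NT_STATUS_NO_LOGON_SERVERS; the pattern also
# matches the spelling used in the thread.
diagnose_status() {
    case "$1" in
        NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
            echo "winbind could not find a DC for the domain (DC down, or DNS SRV lookup failing)" ;;
        NT_STATUS_NO_LOGON_SERVER*)
            echo "smbd routed the logon to winbind, which had no DC to forward it to" ;;
        NT_STATUS_OK)
            echo "succeeded" ;;
        *)
            echo "not interpreted here" ;;
    esac
}

# Pull the first NT_STATUS_* token out of captured tool output
# (empty string when there is none).
extract_status() {
    printf '%s\n' "$1" | grep -o 'NT_STATUS_[A-Z_]*' | head -n 1
}

# Run one command if it is installed, reduce its result to a status code
# and print the diagnosis. Always returns 0 so one failure does not stop
# the remaining checks.
run_check() {
    label=$1
    shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "$label: $1 not installed, skipped"
        return 0
    fi
    if out=$("$@" 2>&1); then
        code=NT_STATUS_OK
    else
        rc=$?
        code=$(extract_status "$out")
        [ -n "$code" ] || code="EXIT_$rc"
    fi
    echo "$label: $code ($(diagnose_status "$code"))"
    return 0
}

main() {
    share=${1:-//numb2/gltest}

    run_check "winbind trust secret (wbinfo -t)" wbinfo -t
    run_check "winbind DC ping (wbinfo -P)" wbinfo -P

    # smbclient reads the password from the PASSWD environment variable,
    # which keeps it out of the process list.
    if [ -n "${AD_PASS:-}" ]; then
        PASSWD=$AD_PASS; export PASSWD
        run_check "AD user via smbclient" smbclient "$share" -U 'HIKAD1\aduser' -c ls
    else
        echo "AD user check skipped: set AD_PASS to run it"
    fi

    if [ -n "${LOCAL_PASS:-}" ]; then
        PASSWD=$LOCAL_PASS; export PASSWD
        # Same local user, bare and host-qualified, for side-by-side comparison.
        run_check "local user, bare name" smbclient "$share" -U gluser -c ls
        run_check "local user, host-qualified" smbclient "$share" -U 'numb2\gluser' -c ls
    else
        echo "local user checks skipped: set LOCAL_PASS to run them"
    fi
    unset PASSWD
}

main "$@"
```

Run it once while the DC is up and once after it is stopped, and keep both outputs next to the smb.conf when reporting; the interesting line is the local-user one, since that is the logon that should not need a DC at all.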