谷雷
2019-Mar-07 10:58 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
Hi,

My smb.conf as below, my ad domain name is HIKAD1.

[global]
browseable = no
guest ok = no
security = ADS
map to guest = bad user
# disable printers
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
encrypt passwords = yes
winbind enum groups = yes
winbind enum users = yes
#acl check permissions = no
#acl map full control = no
create mask = 0775
force create mode = 0775
winbind use default domain = no
winbind offline logon = false
winbind nss info = template
winbind cache time = 60
template shell = /sbin/nologin
template homedir = /var/naslocalhome
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config HIKAD1 : backend = rid
idmap config HIKAD1 : range = 100000-999999
realm = HIKAD1.COM
workgroup = HIKAD1
netbios name = numb2

[gltest]
comment =
path = /hdcfs/gltest
public = no
writable = no
valid users = "HIKAD1\aduser",gluser
write list = "HIKAD1\aduser",gluser
directory mask = 0755
Rowland Penny
2019-Mar-07 11:31 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
On Thu, 7 Mar 2019 18:58:41 +0800 谷雷 <guleicarter at gmail.com> wrote:

> Hi,
>
> My smb.conf as below, my ad domain name is HIKAD1.
>
> [global]
> browseable = no
> guest ok = no
> security = ADS
> map to guest = bad user
> # disable printers
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
> encrypt passwords = yes
> winbind enum groups = yes
> winbind enum users = yes
> #acl check permissions = no
> #acl map full control = no
> create mask = 0775
> force create mode = 0775
> winbind use default domain = no
> winbind offline logon = false
> winbind nss info = template
> winbind cache time = 60
> template shell = /sbin/nologin
> template homedir = /var/naslocalhome
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config HIKAD1 : backend = rid
> idmap config HIKAD1 : range = 100000-999999
> realm = HIKAD1.COM
> workgroup = HIKAD1
> netbios name = numb2
>
> [gltest]
> comment =
> path = /hdcfs/gltest
> public = no
> writable = no
> valid users = "HIKAD1\aduser",gluser
> write list = "HIKAD1\aduser",gluser
> directory mask = 0755

Try changing 'winbind offline logon = false' to 'winbind offline logon = yes'. This will cache your logon credentials.

I also hope by 'unix local user' that you mean an AD user that has become a local user via Samba and not a user that exists in /etc/passwd.

Rowland
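An added example, not part of the thread or of Samba's own tooling: a small smb.conf reader that reports the 'winbind offline logon' setting and splits each share's 'valid users' list into domain-qualified and unqualified names, the two kinds of account this thread is about. The function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: a subset of the smb.conf posted in this thread.
SAMPLE_CONF = r"""
[global]
security = ADS
workgroup = HIKAD1
# disable printers
winbind offline logon = false
[gltest]
path = /hdcfs/gltest
valid users = "HIKAD1\aduser",gluser
"""

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # only the first '=' separates
            conf[section][norm(key)] = value.strip()
    return conf

def as_bool(value, default=False):
    # Boolean parameters accept yes/no, true/false and 1/0.
    return default if value is None else value.lower() in ("yes", "true", "1")

def accounts(value):
    # Split a user list on commas/whitespace, keeping quoted names whole.
    names = [q or b for q, b in re.findall(r'"([^"]*)"|([^,\s"]+)', value)]
    # Assumption: the default winbind separator "\" marks a domain account.
    return {"domain": [n for n in names if "\\" in n],
            "unqualified": [n for n in names if "\\" not in n]}

def review(conf):
    g = conf.get("global", {})
    return {"security": g.get("security", "").lower(),
            "offline_logon": as_bool(g.get("winbindofflinelogon")),
            "shares": {s: accounts(p["validusers"]) for s, p in conf.items()
                       if s != "global" and "validusers" in p}}
```
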
谷雷
2019-Mar-08 02:01 UTC
[Samba] When ad domain machine shutdown, samba can not auth with unix local user
Thanks a lot, I will try this.

What I mean by 'unix local user' is a Samba user in tdbsam.

And I have another question: can I set the sequence of auth methods when Samba is a domain member? I want to make Samba auth the Samba user first and, if that fails, then auth the AD user.