Hello all,

I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.

Since I installed and set up the AD DC, local user authentication for shares is not working anymore.

Before: Simple Samba shares with authentication against local Samba users -> worked
After: Only domain user authentication works.

The global section of smb.conf:

    [global]
    include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
    printcap name = cups
    winbind enum groups = yes
    include = /var/tmp/nginx/smb.netbios.aliases.conf
    workgroup = <MYDOMAIN>
    server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
    local master = no
    realm = <FQDN_IF_MYDOMAIN>
    netbios name = SYNOLOGY
    private dir = /var/packages/ActiveDirectoryServer/target/private
    server role = active directory domain controller
    printing = cups
    max protocol = SMB2
    winbind enum users = yes
    load printers = yes
    log level = 10

I am trying to mount a share like so from another Linux box (using both Linux and Windows boxes on the network):

    mount --verbose -t cifs -o user=MYUSER,ro //NAS_IP/Share ./localMountPath

which is prompting me for a passwd and then displaying:

    mount.cifs kernel mount options: ip=NAS_IP,unc=\\NAS_IP\Share,user=MYUSER,pass=********
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Checking out the logfiles on the Synology, I can see that apparently the (local) user is being mapped to the domain, and authenticated against the domain, which does not work because that user is not a domain user:

    auth_check_password_send: Checking password for unmapped user []\[MYUSER]@[10.8.0.10]
    auth_check_password_send: mapped user is: [MYDOMAIN]\[MYUSER]@[10.8.0.10]
    ../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327940, all 3, pid=17177]
    auth_check_password_async_trigger anonymous want_check [NT_STATUS_NOT_IMPLEMENTED]
    ../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327982, all 3, pid=17177]
    auth_check_password_async_trigger sam_ignoredomain want_check [NT_STATUS_OK]
    ../source4/auth/ntlm/auth_sam.c:63: [2019/05/19 10:24:30.328291, all 3, pid=17177]
    authsam_search_account sam_search_user: Couldn't find user [MYUSER] in samdb, under DC=MYDOMAIN,DC=DOMAIN,DC=TLD,DC=TLD
    ../source4/auth/ntlm/auth.c:388: [2019/05/19 10:24:30.328320, all 3, pid=17177]
    auth_check_password_async_trigger sam_ignoredomain check_password [NT_STATUS_NO_SUCH_USER]

How would I force Samba to authenticate against the local user db (which worked before setting up Samba as AD domain controller)?

I did try specifying the domain= option for the mount.cifs command (with values “.”, “localhost”, “NAS-Hostname”, “127.0.0.01”), all to no avail.

What am I missing? Appreciating any help!

best,
David
On Sun, 2019-05-19 at 10:27 +0200, David Puffer via samba wrote:
> Hello all,
>
> I have been breaking my head about this for several days now - what
> seems to be something “easy” to do (or at least I suppose others
> would also encounter this problem) simply does not work: I am running
> a Samba Active Directory Domain Controller on my Synology NAS.
> Since I installed and set up the AD DC, local user authentication for
> shares is not working anymore.
>
> Before: Simple Samba shares with authentication against local samba
> users -> worked
> After: Only domain user authentication works.

Perhaps the Synology NAS is not migrating the Samba users between the two modes? Samba uses a different password DB as an AD DC. You may need to re-create the users.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On 19/05/2019 09:27, David Puffer via samba wrote:
> Hello all,
>
> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.

How did you create the AD DC ?

Did you provision it ?

> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.

Define 'local user authentication'

> Before: Simple Samba shares with authentication against local samba users -> worked

Sounds like it was a standalone server

> After: Only domain user authentication works.

Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.

> The global section of smb.conf:
>
> [global]
> include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
> printcap name = cups
> winbind enum groups = yes
> include = /var/tmp/nginx/smb.netbios.aliases.conf
> workgroup = <MYDOMAIN>
> server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
> local master = no
> realm = <FQDN_IF_MYDOMAIN>
> netbios name = SYNOLOGY
> private dir = /var/packages/ActiveDirectoryServer/target/private
> server role = active directory domain controller
> printing = cups
> max protocol = SMB2
> winbind enum users = yes
> load printers = yes
> log level = 10

Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?

Are you aware that there is no network browsing with a Samba AD DC ?

Fix your smb.conf, understand that your users will now need to be stored in AD and you should get things to work.

Rowland
Hello Rowland,

thanks for your reply - please find my answers below:

> On 19.05.2019, at 10:59, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 19/05/2019 09:27, David Puffer via samba wrote:
>> Hello all,
>>
>> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
>
> How did you create the AD DC ?
>
> Did you provision it ?

This was done fully automatically by the Synology package install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.

>> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
>
> Define 'local user authentication'

Authentication of Samba users that correspond to local Linux system users (/etc/passwd).

>> Before: Simple Samba shares with authentication against local samba users -> worked
>
> Sounds like it was a standalone server

Yes exactly..

>> After: Only domain user authentication works.
>
> Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.

So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?

There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: Specifying the sequence of attempted authentication methods (in my case: local users first, then AD users).

Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication is describing the behavior I would like to use.

>> The global section of smb.conf:
>>
>> [global]
>> include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
>> printcap name = cups
>> winbind enum groups = yes
>> include = /var/tmp/nginx/smb.netbios.aliases.conf
>> workgroup = <MYDOMAIN>
>> server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
>> local master = no
>> realm = <FQDN_IF_MYDOMAIN>
>> netbios name = SYNOLOGY
>> private dir = /var/packages/ActiveDirectoryServer/target/private
>> server role = active directory domain controller
>> printing = cups
>> max protocol = SMB2
>> winbind enum users = yes
>> load printers = yes
>> log level = 10
>
> Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?

I haven’t, this file was auto-generated by the Synology NAS GUI.

> Are you aware that there is no network browsing with a Samba AD DC ?
>
> Fix your smb.conf, understand that your users will now need to be stored in AD and you should get things to work.
>
> Rowland
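Added by the editor as a worked example (not code from this thread, from the Synology package or from the Samba project): an offline triage script that reads the smb.conf and the level-3 auth lines quoted in the original post and spells out the situation the two replies describe, namely that on a server whose role is "active directory domain controller" the authentication source is the AD database (sam.ldb), so a name that Samba maps into the workgroup and cannot find there fails with NT_STATUS_NO_SUCH_USER regardless of any local passdb or /etc/passwd entry. The smb.conf and log excerpts embedded in it are constructed from the posted text, with the poster's angle-bracket placeholders replaced by the literal MYDOMAIN that appears in the log; the share path, mount point and client address are the ones from the post; the "include =" files are listed but not read, so anything they set is invisible to the check.

```python
"""Offline triage of the failure in this thread: a Samba server turned AD DC
rejects an account that only existed in the old local passdb.  Added by the
editor as an example; not code from the thread or from Samba."""
import re
from dataclasses import dataclass, field

# Constructed from the posted [global] section; the poster's <MYDOMAIN>
# placeholder is replaced by the literal MYDOMAIN seen in the log lines.
SMB_CONF = """\
[global]
include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
workgroup = MYDOMAIN
Server Role = active directory domain controller
"""

# Constructed from the level-3 auth lines quoted in the post (one header kept).
AUTH_LOG = r"""
auth_check_password_send: Checking password for unmapped user []\[MYUSER]@[10.8.0.10]
auth_check_password_send: mapped user is: [MYDOMAIN]\[MYUSER]@[10.8.0.10]
../source4/auth/ntlm/auth.c:369: [2019/05/19 10:24:30.327940, all 3, pid=17177]
auth_check_password_async_trigger anonymous want_check [NT_STATUS_NOT_IMPLEMENTED]
auth_check_password_async_trigger sam_ignoredomain want_check [NT_STATUS_OK]
authsam_search_account sam_search_user: Couldn't find user [MYUSER] in samdb, under DC=MYDOMAIN,DC=DOMAIN,DC=TLD,DC=TLD
auth_check_password_async_trigger sam_ignoredomain check_password [NT_STATUS_NO_SUCH_USER]
"""


def parse_smb_conf(text):
    """Minimal smb.conf reader: [sections], '#'/';' comments, parameter names
    normalised as Samba does (case/whitespace insensitive), last value wins.
    "include =" targets are collected under "_includes" but NOT read."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {"_includes": []})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            key, value = re.sub(r"\s+", "", key).lower(), value.strip()
            if key == "include":
                conf[section]["_includes"].append(value)
            else:
                conf[section][key] = value
    return conf


@dataclass
class AuthAttempt:
    """One password check as the source4 auth stack logs it at level 3."""
    user: str = ""
    client: str = ""
    requested_domain: str = ""   # "" when the client sent no domain
    mapped_domain: str = ""      # what Samba mapped that empty domain to
    modules: list = field(default_factory=list)   # (module, stage, NT status)
    samdb_miss: str = ""         # base DN searched when the account was absent

    @property
    def final_status(self):
        checks = [s for _, stage, s in self.modules if stage == "check_password"]
        return checks[-1] if checks else None


RX_UNMAPPED = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
RX_MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@")
RX_MODULE = re.compile(r"auth_check_password_async_trigger (\S+) (want_check|check_password) \[(NT_STATUS_\w+)\]")
RX_MISS = re.compile(r"Couldn't find user \[([^\]]*)\] in samdb, under (\S+)")


def parse_auth_log(text):
    """Group auth lines into attempts; a new one starts at each 'unmapped user'
    line, and header/timestamp lines match nothing so they are skipped."""
    attempts, cur = [], None
    for line in text.splitlines():
        if m := RX_UNMAPPED.search(line):
            cur = AuthAttempt(requested_domain=m[1], user=m[2], client=m[3])
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := RX_MAPPED.search(line):
            cur.mapped_domain = m[1]
        elif m := RX_MODULE.search(line):
            cur.modules.append((m[1], m[2], m[3]))
        elif m := RX_MISS.search(line):
            cur.samdb_miss = m[2]
    return attempts


def diagnose(conf, attempt):
    """On an AD DC the account source is the AD database (sam.ldb), not the
    standalone-era passdb, so NO_SUCH_USER for a workgroup-mapped name means
    the account does not exist in AD."""
    g = conf.get("global", {})
    role, wg = g.get("serverrole", "auto").lower(), g.get("workgroup", "")
    if role != "active directory domain controller":
        return f"server role {role!r} is not an AD DC; local passdb accounts may still apply"
    if attempt.final_status == "NT_STATUS_NO_SUCH_USER" and attempt.mapped_domain.upper() == wg.upper():
        return (f"AD DC: {attempt.user!r} from {attempt.client} was mapped to {wg}\\{attempt.user} "
                f"and not found under {attempt.samdb_miss}; the account must exist in AD")
    return f"AD DC: {attempt.mapped_domain}\\{attempt.user} ended with {attempt.final_status}"


def fix_commands(conf, attempt, share="//NAS_IP/Share", mountpoint="./localMountPath"):
    """Next steps on the DC and the client (share and mount point are assumed
    from the post).  samba-tool prompts for a new AD password; give that to mount."""
    wg = conf["global"]["workgroup"]
    return [f"samba-tool user create {attempt.user}", "samba-tool user list",
            f"mount -t cifs -o user={attempt.user},domain={wg},ro {share} {mountpoint}"]


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for attempt in parse_auth_log(AUTH_LOG):
        print(diagnose(conf, attempt))
        print("\n".join(fix_commands(conf, attempt)))
```

Two caveats when acting on the output. The password that mount.cifs must be given is the one set when the account is created in AD; as Andrew notes above, the AD DC keeps a different password database, so the standalone-era credentials are not carried over. And the `auth_check_password_*` lines the script reads are emitted at debug level 3, so `log level = 3` is enough for this kind of triage; `log level = 10`, as in the posted configuration, is far more verbose and not something to leave enabled.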