Ralph Boehme
2024-Oct-28 09:13 UTC
[Samba] Member server plus local accounts - can it be done?
On 10/28/24 9:51 AM, lists--- via samba wrote:
> But we also have ancient systems, that use a local user account from the
> dataserver to put data on it.
> So, is something like:
>         realm = REALM.TLD
>         security = ADS
>         server role = member server
>         username map = /etc/samba/user.map
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         workgroup = REALM
>         idmap config REALM : backend = rid
>         idmap config REALM : range = 10000-9999999
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
> possible?
> I would then create the local user account with smbpasswd ...

yes. As you're using "winbind use default domain" I guess those local users will have to authenticate with the local SAM name as prefix ("${netbiosname}\username"), otherwise they will be treated as REALM users and REALM doesn't know about them.

Or the other way around, remove "winbind use default domain = Yes", but then domain users must specify the domain prefix. You'll have to die one death...

-slow

--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
Rowland Penny
2024-Oct-28 10:21 UTC
[Samba] Member server plus local accounts - can it be done?
On Mon, 28 Oct 2024 10:13:53 +0100 Ralph Boehme via samba <samba at lists.samba.org> wrote:
> On 10/28/24 9:51 AM, lists--- via samba wrote:
> > But we also have ancient systems, that use a local user account from
> > the dataserver to put data on it.
> > So, is something like:
> >         realm = REALM.TLD
> >         security = ADS
> >         server role = member server
> >         username map = /etc/samba/user.map
> >         winbind refresh tickets = Yes
> >         winbind use default domain = Yes
> >         workgroup = REALM
> >         idmap config REALM : backend = rid
> >         idmap config REALM : range = 10000-9999999
> >         idmap config * : backend = tdb
> >         idmap config * : range = 3000-7999
> > possible?
> > I would then create the local user account with smbpasswd ...
>
> yes. As you're using "winbind use default domain" I guess those local
> users will have to authenticate with the local SAM name as prefix
> ("${netbiosname}\username"), otherwise they will be treated as REALM
> users and REALM doesn't know about them.

Never thought about it that way, but yes it works.

> Or the other way around, remove "winbind use default domain = Yes",
> but then domain users must specify the domain prefix. You'll have to
> die one death...

But that doesn't, well it does and it doesn't. Without 'winbind use default domain' in smb.conf on the server, this happens:

rowland at devstation:~$ smbclient //rocky9/data -U rowland%xxxxxxxxxxxxxxxxxxxxx
Try "help" to get a list of possible commands.
smb: \>

rowland at devstation:~$ smbclient //rocky9/data -U SAMDOM\\rowland%xxxxxxxxxxxxxxxxxxxxx
Try "help" to get a list of possible commands.
smb: \>

So it seems that I do not require the NetBIOS domain name to login via smbclient, but trying to login to the server via the GUI (gdm) it is required.

Rowland
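The member-server smb.conf quoted in the thread, run through a small Python checker. This is an added example, not code from the thread or from Samba: it parses the [global] section (the "[global]" header is assumed, the mail omitted it), confirms the two idmap ranges are disjoint as winbind requires, and flags the point Ralph makes, that with "winbind use default domain = Yes" bare user names resolve to the workgroup REALM, so local SAM accounts must log in with the NETBIOS\user prefix.

```python
import re

# Constructed sample: the config quoted in the thread, plus the [global] header the mail omitted.
SMB_CONF = """[global]
        realm = REALM.TLD
        security = ADS
        server role = member server
        username map = /etc/samba/user.map
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        workgroup = REALM
        idmap config REALM : backend = rid
        idmap config REALM : range = 10000-9999999
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
"""

def parse_global(text):
    """Return [global] parameters as a dict; keys lower-cased, ' : ' collapsed to ':'."""
    params, section = {}, None
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # smb.conf comments start with # or ;
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'global' and '=' in line:
            key, value = line.split('=', 1)
            params[re.sub(r'\s*:\s*', ':', key.strip().lower())] = value.strip()
    return params

def idmap_ranges(params):
    """Map each idmap domain (lower-cased; '*' is the default backend) to its (low, high) range."""
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r'idmap config (\S+):range', key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split('-'))
    return ranges

def overlapping(ranges):
    """Pairs of idmap domains whose ID ranges intersect; winbind requires them to be disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check(text):
    """Findings for the member-server config discussed in the thread."""
    params = parse_global(text)
    findings = [f"idmap ranges '{a}' and '{b}' overlap" for a, b in overlapping(idmap_ranges(params))]
    if params.get('winbind use default domain', 'no').lower() in ('yes', 'true', '1'):
        findings.append(f"bare user names resolve to {params.get('workgroup', '?')}; local SAM accounts must log in as NETBIOS\\user")
    return findings
```

For the config as posted, check(SMB_CONF) reports only the default-domain note; widen the '*' range to 3000-20000 and it also reports the overlap with REALM.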