
Re: [Samba] Users and groups on member server without ssh




On Wed, 27 Sep 2017 15:46:42 +0200
Daniel Carrasco via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> I've a member server that is working fine as a shared folder server (all
> shares and their permissions work). My problem is that when I add the
> nsswitch winbind entries then the server uses the DC to authenticate
> even when I use ssh, so if the Samba DC server fails I have problems
> logging in to the member server.
> 
> My nsswitch:
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 
> 
> And my smb.conf:
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config DOMAIN:backend = rid
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
> 
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
> 
> Is there any way to avoid that authentication method and use only the
> local one? (I use tools like setfacl to change permissions so I need
> access to domain users/groups).
> 
> Thanks and greetings!!
> 

Try adding 'winbind offline logon = yes'; this will allow
authentication even when the DC cannot be reached.

I would also remove the 'winbind enum' lines. You do not need them;
they only really allow the printing of all the users and groups.

Rowland
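
The check below is an added example, not code from either poster or from the Samba project. It parses the [global] section of an smb.conf and reports the two points raised in the reply; the function names and the shortened sample config are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the [global] section quoted above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
idmap config DOMAIN:backend = rid
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
"""

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)


def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def check_member_server(text):
    """Hypothetical helper: list findings matching the advice in the reply."""
    params = parse_global(text)
    findings = []
    if params.get("winbindofflinelogon", "no").lower() not in TRUE_VALUES:
        findings.append("winbind offline logon is not enabled")
    for key, label in (("winbindenumusers", "winbind enum users"),
                       ("winbindenumgroups", "winbind enum groups")):
        if params.get(key, "no").lower() in TRUE_VALUES:
            findings.append(f"{label} is enabled and can be removed")
    return findings


if __name__ == "__main__":
    for finding in check_member_server(SAMPLE_SMB_CONF):
        print(finding)
```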
