
Re: [Samba] Authenticating AD users and Local users




On Mon, 18 Feb 2019 14:35:38 +0000
"Paquin, Brian" <brian.paquin@xxxxxxxx> wrote:

> Thank you for replying!
> I can login with my Active Directory credentials, but I can’t login
> using the local CentOS “svc_dictations” account. I created the local
> account using “adduser”, “smbpasswd”, and then updating my
> smb.conf file (below).
> 
> Thank you,
> 
> Brian
> 
> [global]
>    workgroup = YALE
>    password server = ad1.yu.yale.edu ad2.yu.yale.edu

You shouldn't set 'password server'; you should allow Samba to find
them.
 
>    realm = YU.YALE.EDU
>    security = ads
>    idmap config * : range = 16777216-33554431
>    template shell = /sbin/nologin
>    kerberos method = system keytab
>    winbind use default domain = true
>    winbind offline logon = true
> 
> idmap config YU:schema_mode = rfc2307

Remove the line above

> idmap config YU:range = 100000-199999
> idmap config YU:backend = rid

'YU' is not your workgroup, so change it in the two lines above to
'YALE'

> idmap config * : range = 16777216-33554431

You have the above line twice.

> idmap * : backend = tbd
> dedicated keytab file = /etc/krb5.keytab
> log level = 4
> guest account = nobody
> guest ok = no
> log file = /var/log/samba/log.%m
> 
> printing = cups
> printcap name = cups
> load printers = yes
> cups options = raw
> store dos attributes = yes
> vfs objects = acl_xattr
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> 
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> 
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @printadmin root
> force group = @printadmin
> create mask = 0664
> directory mask = 0775
> 
> [testshare]
> comment = testshare
> path = /testshare
> valid users = @pathology_its svc_dictations
> writable = yes
> read only = No

OK, you created 'svc_dictations' as a local Unix user with 'adduser'
and then ran 'smbpasswd' to make it a Samba user.
This is so wrong, mainly because it is the old way of doing things. You
will need to delete 'svc_dictations' as a Unix user and then create it
as an AD user.
On a Samba Unix domain member, a local Unix user is always just that, a
local user who can log into the computer directly, but is unknown to
AD. Samba takes AD users and extends them to be Unix users as well.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
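The following is an added example, not part of this thread and not Samba code. It is a small Python lint that applies Rowland's points to an embedded, abbreviated copy of the posted [global] section: 'password server' set, the same 'idmap config * : range' line twice, 'idmap config' keyed on 'YU' rather than the workgroup 'YALE', and 'schema_mode' used with the rid backend. It also flags the posted 'idmap * : backend' line, which is not a parameter form Samba recognises (my own addition; Rowland did not raise it). The FIXED_SMB_CONF fragment is my reconstruction of the corrected [global]; spelling the default-domain backend as 'tdb' is an assumption about what 'tbd' was meant to be.

```python
"""Lint an smb.conf [global] section for the domain-member mistakes raised
in the thread. Added example; not Samba's own code."""
import re

# Constructed sample that mirrors the posted configuration (abbreviated).
POSTED_SMB_CONF = """\
[global]
   workgroup = YALE
   password server = ad1.yu.yale.edu ad2.yu.yale.edu
   realm = YU.YALE.EDU
   security = ads
   idmap config * : range = 16777216-33554431
   winbind use default domain = true
   idmap config YU:schema_mode = rfc2307
   idmap config YU:range = 100000-199999
   idmap config YU:backend = rid
   idmap config * : range = 16777216-33554431
   idmap * : backend = tbd

[testshare]
   path = /testshare
   valid users = @pathology_its svc_dictations
"""

# Same [global] with the fixes applied. Assumption: the default-domain
# backend is 'tdb', which is presumably what 'tbd' was meant to be.
FIXED_SMB_CONF = """\
[global]
   workgroup = YALE
   realm = YU.YALE.EDU
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431
   idmap config YALE : backend = rid
   idmap config YALE : range = 100000-199999
   winbind use default domain = true
"""


def parse_smb_conf(text):
    """Return (section, key, value) triples in file order.

    Keys are lower-cased and whitespace-normalised so that
    'idmap config YU:range' and 'idmap config yu : range' compare equal.
    Duplicates are kept; a dict-based parser would silently merge them.
    """
    section = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
        entries.append((section, key, value.strip()))
    return entries


def lint_global(text):
    """Return a list of findings for the [global] section (empty = clean)."""
    values = {}
    for section, key, value in parse_smb_conf(text):
        if section == "global":
            values.setdefault(key, []).append(value)

    findings = []
    workgroup = values.get("workgroup", [""])[0].lower()

    if "password server" in values:
        findings.append("'password server' is set; remove it and let winbind locate the DCs")

    for key, seen in values.items():
        if len(seen) > 1:
            findings.append(f"'{key}' appears {len(seen)} times")

    domains_seen = set()
    for key in values:
        m = re.fullmatch(r"idmap config ([^:]+):(.+)", key)
        if m is None:
            # e.g. 'idmap *:backend': not the 'idmap config DOMAIN : option' form
            if key.startswith("idmap ") and not key.startswith("idmap config "):
                findings.append(f"'{key}' is not a Samba parameter; use 'idmap config DOMAIN : option'")
            continue
        domain, option = m.groups()
        if domain != "*" and domain != workgroup and domain not in domains_seen:
            domains_seen.add(domain)
            findings.append(f"idmap config domain '{domain}' does not match workgroup '{workgroup}'")
        if option == "schema_mode":
            backend = values.get(f"idmap config {domain}:backend", [""])[0]
            if backend != "ad":
                findings.append(f"'schema_mode' only applies to the ad backend; '{domain}' uses '{backend or 'unset'}'")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        result = lint_global(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Running it reports five findings for the posted [global] and none for the corrected one. The lint only looks at smb.conf; it cannot tell that 'svc_dictations' in 'valid users' is a local Unix account rather than an AD user, which is the actual cause of the failed login and has to be checked on the host (for example with getent against the domain once the account exists in AD).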