
Re: [Samba] Samba as AD controller and local auth




On 19/05/2019 10:09, David Puffer via samba wrote:
> Hello Rowland, thanks for your reply - please find my answers below:
>
> On 19.05.2019, at 10:59, Rowland penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> On 19/05/2019 09:27, David Puffer via samba wrote:
>>> Hello all,
>>>
>>> I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
>> How did you create the AD DC ?
>>
>> Did you provision it ?
> This was done fully automatically by the Synology package install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.

So Synology must have scripted the provision.

>>> Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
>> Define 'local user authentication'
> Authentication of samba users that correspond to local Linux system users (/etc/passwd).

You do not have the same users in /etc/passwd and AD any more, but, on a Samba DC, all users in AD should be known to the OS, provided nsswitch.conf is set up correctly.

>>> Before: Simple Samba shares with authentication against local samba users -> worked
>> Sounds like it was a standalone server
> Yes, exactly.
>
>>> After: Only domain user authentication works.
>> Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.
> So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?

Not from Samba, you need to add any local users to AD that you want to connect to shares and remove them from /etc/passwd.

>>> There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: specifying the sequence of attempted authentication methods (in my case: local users first, then AD users).
>>>
>>> Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication
>>> is describing the behavior I would like to use.
>> You could try it, but that was written quite some time ago and I don't think it will work.
>>
>>> The global section of smb.conf:
>>>
>>> [global]
>>> 	include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
>>> 	printcap name = cups
>>> 	winbind enum groups = yes
>>> 	include = /var/tmp/nginx/smb.netbios.aliases.conf
>>> 	workgroup = <MYDOMAIN>
>>> 	server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
>>> 	local master = no
>>> 	realm = <FQDN_IF_MYDOMAIN>
>>> 	netbios name = SYNOLOGY
>>> 	private dir = /var/packages/ActiveDirectoryServer/target/private
>>> 	server role = active directory domain controller
>>> 	printing = cups
>>> 	max protocol = SMB2
>>> 	winbind enum users = yes
>>> 	load printers = yes
>>> 	log level = 10
>> Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?
> I haven't, this file was auto-generated by the Synology NAS GUI.

Then, in my opinion, Synology has mangled it ;-)

Rowland
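The advice in this thread boils down to two checks on a box that has just become a Samba AD DC: nsswitch.conf must hand passwd/group lookups to winbind so AD users are known to the OS, and any account still in /etc/passwd that has also been created in AD must be removed from /etc/passwd. The script below is an added example, not code from the thread, from Samba or from Synology. It takes file paths as arguments so it runs offline on constructed sample input; on a real DC the AD user list would be produced by `samba-tool user list` (assumed usage, not shown in the thread), and the `demo` function and its sample files are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or Synology): sanity checks for
# a host that has become a Samba AD DC and lost local share authentication.
set -u

# Return 0 if smb.conf declares the AD DC role. In that role, as the thread
# explains, users in /etc/passwd will no longer authenticate to shares.
smbconf_is_ad_dc() {
    grep -Eiq '^[[:space:]]*server[[:space:]]+role[[:space:]]*=[[:space:]]*active directory domain controller' "$1"
}

# Return 0 if both the passwd and group lines of nsswitch.conf consult winbind,
# which is what makes AD users visible to the OS (getent passwd, file ownership).
nsswitch_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Print, one per line, usernames present both in a passwd file ($1) and in an
# AD user list ($2, one name per line): the accounts to remove from /etc/passwd
# now that they exist in AD.
duplicate_users() {
    d=$(mktemp -d) || return 1
    cut -d: -f1 "$1" | sort -u > "$d/local"
    sort -u "$2" > "$d/ad"
    comm -12 "$d/local" "$d/ad"
    rm -rf "$d"
}

# Stand-alone run on constructed sample files (not real system data).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
EOF
    cat > "$d/nsswitch.conf" <<'EOF'
passwd: files
group:  files
EOF
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
EOF
    printf 'alice\ncarol\n' > "$d/adusers"   # constructed AD user list

    if smbconf_is_ad_dc "$d/smb.conf"; then
        echo "smb.conf: AD DC role, local share users will not authenticate"
    fi
    if ! nsswitch_has_winbind "$d/nsswitch.conf"; then
        echo "nsswitch.conf: passwd/group do not consult winbind"
    fi
    dups=$(duplicate_users "$d/passwd" "$d/adusers")
    if [ -n "$dups" ]; then
        echo "remove from /etc/passwd (already in AD): $dups"
    fi
    rm -rf "$d"
}

demo
```

On the sample input the script reports all three findings: the AD DC role, a nsswitch.conf without winbind, and `alice` present in both /etc/passwd and AD. Run it against the real `/etc/samba/smb.conf`, `/etc/nsswitch.conf`, `/etc/passwd` and a freshly generated AD user list to get the same report for a live DC.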