Re: [Samba] Samba as AD controller and local auth
- Date: Sun, 19 May 2019 10:23:44 +0100
- From: Rowland penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba as AD controller and local auth
On 19/05/2019 10:09, David Puffer via samba wrote:
Hello Rowland, thanks for your reply - please find my answers below:
On 19.05.2019, at 10:59, Rowland penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
On 19/05/2019 09:27, David Puffer via samba wrote:
I have been breaking my head about this for several days now - what seems to be something “easy” to do (or at least I suppose others would also encounter this problem) simply does not work: I am running a Samba Active Directory Domain Controller on my Synology NAS.
How did you create the AD DC ?
Did you provision it ?
This was done fully automatically by the Synology package install for Samba AD. There was no manual work involved, other than me creating the AD domain and users.
So synology must have scripted the provision.
You do not have the same users in /etc/passwd and AD any more, but, on a
Samba DC, all users in AD should be known to the OS, provided
nsswitch.conf is set up correctly.
Since I installed and set up the AD DC, local user authentication for shares is not working anymore.
Define 'local user authentication'
Authentication of samba users that correspond to local Linux system users (/etc/passwd).
Not from Samba, you need to add any local users to AD that you want to
connect to shares and remove them from /etc/passwd.
Before: Simple Samba shares with authentication against local samba users -> worked
Sounds like it was a standalone server
After: Only domain user authentication works.
Now here is the thing, it is now an AD DC, so any user that connects will need to be a Domain user.
So you are saying, once turned into an AD DC, it is not possible to authenticate server-local users anymore?
You could try it, but that was written quite some time ago and I don't
think it will work.
There is an undocumented option for smb.conf (auth methods), which seems to make the behavior I would like possible: Specifying the sequence of attempted authentication methods (in my case: local users first, then AD users).
Also, this post here: https://serverfault.com/questions/365257/how-do-i-configure-samba-to-use-ads-smbpasswd-authentication
is describing the behavior I would like to use.
The global section of smb.conf:
include = /var/packages/ActiveDirectoryServer/conf/etc/smb.tls.conf
printcap name = cups
winbind enum groups = yes
include = /var/tmp/nginx/smb.netbios.aliases.conf
workgroup = <MYDOMAIN>
server services = rpc,nbt,wrepl,ldap,cldap,kdc,drepl,ntp_signd,kcc,dnsupdate
local master = no
realm = <FQDN_IF_MYDOMAIN>
netbios name = SYNOLOGY
private dir = /var/packages/ActiveDirectoryServer/target/private
server role = active directory domain controller
printing = cups
max protocol = SMB2
winbind enum users = yes
load printers = yes
log level = 10
Why have you mangled your smb.conf, for instance, what is in 'smb.netbios.aliases.conf' ?
I haven’t, this file was auto-generated by the Synology NAS GUI.
Then, in my opinion, Synology has mangled it ;-)
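A quick way to verify the nsswitch.conf point Rowland makes above (the OS on a Samba DC must resolve AD users through winbind). This is an added check script, not from the thread or from Samba; the two sample nsswitch.conf files it writes are constructed.

```shell
#!/bin/sh
# Added example: confirm nsswitch.conf lets the OS resolve AD users via winbind.

# Return 0 when both the passwd and group databases in the given nsswitch.conf
# list the winbind source, 1 otherwise (printing what is missing).
check_nsswitch() {
    conf="$1"
    rc=0
    for db in passwd group; do
        # Take the "db:" line, drop the prefix, strip trailing comments, normalise tabs.
        sources=$(sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" "$conf" \
                  | sed 's/#.*//' | tr '\t' ' ')
        case " $sources " in
            *" winbind "*) ;;
            *) echo "nsswitch.conf: '$db' line lacks winbind (have: '$sources')"; rc=1 ;;
        esac
    done
    return $rc
}

# Once nsswitch is right, an AD user should resolve through the OS itself,
# e.g. getent passwd 'MYDOMAIN\alice' (MYDOMAIN/alice are placeholders).
user_known_to_os() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed sample configs (not real hosts): one correct, one missing winbind.
GOOD_CONF=$(mktemp)
printf 'passwd:\tfiles winbind\ngroup:\tfiles winbind\nhosts: files dns\n' > "$GOOD_CONF"
BAD_CONF=$(mktemp)
printf 'passwd: files   # winbind not added\ngroup: files\n' > "$BAD_CONF"

# Demo run on the correct sample; pass a real path to check a live DC instead.
if check_nsswitch "$GOOD_CONF"; then
    echo "sample config OK: passwd and group both use winbind"
fi
```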