[Samba] Samba3 capable of AD auth. without matching Linux users?
My goal is to share a CIFS volume from Linux to Windows clients, using Samba 3.6, and only authenticate users over AD. I do not want one local Linux user for each AD user, in other words. I want all users connecting to CIFS to use one shared local user for FS operations. So the CIFS share will be owned by one local user that all AD users will use when they use the CIFS volume.

Is this possible in Samba 3.6? I ask because I can't make heads or tails of the documentation.

I've managed to piece together a winbind/krb5 configuration that allows me to do the following.

  * Get a Kerberos token from the Windows 2008 AD server (not R2)
  * net ads join my Linux host into the Windows 2008 AD
  * List users and groups in the AD using wbinfo, and getent -s winbind

But whenever I try to log in to my share from a Windows server in the same AD, it says the user is invalid on this system. Unless I keep a local user matching the same AD sAMAccountName as the user logging in.

Here is my current smb.conf:

  [global]
  workgroup = DOMAIN
  realm = DOMAIN.LOCAL
  server string = %h server
  security = ads
  allow trusted domains = no
  local master = no
  domain master = no
  interfaces = eth0 10.221.111.51/24
  bind interfaces only = yes
  log level = 0 auth:10 smb:10
  log file = /var/log/samba/log.%m
  max log size = 1000
  #syslog only = no
  syslog = 0
  load printers = no
  printing = bsd
  printcap name = /etc/printcap
  # Bug #8676 workaround
  idmap config * : backend = tdb
  idmap config * : range = 2000-4999
  idmap config DOMAIN : backend = rid
  idmap config DOMAIN : range = 1-4
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  encrypt passwords = yes
  valid users = @Domain Users

  [www]
  comment = HTML share
  path = /var/www/website.domain.local
  valid users = share
  writable = yes
  force user = share
  force group = share
  force directory mode = 0775
  force create mode = 0664

Here is my current krb5.conf:

  [libdefaults]
  default_realm = DOMAIN.LOCAL
  ticket_lifetime = 24000
  # maximum allowed clock skew in seconds (the MIT option is spelled without a hyphen)
  clockskew = 300

  [realms]
  DOMAIN.LOCAL = {
      kdc = DC02.DOMAIN.LOCAL:88
      admin_server = DC02.DOMAIN.LOCAL:464
      default_domain = DOMAIN.LOCAL
  }

  [domain_realm]
  # DNS domain -> Kerberos realm name (the realm, not a KDC host name)
  .DOMAIN.LOCAL = DOMAIN.LOCAL
  DOMAIN.LOCAL = DOMAIN.LOCAL

There are several DCs but I picked one because the docs I was reading made it seem like you had to pick one for Kerberos.

The machine is using the DC DNS, so all domains involved here (all the DCs, the machine's domain, the clients) can be resolved. However, despite this I have added some domains to /etc/hosts:

  127.0.0.1     webb04.domain.local webb04
  10.221.111.51 webb04.domain.local webb04
  10.221.111.16 DC02.DOMAIN.LOCAL DC02
  10.221.111.10 DOMAIN.LOCAL

My /etc/resolv.conf reflects the AD setup in the network:

  domain domain.local
  search domain.local
  nameserver 10.221.111.10
  nameserver 10.221.111.16

With this configuration on Debian Wheezy I can run kinit to get a token using an AD administrator account. Then I can run net ads join -U Administrator and enter the same account's password to join the domain. After that I can run wbinfo -u to list all users in the Windows AD servers. I can also run getent -s winbind passwd username to see information for that user, like this:

  stemid:*:24750:10513::/home/DOMAIN/stemid:/bin/false

Of course this is meta information; that user does not exist on my Linux server. At least that is my understanding.

-- 
Hälsningar / Greetings
http://Stefan.Midjich.name

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 capable of AD auth. without matching Linux users?
I eventually got it working with the following configuration, in case any googlers find it helpful. I wrote it all down here on this wiki:

  http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba

Just so I would not forget until tomorrow. :) It's in Swedish but all the configuration files are recognizable. I'm not sure about many of the options, like idmap backend, so I will investigate them in the morning when I write a proper installation manual, just to remove things I don't need.

2013/6/23 Stefan Midjich <sweh...@gmail.com>:
> My goal is to share a CIFS volume from Linux to Windows clients, using Samba 3.6, and only authenticate users over AD. I do not want one local Linux user for each AD user, in other words. I want all users connecting to CIFS to use one shared local user for FS operations. So the CIFS share will be owned by one local user that all AD users will use when they use the CIFS volume.
>
> Is this possible in Samba 3.6? I ask because I can't make heads or tails of the documentation.
>
> I've managed to piece together a winbind/krb5 configuration that allows me to do the following.
>
>   * Get a Kerberos token from the Windows 2008 AD server (not R2)
>   * net ads join my Linux host into the Windows 2008 AD
>   * List users and groups in the AD using wbinfo, and getent -s winbind
>
> But whenever I try to log in to my share from a Windows server in the same AD, it says the user is invalid on this system. Unless I keep a local user matching the same AD sAMAccountName as the user logging in.
Re: [Samba] Samba3 capable of AD auth. without matching Linux users?
Hello Stefan,

On 23.06.2013 22:44, Stefan Midjich wrote:
> I eventually got it working with the following configuration, in case any googlers find it helpful. I wrote it all down here on this wiki http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba Just so I would not forget until tomorrow. :)

I haven't fully compared, but isn't it largely the same as here:
http://wiki.samba.org/index.php/Samba4/Domain_Member

Is there a reason why you use idmap backend rid and don't take the UIDs from AD?

I don't understand Swedish or what you wrote in the sentence before, but I think setting

  127.0.0.1 webb01.domain.local webb01

could maybe cause problems somewhere sometime. 127.0.0.1 should rather be resolved to localhost. If some program resolves webb01, /etc/hosts would return 127.0.0.1 instead of the IP of your NIC.

Regards,
Marc
Re: [Samba] Samba3 capable of AD auth. without matching Linux users?
Thanks Marc. In fact the localhost entry was just a precaution and I was never sure of it; I even tried resolving localhost to make sure it worked after I made the change.

I will test idmap backend ad later, because I think what made it all work for me was setting up NSS. Now that NSS is set up I can even run id ad-user in the CLI and get all the information from AD. So it seems more integrated now and I have a better understanding of NSS.

I was under the impression that rid converted the SIDs into valid UIDs and GIDs. But if I am, as now, only needing it for authentication and not for IO to the FS, then I should logically not require the local UIDs/GIDs.

2013/6/23 Marc Muehlfeld <sa...@marc-muehlfeld.de>:
> Hello Stefan,
>
> On 23.06.2013 22:44, Stefan Midjich wrote:
>> I eventually got it working with the following configuration, in case any googlers find it helpful. I wrote it all down here on this wiki http://wiki.sydit.se/teknik:ad_autentisering_foer_cifs_med_samba Just so I would not forget until tomorrow. :)
>
> I haven't fully compared, but isn't it largely the same as here:
> http://wiki.samba.org/index.php/Samba4/Domain_Member
>
> Is there a reason why you use idmap backend rid and don't take the UIDs from AD?
>
> I don't understand Swedish or what you wrote in the sentence before, but I think setting
>
>   127.0.0.1 webb01.domain.local webb01
>
> could maybe cause problems somewhere sometime. 127.0.0.1 should rather be resolved to localhost. If some program resolves webb01, /etc/hosts would return 127.0.0.1 instead of the IP of your NIC.
>
> Regards,
> Marc

-- 
Hälsningar / Greetings
http://Stefan.Midjich.name
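As an added example that is not part of the thread: a small Python checker for the two configuration points discussed above, the idmap ranges in smb.conf (Marc's rid-versus-ad question and Stefan's uncertainty about the idmap backend) and a machine name pinned to 127.0.0.1 in /etc/hosts. The sample smb.conf and /etc/hosts text is constructed from the configs Stefan posted; the RID 513 rule follows from idmap_rid's mapping, ID = RID + low range id, with the default base rid of 0.

```python
import re
# matches "idmap config <domain> : backend|range = <value>" lines of smb.conf
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(smb_conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for m in filter(None, map(IDMAP_RE.match, smb_conf.splitlines())):
        entry = cfg.setdefault(m.group(1), {})
        if m.group(2).lower() == "range":
            lo, hi = m.group(3).split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = m.group(3).lower()
    return cfg

def idmap_problems(cfg):
    """Flag a missing '*' default, empty/inverted or overlapping ranges, and a rid
    range too small for the built-in Domain Users group (RID 513): idmap_rid maps
    ID = RID + low range id (base rid 0), so high - low must be at least 513."""
    problems = ["no default 'idmap config *' block"] if "*" not in cfg else []
    doms = sorted(cfg)
    for i, d in enumerate(doms):
        lo, hi = cfg[d].get("range", (0, 0))
        if lo >= hi:
            problems.append(f"{d}: range missing, empty or inverted")
        elif cfg[d].get("backend") == "rid" and hi - lo < 513:
            problems.append(f"{d}: rid range {lo}-{hi} cannot hold RID 513 (Domain Users)")
        for e in doms[i + 1:]:
            lo2, hi2 = cfg[e].get("range", (0, 0))
            if lo <= hi2 and lo2 <= hi:
                problems.append(f"{d} and {e} ranges overlap")
    return problems

def loopback_names(hosts_text, hostname):
    """Names on 127.0.0.1 lines of /etc/hosts matching this machine's short name:
    any program resolving the host then gets loopback instead of the NIC's IP."""
    short, hits = hostname.lower().split(".")[0], []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == "127.0.0.1":
            hits += [n for n in fields[1:] if n.lower().split(".")[0] == short]
    return hits

# Constructed samples, modelled on the configs posted earlier in the thread.
SMB_CONF = ("[global]\nidmap config * : backend = tdb\nidmap config * : range = 2000-4999\n"
            "idmap config DOMAIN : backend = rid\nidmap config DOMAIN : range = 1-4\n")
HOSTS = "127.0.0.1 webb04.domain.local webb04\n10.221.111.51 webb04.domain.local webb04\n"
if __name__ == "__main__":
    print(idmap_problems(parse_idmap(SMB_CONF)), loopback_names(HOSTS, "webb04"))
```

Run against the posted values it reports that the DOMAIN rid range 1-4 cannot hold any real RID and that webb04 is pinned to loopback; a range such as 10000-20000 and a hosts file with only localhost on 127.0.0.1 pass cleanly.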