Hi Rob, thank you for your answer.
>Depends on where you're talking about your users authenticating

My users should authenticate when they try to access a samba share. I don’t want to reconfigure every mapped samba share on the clients; because of this I want to use the "old" local accounts (like "peter", not "SAMBASERVER\peter").

I already tried "winbind use default domain = yes" and after winbind restart authentication failed for every user. I think the problem is that the users in the Active Directory have the same names (and UIDs) as the local users (because they are mapped with "idmap backend = ad").

Cheers,
Philipp

>From: [email protected] [mailto:[email protected]] On behalf of Rob Moser
>Sent: Tuesday, 13 July 2010 17:09
>To: [email protected]
>Subject: Re: [Samba] winbind and authentication with local accounts
>
>Depends on where you're talking about your users authenticating, but it
>sounds like you need a:
>
>winbind use default domain = yes
>
>in your smb.conf.
>
> - rob.
>
>On 07/13/2010 02:00 AM, Philipp Braband wrote:
> Hi everyone,
>
> I have a problem with my samba and winbind configuration:
>
> before I switched the config (from local user authentication to AD
> authentication using winbind) my users were able to authenticate for example
> as “peter”. Now, after switching, they are forced to use
> SAMBASERVERNAME\peter. If they use only “peter” winbind tries to authenticate
> them against the AD which fails. Is there a way to “teach” winbind to try to
> authenticate every user locally if they don't use DOMAIN\peter?
> Hope you understand my problem in spite of my bad English ☺
>
> My configuration:
>
> SLES11 SP0
> samba-3.2.7-11.6
> samba-winbind-3.2.7-11.6
> krb5-1.6.3-133.10
>
> smb.conf:
>
> [global]
>     workgroup = DOMAIN
>     netbios aliases = SAMBASERVER
>     interfaces = eth0, 127.0.0.1/8
>     bind interfaces only = Yes
>     ;security = ADS
>     security = ADS
>     password server = 192.168.1.1
>     load printers = No
>     disable spoolss = Yes
>     show add printer wizard = No
>     ;printcap name = cups
>     logon path = \\%L\profiles\.msprofile
>     logon drive = P:
>     logon home = \\%L\%U\.9xprofile
>     encrypt passwords = Yes
>     smb passwd file = /etc/samba/smbpasswd
>     username map = /etc/samba/smbusers
>     kernel oplocks = No
>     ldap ssl = no
>     printing = bsd
>     ;cups options = raw
>     print command = lpr -r -P'%p' %s
>     lpq command = lpq -P'%p'
>     lprm command = lprm -P'%p' %j
>     include = /etc/samba/dhcp.conf
>     log level = 1
>     realm = DOMAIN.DE
>     template homedir = /home/%D/%U
>     template shell = /bin/bash
>     usershare allow guests = No
>     winbind refresh tickets = yes
>     winbind offline logon = yes
>     idmap gid = 10000-20000
>     idmap uid = 10000-20000
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     idmap backend = ad
>     idmap config DOMAIN : backend = ad
>     winbind nss info = rfc2307
>
> krb5.conf
>
> [libdefaults]
>     default_realm = DOMAIN.DE
>     clockskew = 300
>
> [realms]
> DOMAIN.DE = {
>     kdc = 192.168.1.1
>     admin_server = 192.168.1.1
>     default_domain = domain.de
> }
>
> [logging]
>     kdc = FILE:/var/log/krb5/krb5kdc.log
>     admin_server = FILE:/var/log/krb5/kadmind.log
>     default = SYSLOG:NOTICE:DAEMON
>
> [domain_realm]
>     .domain.de = DOMAIN.DE
>
> [appdefaults]
> pam = {
>     ticket_lifetime = 1d
>     renew_lifetime = 1d
>     forwardable = true
>     proxiable = false
>     minimum_uid = 1
> }
>
> Cheers,
> Philipp
>
> ________________________________________________
> S&L Netzwerktechnik GmbH
> Philipp Braband
> Networking Team
>
> Florinstrasse 18
> 56218 Muelheim-Kaerlich
>
> Phone: +49 261 92736 308
> Fax:
> Email: [email protected]
> www: http://www.sul.de
> www: http://www.controlseries.de
> www: http://www.monitoring-solution.de
> ________________________________________________
>
> S&L Netzwerktechnik GmbH - Managing directors: Goetz Schmitt, Oliver Schmitt
> Registered office: Muelheim-Kaerlich - Amtsgericht Koblenz HRB 135 53
> VAT ID: DE 171698897 - VAT ID: Luxembourg LU 18934643
>
> This e-mail may contain confidential and/or privileged information. If you
> are not the intended recipient (or have received this e-mail in error) please
> notify the sender immediately by call or e-mail and destroy this e-mail. Any
> unauthorised copying, disclosure or distribution of the material in this
> e-mail is strictly forbidden. We are not responsible for the integrity of
> e-mails after they have left our sphere of control.
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
