LinuxQuestions.org

LWillmann 07-28-2015 08:06 PM

Accessing Samba shares from a Domain Workstation
 
Our office is one location of approximately 8 in our enterprise. Our location is currently a "Workgroup" or "Peer to Peer" network at this time, however we are in the process of transitioning to the enterprise Microsoft AD domain.

We have some files that we're currently sharing on older machines to multiple users on our network. Those older machines need to be transitioned to something different. So my thought was to replace those aging computers with a single CentOS instance on our ESX box.

I have a CentOS 6.6 server running Samba 3.6.23-14.el6_6

I want to keep that CentOS/Samba server off of the domain.

I have configured Samba with a few 'public' shares, and a couple that are restricted to 'known' users.

I have been testing with the shares from both 'workgroup' and domain computers.

For a moment, assume I have not run the 'smbpasswd -a [username]' command and configured a Samba password for a linux user.

From my 'workgroup' computer, I can access the public shares without issue.
From my 'domain' computer, I can access the public shares without issue.

Attempting to access the 'known' user shares from either computer results in Windows asking for credentials. This is as expected, however because I haven't created a samba account for a user, none of the credentials are accepted from either computer.

Now, assume I run the 'smbpasswd -a [username]' command to create a Samba password for a linux user.

From my 'workgroup' computer, I can access the public shares, and when attempting to connect to the 'known user' shares, I am presented with a request for credentials. I enter the username and password and it works no problem.

From my 'domain' computer, I had the list of shares showing in an Explorer window. I clicked on one of the 'known user' shares to browse to the folder and it asked for credentials and it failed at every turn. I attempted to use "username", "\\server\username" and "\\server_ip\username" with the proper password. It fails across the board. I then tried to back up to the server's IP to see a list of all the shares and it also fails. So now I can't access any shares at all from the domain connected computer.

If I remove the Samba user that I configured earlier, I am again able to access the public shares using my domain connected computer.

So is there a way that I can configure Samba to NOT be part of a domain, but get my domain connected computers to access password protected shares?

paul2015 08-01-2015 01:08 AM

What do the log files say? AD uses DNS to locate services on the network and to authenticate users, so it is pointing to the domain controller. Do the logs say that the domain member machine tried to authenticate against the Samba server?

LWillmann 08-01-2015 09:36 AM

I managed to resolve this myself the other day and forgot to post. I apologize for that.

First, I was reading a how-to on Samba 4 and looking at the sample configuration that writer used.

I had been using
Code:

security = share
and the writer used
Code:

security = user
so I decided to try that.

This caused the server to request user credentials anytime a user attempts to view the shared resources on the box. It doesn't matter if Samba is configured for public access or individual user access. Changing the security mode to user forces Samba to require a valid user account in order to access anything on the box.

So then I added my user account to the Samba users list, assigning myself the same Samba password as my domain password, and it let me view the server's shared resources. On my non-domain workstation, it asked for user credentials, so I gave it my username / password for Samba and it let me see stuff too.

So every user that needs to access the box will have to have an account on the box. But at least I can get them access, and I can set them to a nologin shell and they can still get to the shared files.

This makes things slightly more complicated for me in a few ways. First, I have to manually add the users to the Linux box, and second, I have to manually add their passwords to Samba. Then, if a user ever changes their domain password, I will have to update their credentials on the Linux box.

I'm still testing some of this, but at least I have managed to get access from both domain and non-domain computers.

Ideally, I'd like to be able to set it up so that I can assign a 'generic' user and allow multiple people to use the same username / password to access the shared resources. But with the domain computers that doesn't seem to be possible to this point. But as I said, I'm still testing.
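An added example, not part of the original posts: a small audit of an smb.conf that reports the security mode, classifies each share as guest-accessible or credentialed, and lists the individual accounts that would need `smbpasswd -a` under `security = user`. The sample configuration, share names and user names are constructed for illustration.

```python
import re

# Constructed sample, not the poster's actual file: one public share and
# one share limited to named users, as described in the thread.
SAMPLE_CONF = """\
[global]
    workgroup = WORKGROUP
    security = share

[public]
    path = /srv/samba/public
    guest ok = yes

[accounts]
    path = /srv/samba/accounts
    valid users = alice, bob @finance
"""

TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def audit(text):
    """Return (security mode, {share: access class}, accounts to create, findings)."""
    conf = parse_smb_conf(text)
    mode = conf.get("global", {}).get("security", "user").lower()
    findings = []
    if mode == "share":
        findings.append("security = share is deprecated in Samba 3.6 and removed in 4.0")
    shares, accounts = {}, set()
    for name, params in conf.items():
        if name == "global":
            continue
        guest = params.get("guest ok", params.get("public", "no")).lower() in TRUE_VALUES
        users = [u for u in re.split(r"[,\s]+", params.get("valid users", "")) if u]
        shares[name] = "guest" if guest else ("named-users" if users else "any-account")
        # Entries starting with @, + or & name groups, not individual accounts.
        accounts.update(u for u in users if u[0] not in "@+&")
    return mode, shares, sorted(accounts), findings
```

Running `audit()` over the real file before and after changing the security mode shows which shares stay open to guests and which accounts have to be kept in sync by hand.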

