
mfoley 11-20-2017 08:25 PM

How to use AD authentication for normal Samba file sharing
 
I have a Linux Slackware64 14.2 host used for file sharing in my Active Directory domain. Although I have a Samba4 AD/DC server configured in the LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on this server does not require any ID or passwords from Windows client workstations. The current smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory authentication. That is, when the Windows user maps the shared drive, I would like it to authenticate with his/her domain credentials and not require the user to enter ID/PW on the Map Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member and do all the proper krb5 and PAM stuff (Thanks to Ivandi https://www.linuxquestions.org/quest...ba-4175583996/). What would I have to do to get the Samba file-sharing server to authenticate the user's domain credentials?

My smb.conf:
Code:

[global]
netbios name = OHPRSSTORAGE
  workgroup = WORKGROUP
  server string = HPRS NAS server

domain master = no
prefered master = no

  security = user
  map to guest = Bad User

  hosts allow = 192.168.0. 127.

load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes

guest account = nevermind

  log file = /var/log/samba.%m
  max log size = 50

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  dns proxy = no

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/
locking = yes
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771


koloth 11-21-2017 06:00 AM

I recall samba having a "password server" parameter in [global].
I'm not sure if it can be used per share but i guess it is worth a look

kjhambrick 11-21-2017 07:35 AM

mfoley --

Yes, it is possible.

You'll need to join the Samba Server Box to your Domain.

Then once it is a member of the Domain, something like the following should work.

-- kjh

Code:

# testparm

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = LinuxBox
        security = ADS
        password server = ADDC.MYDOMAIN.COM
        log file = /var/log/samba/log.%m
        max log size = 50
        unix extensions = No
        client signing = required
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        cups options = raw
        root preexec = /usr/local/sbin/mkhomedir.sh %U

[homes]
        comment = Home Directories
        read only = No
        delete veto files = Yes
        veto files = /.bash_history/.bashrc/.bash_profile/.bash_logout/.vimrc/
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No


mfoley 11-21-2017 12:27 PM

Thanks for the feedback. I also found this: https://www.howtoforge.com/samba_active_directory, but in addition to the similar items in your example smb.conf it has:
Code:

[exampleshare]       
        comment = a comment       
        path = /home/exampleshare       
        browseable = yes       
        read only = no       
        inherit acls = yes       
        inherit permissions = yes       
        create mask = 700       
        directory mask = 700       
        valid users = @"DOMAIN+Domain Users"  <-- define your ADS groups       
        admin users = @"DOMAIN+Domain Admins"  <-- define your ads groups with admin rights

I'm not entirely sure what @"DOMAIN+Domain Users" is supposed to look like. Sometimes I wish example givers would use actual examples instead of meta-language. My domain is OHPRS, so perhaps the string would be:

valid users = @"OHPRS+Domain Users"

What do you think? "domain users" is what ls shows for the group:
Code:

# ls -l /home/HPRS/mark
total 104
drwxrwx--- 15 mark domain users 4096 2017-11-14 14:08 Desktop/
drwxr-x---  2 mark domain users 4096 2016-10-25 19:00 Documents/
drwxr-x---  2 mark domain users 4096 2017-05-20 14:17 Downloads/
drwxrwx--- 10 mark domain users 4096 2017-09-14 10:54 Favorites/
drwxr-x---  2 mark domain users 4096 2015-10-16 15:46 Music/
drwxrwx--- 14 mark domain users 4096 2017-11-14 14:14 My\ Documents/

`samba-tool group list` shows "Domain Users" capitalized, but the `ls` does not. Hopefully, it doesn't matter.

kjhambrick 11-21-2017 02:00 PM

mfoley --

Our smb.conf file includes winbind use default domain = Yes so users can log in by name only ( no domain necessary ).

In that case valid users = @"domain users"

EDIT[1]: Case does not matter.

EDIT[2]: If you've already joined the domain, wbinfo -g will show groups as it sees them

example:
Code:

# wbinfo -g |grep -i domain

domain computers
domain guests
domain users
domain admins
domain controllers
read-only domain controllers
cloneable domain controllers
enterprise read-only domain controllers

without winbind use default domain = Yes you would see:
Code:

# wbinfo -g |grep -i domain

MYDOMAIN+domain computers
MYDOMAIN+domain users
MYDOMAIN+domain guests
MYDOMAIN+domain admins
MYDOMAIN+domain controllers
MYDOMAIN+exchange domain servers
MYDOMAIN+read-only domain controllers
MYDOMAIN+enterprise read-only domain controllers

What you see is what you use in smb.conf ...

-- kjh

mfoley 11-24-2017 05:14 PM

kjhambrick: As it turns out, the comments in my domain-member smb.conf file have "Adapted from kjhambrick's smb.conf"! That reference is from September, 2016. So, I'm using your basic config anyway.

I've joined the samba file sharing host to the domain. All wbinfo and getent tests check out OK. I've updated my smb.conf (see below), but when I try to map the drive from Windows I get "X:\ is not accessible. Access is denied." But, the mapped drive "shows" on the My Computer screen and gives the correct size and availability, but I can't see any files. If I switch the workgroup from OHPRS to WORKGROUP, I get an ID/PW dialog on the Map Network drive function, but the domain credentials don't work. I also get a "domain_client_validate: Domain password server not available" message in the SAMBASERVER:/var/log/samba/log.smbd which I don't get when the workgroup is HPRS.

I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is:
Code:

# ls -l /mnt/RAID/public/
total 432512
-rw-rw----    1 ohprso ohprs    552110 2017-10-31 15:48 2017-10-31-Windows7x32.pdf
-rw-rw----    1 ohprso ohprs    38912 2017-10-31 01:24 2017.10.19\ Investment\ Committee\ Minutes\ (draft).doc
drwxrws--x    2 ohprso ohprs      4096 2017-03-01 13:06 AA\ Mark\ Foley\ doc/
-rw-rw----    1 ohprso ohprs    216576 2016-12-28 15:51 ActiveContribTotals.xls
drwxr-xr-x    17 ohprso ohprs      4096 2016-10-03 10:40 Archives/
drwxr-xr-x    28 ohprso ohprs      4096 2017-11-01 11:19 Board\ of\ Trustees/
-rw-rw----    1 ohprso ohprs  1329862 2017-01-31 10:56 CHARMAINE.png

Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?

Current smb.conf
Code:

# Adapted from kjhambrick's smb.conf 2017-09-23
# Global parameters
[global]
netbios name = OHPRSSTORAGE

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
#  workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
  server string = HPRS NAS server

domain master = no
prefered master = no

        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

      winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes
# set o+x to mark a file as hidden (doesn't work for folders)
map hidden = yes
# User's outlook .pst files are in a folder named "outlook"
hide files = /Outlook/outlook/~*/

# locking: https://www.samba.org/samba/docs/using_samba/ch08.html
veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

# guest ok = yes
# guest only = yes

locking = yes
public = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771


kjhambrick 11-25-2017 06:28 AM

mfoley --

I assume kerberos is set up and you've got a ticket ?

One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM ( substitute your AD DC Password Server :) )

testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.

Another thing we added was this line to smb.conf root preexec = /usr/local/sbin/mkhomedir.sh %U

Script and instructions are below.

This way, the user's $HOME is auto-created on the Linux Side when the user successfully authenticates against the AD DC.

The script came from John Terpstra of SAMBA fame ...

If you type: id ohprso do you get back a list of Windows Ids ?

Are you able to log in as ohprso via ssh ( say via a putty client on a windows box ) ?

If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...

HTH ...

-- kjh

This is /usr/local/sbin/mkhomedir.sh

Code:

#!/bin/bash
#
# from John Terpstra - http://lists.samba.org/archive/samba/2005-June/106958.html
#
# chown root:root          /usr/local/sbin/mkhomedir.sh
# chmod u=rwsx,g=rwx,o-rwx /usr/local/sbin/mkhomedir.sh
#
# Called from smb.conf as "root preexec = /usr/local/sbin/mkhomedir.sh %U",
# so $1 is the Unix name of the user who just authenticated (runs as root).

# Refuse an empty name or anything containing a slash, so TheDir always
# stays directly under /home.
case "$1" in
  ''|*/*) exit 1 ;;
esac

TheDir="/home/$1"

# Only create the directory on first login; an existing home is left alone.
if [ ! -e "$TheDir" ]
then
  cp -pR /etc/skel "$TheDir"
  chown -R "$1":"domain users" "$TheDir"
  chmod 700 "$TheDir"
fi


kjhambrick 11-25-2017 06:42 AM

Quote:

Originally Posted by mfoley (Post 5784807)
I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is:
Code:

# ls -l /mnt/RAID/public/
total 432512
-rw-rw----    1 ohprso ohprs    552110 2017-10-31 15:48 2017-10-31-Windows7x32.pdf
-rw-rw----    1 ohprso ohprs    38912 2017-10-31 01:24 2017.10.19\ Investment\ Committee\ Minutes\ (draft).doc
drwxrws--x    2 ohprso ohprs      4096 2017-03-01 13:06 AA\ Mark\ Foley\ doc/
-rw-rw----    1 ohprso ohprs    216576 2016-12-28 15:51 ActiveContribTotals.xls
drwxr-xr-x    17 ohprso ohprs      4096 2016-10-03 10:40 Archives/
drwxr-xr-x    28 ohprso ohprs      4096 2017-11-01 11:19 Board\ of\ Trustees/
-rw-rw----    1 ohprso ohprs  1329862 2017-01-31 10:56 CHARMAINE.png


mfoley --

Oops ... I missed that Q and a line from your smb.conf for your public share ...

Quote:

Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?
What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?

Your smb.conf file says: valid users = @"domain users" so that may be your problem ...

HTH

-- kjh

Quote:

Current smb.conf
Code:

# Adapted from kjhambrick's smb.conf 2017-09-23
# Global parameters
[global]
netbios name = OHPRSSTORAGE

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
#  workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
  server string = HPRS NAS server

domain master = no
prefered master = no

        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

      winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes
# set o+x to mark a file as hidden (doesn't work for folders)
map hidden = yes
# User's outlook .pst files are in a folder named "outlook"
hide files = /Outlook/outlook/~*/

# locking: https://www.samba.org/samba/docs/using_samba/ch08.html
veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

# guest ok = yes
# guest only = yes

locking = yes
public = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771



mfoley 11-25-2017 11:06 AM

Lotta comments! Thanks ...
Quote:

Originally Posted by kjhambrick (Post 5784998)
mfoley --
I assume kerberos is set up and you've got a ticket ?

Well, I assume so. I can wbinfo and getpwent OK.
Quote:

One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM ( substitute your AD DC Password Server :) )
testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.
Hmmm, even without this I *think* it's validating the domain credentials OK. But my permission is denied. Otherwise, I'm not familiar with a password server, would that simply be my AD/DC server? In my case mail.hprs.local? I'll try that.
Quote:

Another thing we added was this line to smb.conf root preexec = /usr/local/sbin/mkhomedir.sh %U

Script and instructions are below.

This way, the user's $HOME is auto-created on the Linux Side when the user successfully authenticates against the AD DC.

The script came from John Terpstra of SAMBA fame ...
No domain users actually log into this server. They only access the file share. Therefore, I don't think I need or want that. (I do something similar on actual domain members for users with automount).
Quote:

If you type: id ohprso do you get back a list of Windows Ids ?
Code:

# id ohprso
uid=1001(ohprso) gid=301(ohprs) groups=301(ohprs)

I'm just now experimenting with this AD authentication on this server. User ohprso and group ohprs are not a domain user/group. With the traditional Samba sharing, the guest account was set up with this UID.GID so users, regardless of their actual UID.GID, were mapped as ohprso.ohprs. I'm trying to accomplish something similar now as I'd still like the whole share to stay owned by ohprso.ohprs.
Quote:

Are you able to log in as ohprso via ssh ( say via a putty client on a windows box ) ?

If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...
Well, yes I can, but as mentioned ohprso is not a domain user. Its info is in /etc/passwd. Perhaps a point of confusion. ohprso.ohprs is the owner of the files in the share. It is not an actual user. Actual domain users will be e.g. mark.domain users and multiple others like that. The share is a NAS office file server so everyone accesses it and has (should have) permission to r/w all files on the share. With "classic" Samba, users connected as the guest and all files read/written to the share received ohprso.ohprs ownership.
Quote:

Originally Posted by kjhambrick (Post 5785000)
mfoley --
Oops ... I missed that Q and a line from your smb.conf for your public share ...

What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?

# ls -lad /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-22 20:44 /mnt/RAID/public//
Quote:

Your smb.conf file says: valid users = @"domain users" so that may be your problem ...
But, that was your suggestion in your 11-21-17 03:00 PM post.

Personally, I think I'm authenticating OK, and I believe the Windows map sees the share since it gets the space and usage info. I think I've got a permission problem. I'll do more experimenting with that once I get access to the server later today.

kjhambrick 11-25-2017 01:24 PM

mfoley --

What happens if you: chown -R mark:'domain users' /mnt/RAID/public/

Are you able to access the share from your Windows PeeCee ?

-- kjh

mfoley 11-27-2017 04:47 PM

YES! I didn't do a chown -R since this is the main office shared network drive and that might mess everybody up. But I did do:
Code:

# chmod o+rw /mnt/RAID/public

# ls -ld /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-27 17:29 /mnt/RAID/public//

Then I tried mounting from a domain workstation and it worked! It used the AD credentials to map the drive and did not ask for ID/PW. I could see all files on the drive. I created a file on the drive from the workstation and that worked too:
Code:

ls -l /mnt/public/rainInSpain.txt
-rw-rw----    1  10001 ohprs        19 2017-11-27 17:29 rainInSpain.txt

Because of the 's' bit in the group permission it created it with the group ohprs, which is good. However and as expected, it created the file with the domain user's ID: 10001.

So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...

mfoley 11-27-2017 10:32 PM

OK, I believe I've figured this out!
Code:

force user ohprso
force group ohprs

That appeared to work!

Does anyone see a problem?

kjhambrick 11-28-2017 05:42 AM

Quote:

Originally Posted by mfoley (Post 5786045)
OK, I believe I've figured this out!
Code:

force user ohprso
force group ohprs

That appeared to work!

Does anyone see a problem?

mfoley --

That shouldn't be a problem -- it works for us in a similar setup.

We do the same sort of force * for 'secured shares' ( shares where only members of a select group are allowed access )

-- kjh

kjhambrick 11-28-2017 07:06 AM

Quote:

Originally Posted by mfoley (Post 5785944)
YES! I didn't do a chown -R since this is the main office shared network drive and that might mess everybody up. But I did do:
Code:

# chmod o+rw /mnt/RAID/public

# ls -ld /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-27 17:29 /mnt/RAID/public//

Then I tried mounting from a domain workstation and it worked! It used the AD credentials to map the drive and did not ask for ID/PW. I could see all files on the drive. I created a file on the drive from the workstation and that worked too:
Code:

ls -l /mnt/public/rainInSpain.txt
-rw-rw----    1  10001 ohprs        19 2017-11-27 17:29 rainInSpain.txt

Because of the 's' bit in the group permission it created it with the group ohprs, which is good. However and as expected, it created the file with the domain user's ID: 10001.

So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...

mfoley --

One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?

Could it be the idmap ranges in the smb.conf you posted earlier ?
Code:

# this ?
  idmap config *:range = 2000-9999
# vs this ?
  idmap config HPRS:range = 10000-10099

I dunno ... but if it's working and if you're going to 'force user' / 'force group' then good enough ...
-- kjh
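Added example, not code from the thread or from the Samba project: a small smb.conf checker that covers the two questions above, the idmap range layout (which range the uid 10001 came from, and whether the ranges overlap) and the effect of `force user` / `force group`, plus two settings that came up earlier in the thread (`security = ads` with `password server`, which testparm warns about, and guest settings on a share that also lists `valid users`). The sample config is constructed from values posted in the thread; `password server = ADDC.MYDOMAIN.COM` is taken from kjhambrick's config and `map to guest = Bad User` from the original workgroup config, both kept only so the checks have something to report. Note that `public` is a synonym of `guest ok` in smb.conf(5), which is why the final [public] share still counts as guest-enabled even with `guest ok` commented out.

```python
"""Check an smb.conf fragment for the idmap and access settings discussed above.
Added example (not the thread's or Samba's code). Sample input is constructed."""
import re
from itertools import combinations

# Constructed from the values posted in the thread (see lead-in for the two
# lines carried over from other configs in the thread).
SAMPLE_SMB_CONF = """
[global]
  netbios name = OHPRSSTORAGE
  realm = HPRS.LOCAL
  workgroup = HPRS
  security = ADS
  password server = ADDC.MYDOMAIN.COM
  map to guest = Bad User
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS : range = 10000-10099
  winbind use default domain = Yes

[public]
  path = /mnt/RAID/public
  valid users = @"domain users"
  public = yes
  force user = ohprso
  force group = ohprs
"""

# smb.conf(5) synonyms relevant to the checks below.
SYNONYMS = {"public": "guestok", "writable": "writeable"}


def _norm(name):
    # Samba compares parameter names ignoring case and whitespace, so
    # "idmap config HPRS : range" and "idmap config hprs:range" are one key.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_key: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _norm(line[1:-1])
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = _norm(key)
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


_RANGE_KEY = re.compile(r"^idmapconfig(.+?):range$")


def idmap_ranges(conf):
    """Map each idmap domain ('*' is the fallback backend) to its (low, high) ids."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = _RANGE_KEY.match(key)
        if m:
            low, high = re.match(r"^(\d+)\s*-\s*(\d+)$", value).groups()
            ranges[m.group(1)] = (int(low), int(high))
    return ranges


def domain_for_uid(ranges, uid):
    """Which idmap range a Unix id was allocated from; None means it is outside
    every range, i.e. a local /etc/passwd account such as ohprso (uid 1001)."""
    for domain, (low, high) in ranges.items():
        if low <= uid <= high:
            return domain
    return None


def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (they must not)."""
    return [(a, b) for a, b in combinations(sorted(ranges), 2)
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def audit(conf):
    """(code, message) findings for the pitfalls discussed in the thread."""
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() == "ads" and "passwordserver" in g:
        findings.append(("ADS_PASSWORD_SERVER",
                         "security = ads combined with password server: testparm warns; "
                         "Samba normally discovers the DC itself"))
    for name, share in conf.items():
        if name == "global":
            continue
        guest = share.get("guestok", "no").lower() == "yes"
        if guest and "validusers" in share:
            findings.append(("GUEST_WITH_VALID_USERS",
                             f"[{name}]: guest ok/public = yes alongside valid users = {share['validusers']}"))
        if guest and g.get("maptoguest", "never").lower() != "never":
            findings.append(("GUEST_MAPPING",
                             f"[{name}]: map to guest = {g['maptoguest']} maps unknown usernames to "
                             "the guest account, so this share is reachable without a domain credential"))
        if "forceuser" in share:
            findings.append(("FORCE_USER",
                             f"[{name}]: all file operations run as {share['forceuser']}; "
                             "per-user ownership (and the on-disk audit trail) is gone"))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    ranges = idmap_ranges(conf)
    print("idmap ranges:", ranges, "overlaps:", overlapping_ranges(ranges))
    print("uid 10001 came from range:", domain_for_uid(ranges, 10001))
    for code, msg in audit(conf):
        print(f"{code}: {msg}")
```

Run against the sample, uid 10001 resolves to the HPRS range (10000-10099), so it was allocated by the `ad` backend on the Samba host; a machine without winbind (the NFS client doing the `ls`) simply has no way to map it back to a name, which is the explanation in the next post. The `FORCE_USER` finding is the trade-off of that approach: every file is written as ohprso, so the filesystem no longer records which domain user created or changed it.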

mfoley 11-28-2017 07:35 AM

Quote:

Originally Posted by kjhambrick (Post 5786160)
mfoley --
One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?

Good eye! The reason is that my `ls` is done on another server (the webserver) that mounts this directory as nfs. webserver is not currently a domain member, so these domain Ids are not known on this server. This is one reason why I wanted to map all the domain Ids to ohprso.ohprs.

We've been gradually migrating everything in the office from MS Small Business Server to Linux and Samba4. Originally, the webserver, NAS (hosting the Samba shares) and other Linux servers were not in the Windows AD domain. A couple of Linux workstations have been added to the domain (thanks in large part to your help in a much earlier thread) and now this NAS server is migrated. Eventually, the webserver will join the domain as well and perhaps then I can let Samba shared files be created with the actual user's Id as long as we retain g+rw.

With the small staff (me) and limited testing time, it would have been too fraught with peril to attempt to join multiple hosts to the domain and possibly change shared file ownership, etc. In fact, my next mission is getting all users as AD users - which only a few currently are. Gotta do that before I make this Samba AD authentication real. Baby steps!

