How to use AD authentication for normal Samba file sharing
I have a Linux Slackware64 14.2 host used for file sharing in my Active Directory domain. Although I have a Samba4 AD/DC server configured in the LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on this server does not require any ID or passwords from Windows client workstations. The current smb.conf is shown below; only one of the shares is listed.
I would like to have this file-sharing host authenticate using Active Directory authentication. That is, when the Windows user maps the shared drive, I would like it to authenticate with his/her domain credentials and not require the user to enter ID/PW on the Map Network Drive dialog. Is this possible? If so, I know how to make the Linux file-sharing host a domain member and do all the proper krb5 and PAM stuff (Thanks to Ivandi https://www.linuxquestions.org/quest...ba-4175583996/). What would I have to do to get the Samba file-sharing server to authenticate the user's domain credentials? My smb.conf:
Code:
[global]
I recall samba having a "password server" parameter in [global].
I'm not sure if it can be used per share but I guess it is worth a look.
mfoley --
Yes, it is possible. You'll need to join the Samba Server Box to your Domain. Then once it is a member of the Domain, something like the following should work. -- kjh Code:
# testparm
Thanks for the feedback. I also found this: https://www.howtoforge.com/samba_active_directory, but in addition to the similar items in your example smb.conf it has:
Code:
[exampleshare]
valid users = @"OHPRS+Domain Users"
What do you think? "domain users" is what ls shows for the group:
Code:
# ls -l /home/HPRS/mark
mfoley --
Our smb.conf file includes winbind use default domain = Yes so users can log in by name only (no domain necessary). In that case valid users = @"domain users"
EDIT[1]: Case does not matter.
EDIT[2]: If you've already joined the domain, wbinfo -g will show groups as it sees them, example:
Code:
# wbinfo -g |grep -i domain
-- kjh
kjhambrick: As it turns out, the comments in my domain-member smb.conf file have "Adapted from kjhambrick's smb.conf"! That reference is from September, 2016. So, I'm using your basic config anyway.
I've joined the samba file sharing host to the domain. All wbinfo and getent tests check out OK. I've updated my smb.conf (see below), but when I try to map the drive from Windows I get "X:\ is not accessible. Access is denied." But, the mapped drive "shows" on the My Computer screen and gives the correct size and availability, but I can't see any files. If I switch the workgroup from OHPRS to WORKGROUP, I get an ID/PW dialog on the Map Network drive function, but the domain credentials don't work. I also get a "domain_client_validate: Domain password server not available" message in the SAMBASERVER:/var/log/samba/log.smbd which I don't get when the workgroup is HPRS. I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is: Code:
# ls -l /mnt/RAID/public/
Current smb.conf:
Code:
# Adapted from kjhambrick's smb.conf 2017-09-23
mfoley --
I assume kerberos is set up and you've got a ticket?

One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM (substitute your AD DC Password Server :) ). testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.

Another thing we added was this line to smb.conf: root preexec = /usr/local/sbin/mkhomedir.sh %U
Script and instructions are below. This way, the user's $HOME is auto-created on the Linux side when the user successfully authenticates against the AD DC. The script came from John Terpstra of SAMBA fame ...

If you type: id ohprso do you get back a list of Windows Ids? Are you able to log in as ohprso via ssh (say via a putty client on a windows box)? If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...

HTH ... -- kjh

This is /usr/local/sbin/mkhomedir.sh
Code:
#!/bin/bash
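Since the thread only preserves the first line of kjhambrick's mkhomedir.sh, here is an added example of a minimal script for the same root preexec job (my own sketch, not the Terpstra script the post refers to). It assumes smbd invokes it as root with the session username, i.e. root preexec = /usr/local/sbin/mkhomedir.sh %U, and that domain accounts resolve through NSS/winbind.

```shell
#!/bin/bash
# Added example (not the script from the thread). Creates a domain user's
# Linux home directory on first Samba login. Assumed invocation from smb.conf:
#   root preexec = /usr/local/sbin/mkhomedir.sh %U
# With "winbind use default domain = Yes", %U is a bare name such as "mark".
set -e

# Home directory of a user as NSS (including winbind) reports it.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

mkhomedir() {
    user="$1"
    # Unknown account (not local, not resolvable via winbind): refuse.
    entry=$(getent passwd "$user") || {
        echo "mkhomedir: unknown user '$user'" >&2
        return 1
    }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)

    # Common case: the home already exists, nothing to do.
    [ -d "$home" ] && return 0

    # Never mkdir "/" or an empty path because of a bogus passwd entry.
    case "$home" in
        ""|/) echo "mkhomedir: refusing bogus home '$home'" >&2; return 1 ;;
    esac

    # Create it private to the user, seed from /etc/skel, hand it over.
    mkdir -p -m 0700 "$home"
    if [ -d /etc/skel ]; then
        cp -a /etc/skel/. "$home"/
    fi
    chown -R "$uid:$gid" "$home"
}

# When executed as a script, act on the username smbd passed as %U.
if [ "$#" -gt 0 ]; then
    mkhomedir "$1"
fi
```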
Oops ... I missed that Q and a line from your smb.conf for your public share ...
Your smb.conf file says: valid users = @"domain users" so that may be your problem ... HTH -- kjh
Lotta comments! Thanks ...
Code:
# id ohprso
Code:
drwxrws--x 21 ohprso ohprs 8192 2017-11-22 20:44 /mnt/RAID/public//
Personally, I think I'm authenticating OK, and I believe the Windows map sees the share since it gets the space and usage info. I think I've got a permission problem. I'll do more experimenting with that once I get access to the server later today.
mfoley --
What happens if you: chown -R mark:'domain users' /mnt/RAID/public/
Are you able to access the share from your Windows PeeCee? -- kjh
YES! I didn't do a chown -R since this is the main office shared network drive and that might mess everybody up. But I did do:
Code:
# chmod o+rw /mnt/RAID/public
Code:
ls -l /mnt/public/rainInSpain.txt
So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...
OK, I believe I've figured this out!
Code:
force user ohprso
Does anyone see a problem?
That shouldn't be a problem -- it works for us in a similar setup. We do the same sort of force * for 'secured shares' (shares where only members of a select group are allowed access) -- kjh
One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name? Could it be the idmap ranges in the smb.conf you posted earlier?
Code:
# this ?
-- kjh
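Pulling the thread's pieces together (domain membership, password server, root preexec, valid users, force user, and the idmap question above), here is an added example smb.conf for the domain-member file server. It is my own sketch, not mfoley's or kjhambrick's actual config; the realm, DC hostname, homedir template and idmap ranges are assumptions/placeholders.

```ini
# Added example, not the config posted in this thread. Assumes the host has
# already been joined to the OHPRS domain (net ads join). REALM and the DC
# hostname are placeholders; the idmap ranges are an assumption chosen so a
# RID-mapped domain account lands around uid 10001 as in the "id" output.
[global]
   workgroup = OHPRS
   realm = OHPRS.EXAMPLE.COM
   security = ADS
   # kjh's workaround: name the DC explicitly (testparm warns about it)
   password server = ADDC.OHPRS.EXAMPLE.COM
   kerberos method = secrets and keytab

   # Stable SID -> uid/gid mapping; '*' covers BUILTIN and other SIDs
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config OHPRS : backend = rid
   idmap config OHPRS : range = 10000-999999

   # Bare usernames ("mark", not "OHPRS\mark") and NSS enumeration
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U

   # Auto-create the Linux home on first successful AD login
   root preexec = /usr/local/sbin/mkhomedir.sh %U

[public]
   path = /mnt/RAID/public
   comment = Main office share
   # Only AD accounts in "Domain Users" may connect to the share...
   valid users = @"domain users"
   # ...but every file operation runs as the tree's owner, which is what
   # made the drwxrws--x ohprso:ohprs directory usable for all of them
   force user = ohprso
   force group = ohprs
   read only = no
   browseable = yes
   create mask = 0664
   directory mask = 2775
```

Run testparm after editing; the deprecated password server line produces a warning but, as kjh noted, is accepted.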
We've been gradually migrating everything in the office from MS Small Business Server to Linux and Samba4. Originally, the webserver, NAS (hosting the Samba shares) and other Linux servers were not in the Windows AD domain. A couple of Linux workstations have been added to the domain (thanks in large part to your help in a much earlier thread) and now this NAS server is migrated. Eventually, the webserver will join the domain as well and perhaps then I can let Samba shared files be created with the actual user's Id as long as we retain g+rw. With the small staff (me) and limited testing time, it would have been too fraught with peril to attempt to join multiple hosts to the domain and possibly change shared file ownership, etc. In fact, my next mission is getting all users as AD users - which only a few currently are. Gotta do that before I make this Samba AD authentication real. Baby steps!