How to use AD authentication for normal Samba file sharing
I have a Linux Slackware64 14.2 host used for file sharing in my Active Directory domain. Although I have a Samba4 AD/DC server configured in the LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on this server does not require any ID or passwords from Windows client workstations. The current smb.conf is shown below, only one of the shares is listed.
I would like to have this file-sharing host authenticate using Active Directory authentication. That is, when the Windows user maps the shared drive, I would like it to authenticate with his/her domain credentials and not require the user to enter ID/PW on the Map Network Drive dialog.
Is this possible?
If so, I know how to make the Linux file-sharing host a domain member and do all the proper krb5 and PAM stuff (Thanks to Ivandi https://www.linuxquestions.org/quest...ba-4175583996/). What would I have to do to get the Samba file-sharing server to authenticate the user's domain credentials?
My smb.conf:
Code:
[global]
netbios name = OHPRSSTORAGE
workgroup = WORKGROUP
server string = HPRS NAS server
domain master = no
prefered master = no
security = user
map to guest = Bad User
hosts allow = 192.168.0. 127.
load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes
guest account = nevermind
log file = /var/log/samba.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
[public]
path = /mnt/RAID/public
hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/
veto oplock files = /OfficeCalendar.pst/
locking = yes
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
You'll need to join the Samba Server Box to your Domain.
Then once it is a member of the Domain, something like the following should work.
-- kjh
Code:
# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = LinuxBox
security = ADS
password server = ADDC.MYDOMAIN.COM
log file = /var/log/samba/log.%m
max log size = 50
unix extensions = No
client signing = required
local master = No
domain master = No
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind use default domain = Yes
idmap config * : range = 16777216-33554431
idmap config * : backend = tdb
cups options = raw
root preexec = /usr/local/sbin/mkhomedir.sh %U
[homes]
comment = Home Directories
read only = No
delete veto files = Yes
veto files = /.bash_history/.bashrc/.bash_profile/.bash_logout/.vimrc/
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No
[exampleshare]
comment = a comment
path = /home/exampleshare
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
# define your ADS groups
valid users = @"DOMAIN+Domain Users"
# define your ADS groups with admin rights
admin users = @"DOMAIN+Domain Admins"
I'm not entirely sure what @"DOMAIN+Domain Users" is supposed to look like. Sometimes I wish example givers would use actual examples instead of meta-language. My domain is OHPRS, so perhaps the string would be:
valid users = @"OHPRS+Domain Users"
What do you think? "domain users" is what ls shows for the group:
Code:
# ls -l /home/HPRS/mark
total 104
drwxrwx--- 15 mark domain users 4096 2017-11-14 14:08 Desktop/
drwxr-x--- 2 mark domain users 4096 2016-10-25 19:00 Documents/
drwxr-x--- 2 mark domain users 4096 2017-05-20 14:17 Downloads/
drwxrwx--- 10 mark domain users 4096 2017-09-14 10:54 Favorites/
drwxr-x--- 2 mark domain users 4096 2015-10-16 15:46 Music/
drwxrwx--- 14 mark domain users 4096 2017-11-14 14:14 My\ Documents/
`samba-tool group list` shows "Domain Users" capitalized, but the `ls` does not. Hopefully, it doesn't matter.
kjhambrick: As it turns out, the comments in my domain-member smb.conf file have "Adapted from kjhambrick's smb.conf"! That reference is from September, 2016. So, I'm using your basic config anyway.
I've joined the samba file sharing host to the domain. All wbinfo and getent tests check out OK. I've updated my smb.conf (see below), but when I try to map the drive from Windows I get "X:\ is not accessible. Access is denied." But, the mapped drive "shows" on the My Computer screen and gives the correct size and availability, but I can't see any files. If I switch the workgroup from OHPRS to WORKGROUP, I get an ID/PW dialog on the Map Network drive function, but the domain credentials don't work. I also get a "domain_client_validate: Domain password server not available" message in the SAMBASERVER:/var/log/samba/log.smbd which I don't get when the workgroup is HPRS.
I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is:
Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?
Current smb.conf
Code:
# Adapted from kjhambrick's smb.conf 2017-09-23
# Global parameters
[global]
netbios name = OHPRSSTORAGE
# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
# workgroup = WORKGROUP
# server string is the equivalent of the NT Description field
server string = HPRS NAS server
domain master = no
prefered master = no
realm = HPRS.LOCAL
workgroup = HPRS
usershare allow guests = Yes
usershare max shares = 10
security = ADS
template shell = /bin/bash
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HPRS:backend = ad
idmap config HPRS:schema_mode = rfc2307
idmap config HPRS:range = 10000-10099
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public
# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes
# set o+x to mark a file as hidden (doesn't work for folders)
map hidden = yes
# User's outlook .pst files are in a folder named "outlook"
hide files = /Outlook/outlook/~*/
# locking: https://www.samba.org/samba/docs/using_samba/ch08.html
veto oplock files = /OfficeCalendar.pst/
inherit acls = yes
valid users = @"domain users"
# guest ok = yes
# guest only = yes
locking = yes
public = yes
writeable = yes
browseable = yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
Oops ... I missed that Q and a line from your smb.conf for your public share ...
Quote:
Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?
What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?
Your smb.conf file says: valid users = @"domain users" so that may be your problem ...
HTH
-- kjh
Quote:
mfoley --
I assume kerberos is set up and you've got a ticket ?
Well, I assume so. I can wbinfo and getpwent OK.
Quote:
One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM ( substitute your AD DC Password Server )
testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.
Hmmm, even without this I *think* it's validating the domain credentials OK. But my permission is denied. Otherwise, I'm not familiar with a password server; would that simply be my AD/DC server? In my case mail.hprs.local? I'll try that.
Quote:
Another thing we added was this line to smb.conf root preexec = /usr/local/sbin/mkhomedir.sh %U
Script and instructions are below.
This way, the user's $HOME is auto-created on the Linux Side when the user successfully authenticates against the AD DC.
The script came from John Terpstra of SAMBA fame ...
No domain users actually log into this server. They only access the file share. Therefore, I don't think I need or want that. (I do something similar on actual domain members for users with automount).
Quote:
If you type: id ohprso do you get back a list of Windows Ids ?
Code:
# id ohprso
uid=1001(ohprso) gid=301(ohprs) groups=301(ohprs)
I'm just now experimenting with this AD authentication on this server. User ohprso and group ohprs are not a domain user/group. With the traditional Samba sharing, the guest account was set up with this UID.GID so users, regardless of their actual UID.GID, were mapped as ohprso.ohprs. I'm trying to accomplish something similar now as I'd still like the whole share to stay owned by ohprso.ohprs.
Quote:
Are you able to log in as ohprso via ssh ( say via a putty client on a windows box ) ?
If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...
Well, yes I can, but as mentioned ohprso is not a domain user. Its info is in /etc/passwd. Perhaps a point of confusion: ohprso.ohprs is the owner of the files in the share. It is not an actual user. Actual domain users will be e.g. mark.domain users and multiple others like that. The share is a NAS office file server so everyone accesses it and has (should have) permission to r/w all files on the share. With "classic" Samba, users connected as the guest and all files read/written to the share received ohprso.ohprs ownership.
Quote:
Originally Posted by kjhambrick
mfoley --
Oops ... I missed that Q and a line from your smb.conf for your public share ...
What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?
Your smb.conf file says: valid users = @"domain users" so that may be your problem ...
But, that was your suggestion in your 11-21-17 03:00 PM post.
Personally, I think I'm authenticating OK, and I believe the Windows map sees the share since it gets the space and usage info. I think I've got a permission problem. I'll do more experimenting with that once I get access to the server later today.
Then I tried mounting from a domain workstation and it worked! It used the AD credentials to map the drive and did not ask for ID/PW. I could see all files on the drive. I created a file on the drive from the workstation and that worked too:
Because of the 's' bit in the group permission it created it with the group ohprs, which is good. However and as expected, it created the file with the domain user's ID: 10001.
So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...
mfoley --
One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?
Could it be the idmap ranges in the smb.conf you posted earlier ?
Code:
# this ?
idmap config *:range = 2000-9999
# vs this ?
idmap config HPRS:range = 10000-10099
I dunno ... but if it's working and if you're going to 'force user' / 'force group' then good enough ...
-- kjh
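The two loose ends above, whether mfoley's idmap ranges overlap and what identity files take once `force user`/`force group` are set, can be checked mechanically; the following parser is an added example, not Samba's tooling and not code from kjh or mfoley. It embeds a constructed excerpt of mfoley's posted settings plus `force user = ohprso` and `force group = ohprs`, which are assumed here as the fix and were not confirmed in the thread.

```python
import re

# Constructed excerpt of mfoley's smb.conf plus 'force user'/'force group' (assumed fix, not from the thread)
SAMPLE = """[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config HPRS:backend = ad
   idmap config HPRS:range = 10000-10099
[public]
   valid users = @"domain users"
   force user = ohprso
   force group = ohprs
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, 'a : b' -> 'a:b'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # smb.conf comments are whole lines
            continue
        if line.startswith('['):
            section = line.strip('[]').strip().lower()
            conf[section] = {}
        elif '=' in line and section is not None:
            key, val = (s.strip() for s in line.split('=', 1))
            conf[section][re.sub(r'\s*:\s*', ':', key.lower())] = val
    return conf

def idmap_ranges(conf):
    """Map each idmap domain ('*', 'hprs', ...) to its (low, high) ID range."""
    ranges = {}
    for key, val in conf.get('global', {}).items():
        if m := re.fullmatch(r'idmap config (\S+):range', key):
            ranges[m.group(1)] = tuple(int(x) for x in val.split('-'))
    return ranges

def overlapping_ranges(ranges):
    """Pairs of idmap domains whose ranges overlap (Samba requires disjoint ranges)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def domain_for_id(ranges, uid):
    """Which idmap domain an allocated id such as mfoley's 10001 belongs to."""
    return next((d for d, (lo, hi) in ranges.items() if lo <= uid <= hi), None)

def share_identity(conf, share):
    """(force user, force group) for a share; None means files keep the domain user's id."""
    return conf[share].get('force user'), conf[share].get('force group')
```

With `force user` set, the filesystem no longer records which domain user wrote a file, so the smbd log (log.%m) becomes the only per-user record of who connected to the share.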
mfoley --
One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?
Good eye! The reason is that my `ls` is done on another server (the webserver) that mounts this directory as nfs. webserver is not currently a domain member, so these domain Ids are not known on this server. This is one reason why I wanted to map all the domain Ids to ohprso.ohprs.
We've been gradually migrating everything in the office from MS Small Business Server to Linux and Samba4. Originally, the webserver, NAS (hosting the Samba shares) and other Linux servers were not in the Windows AD domain. A couple of Linux workstations have been added to the domain (thanks in large part to your help in a much earlier thread) and now this NAS server is migrated. Eventually, the webserver will join the domain as well and perhaps then I can let Samba shared files be created with the actual user's Id as long as we retain g+rw.
With the small staff (me) and limited testing time, it would have been too fraught with peril to attempt to join multiple hosts to the domain and possibly change shared file ownership, etc. In fact, my next mission is getting all users as AD users - which only a few currently are. Gotta do that before I make this Samba AD authentication real. Baby steps!