LinuxQuestions.org
Old 11-20-2017, 08:25 PM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

How to use AD authentication for normal Samba file sharing


I have a Linux Slackware64 14.2 host used for file sharing in my Active Directory domain. Although I have a Samba4 AD/DC server configured in the LAN, this file-sharing host is not currently a domain member. Right now, the smb.conf set up on this server does not require any ID or passwords from Windows client workstations. The current smb.conf is shown below, only one of the shares is listed.

I would like to have this file-sharing host authenticate using Active Directory authentication. That is, when the Windows user maps the shared drive, I would like it to authenticate with his/her domain credentials and not require the user to enter ID/PW on the Map Network Drive dialog.

Is this possible?

If so, I know how to make the Linux file-sharing host a domain member and do all the proper krb5 and PAM stuff (Thanks to Ivandi https://www.linuxquestions.org/quest...ba-4175583996/). What would I have to do to get the Samba file-sharing server to authenticate the user's domain credentials?

My smb.conf:
Code:
[global]
netbios name = OHPRSSTORAGE
   workgroup = WORKGROUP
   server string = HPRS NAS server

domain master = no
prefered master = no

   security = user
   map to guest = Bad User

   hosts allow = 192.168.0. 127.

load printers = no
printcap name = /dev/null
printing = bsd
disable spoolss = yes

guest account = nevermind

   log file = /var/log/samba.%m
   max log size = 50

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   dns proxy = no 

[public]
path = /mnt/RAID/public

hide dot files = yes
map hidden = yes
hide files = /Outlook/outlook/~*/

veto oplock files = /OfficeCalendar.pst/
locking = yes
public = yes
guest ok = yes
guest only = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771

Last edited by mfoley; 11-20-2017 at 08:26 PM.
 
Old 11-21-2017, 06:00 AM   #2
koloth
Member
 
Registered: Jun 2004
Location: Athens, Greece
Distribution: Slack@Home - RHEL@Work
Posts: 150

I recall samba having a "password server" parameter in [global].
I'm not sure if it can be used per share but I guess it is worth a look
 
Old 11-21-2017, 07:35 AM   #3
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

mfoley --

Yes, it is possible.

You'll need to join the Samba Server Box to your Domain.

Then once it is a member of the Domain, something like the following should work.

-- kjh

Code:
# testparm

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = LinuxBox
        security = ADS
        password server = ADDC.MYDOMAIN.COM
        log file = /var/log/samba/log.%m
        max log size = 50
        unix extensions = No
        client signing = required
        local master = No
        domain master = No
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind use default domain = Yes
        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        cups options = raw
        root preexec = /usr/local/sbin/mkhomedir.sh %U

[homes]
        comment = Home Directories
        read only = No
        delete veto files = Yes
        veto files = /.bash_history/.bashrc/.bash_profile/.bash_logout/.vimrc/
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No
 
Old 11-21-2017, 12:27 PM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Thanks for the feedback. I also found this: https://www.howtoforge.com/samba_active_directory, but in addition to the similar items in your example smb.conf it has:
Code:
[exampleshare]         
	comment = a comment         
	path = /home/exampleshare         
	browseable = yes         
	read only = no         
	inherit acls = yes         
	inherit permissions = yes         
	create mask = 700         
	directory mask = 700         
	valid users = @"DOMAIN+Domain Users"   <-- define your ADS groups         
	admin users = @"DOMAIN+Domain Admins"  <-- define your ads groups with admin rights
I'm not entirely sure what @"DOMAIN+Domain Users" is supposed to look like. Sometimes I wish example givers would use actual examples instead of meta-language. My domain is OHPRS, so perhaps the string would be:

valid users = @"OHPRS+Domain Users"

What do you think? "domain users" is what ls shows for the group:
Code:
# ls -l /home/HPRS/mark
total 104
drwxrwx--- 15 mark domain users 4096 2017-11-14 14:08 Desktop/
drwxr-x---  2 mark domain users 4096 2016-10-25 19:00 Documents/
drwxr-x---  2 mark domain users 4096 2017-05-20 14:17 Downloads/
drwxrwx--- 10 mark domain users 4096 2017-09-14 10:54 Favorites/
drwxr-x---  2 mark domain users 4096 2015-10-16 15:46 Music/
drwxrwx--- 14 mark domain users 4096 2017-11-14 14:14 My\ Documents/
`samba-tool group list` shows "Domain Users" capitalized, but the `ls` does not. Hopefully, it doesn't matter.

Last edited by mfoley; 11-21-2017 at 12:30 PM.
 
Old 11-21-2017, 02:00 PM   #5
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

mfoley --

Our smb.conf file includes winbind use default domain = Yes so users can log in by name only ( no domain necessary ).

In that case valid users = @"domain users"

EDIT[1]: Case does not matter.

EDIT[2]: If you've already joined the domain, wbinfo -g will show groups as it sees them

example:
Code:
# wbinfo -g |grep -i domain

domain computers
domain guests
domain users
domain admins
domain controllers
read-only domain controllers
cloneable domain controllers
enterprise read-only domain controllers
without winbind use default domain = Yes you would see:
Code:
# wbinfo -g |grep -i domain

MYDOMAIN+domain computers
MYDOMAIN+domain users
MYDOMAIN+domain guests
MYDOMAIN+domain admins
MYDOMAIN+domain controllers
MYDOMAIN+exchange domain servers
MYDOMAIN+read-only domain controllers
MYDOMAIN+enterprise read-only domain controllers
What you see is what you use in smb.conf ...

-- kjh

Last edited by kjhambrick; 11-21-2017 at 02:49 PM.
 
Old 11-24-2017, 05:14 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
kjhambrick: As it turns out, the comments in my domain-member smb.conf file have "Adapted from kjhambrick's smb.conf"! That reference is from September, 2016. So, I'm using your basic config anyway.

I've joined the samba file sharing host to the domain. All wbinfo and getent tests check out OK. I've updated my smb.conf (see below), but when I try to map the drive from Windows I get "X:\ is not accessible. Access is denied." But, the mapped drive "shows" on the My Computer screen and gives the correct size and availability, but I can't see any files. If I switch the workgroup from OHPRS to WORKGROUP, I get an ID/PW dialog on the Map Network drive function, but the domain credentials don't work. I also get a "domain_client_validate: Domain password server not available" message in the SAMBASERVER:/var/log/samba/log.smbd which I don't get when the workgroup is HPRS.

I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is:
Code:
# ls -l /mnt/RAID/public/
total 432512
-rw-rw----     1 ohprso ohprs    552110 2017-10-31 15:48 2017-10-31-Windows7x32.pdf
-rw-rw----     1 ohprso ohprs     38912 2017-10-31 01:24 2017.10.19\ Investment\ Committee\ Minutes\ (draft).doc
drwxrws--x     2 ohprso ohprs      4096 2017-03-01 13:06 AA\ Mark\ Foley\ doc/
-rw-rw----     1 ohprso ohprs    216576 2016-12-28 15:51 ActiveContribTotals.xls
drwxr-xr-x    17 ohprso ohprs      4096 2016-10-03 10:40 Archives/
drwxr-xr-x    28 ohprso ohprs      4096 2017-11-01 11:19 Board\ of\ Trustees/
-rw-rw----     1 ohprso ohprs   1329862 2017-01-31 10:56 CHARMAINE.png
Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?

Current smb.conf
Code:
# Adapted from kjhambrick's smb.conf 2017-09-23
# Global parameters
[global]
netbios name = OHPRSSTORAGE

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
#   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = HPRS NAS server

domain master = no
prefered master = no

        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

       winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes
# set o+x to mark a file as hidden (doesn't work for folders)
map hidden = yes
# User's outlook .pst files are in a folder named "outlook"
hide files = /Outlook/outlook/~*/

# locking: https://www.samba.org/samba/docs/using_samba/ch08.html
veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

# guest ok = yes
# guest only = yes

locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771

Last edited by mfoley; 11-24-2017 at 05:16 PM.
 
Old 11-25-2017, 06:28 AM   #7
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

mfoley --

I assume kerberos is set up and you've got a ticket ?

One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM ( substitute your AD DC Password Server )

testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.

Another thing we added was this line to smb.conf root preexec = /usr/local/sbin/mkhomedir.sh %U

Script and instructions are below.

This way, the user's $HOME is auto-created on the Linux Side when the user successfully authenticates against the AD DC.

The script came from John Terpstra of SAMBA fame ...

If you type: id ohprso do you get back a list of Windows Ids ?

Are you able to log in as ohprso via ssh ( say via a putty client on a windows box ) ?

If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...

HTH ...

-- kjh

This is /usr/local/sbin/mkhomedir.sh

Code:
#!/bin/bash
#
# from John Terpstra - http://lists.samba.org/archive/samba/2005-June/106958.html
#
# chown root:root          /usr/local/sbin/mkhomedir.sh
# chmod u=rwsx,g=rwx,o-rwx /usr/local/sbin/mkhomedir.sh
#
# Invoked from smb.conf as "root preexec = /usr/local/sbin/mkhomedir.sh %U",
# so $1 is the name of the user who just authenticated (%U).
TheDir="/home/$1"

# Only create the home directory the first time this user connects.
if [ ! -e "$TheDir" ]
then
   cp -pR /etc/skel "$TheDir"
   # quote $1 as well, so a user name with unusual characters stays one word
   chown -R "$1":"domain users" "$TheDir"
   chmod 700 "$TheDir"
fi
 
Old 11-25-2017, 06:42 AM   #8
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

Quote:
Originally Posted by mfoley
I suspect workgroup OHPRS is correct because it appears to successfully validate the A/D credentials. I further suspect that the "access denied" message is because the actual owner of the shared files is ohprso.ohprs, not whatever domain user has mapped from Windows. E.g. I'm mapping from user 'mark.Domain Users', the shared samba mount is:
Code:
# ls -l /mnt/RAID/public/
total 432512
-rw-rw----     1 ohprso ohprs    552110 2017-10-31 15:48 2017-10-31-Windows7x32.pdf
-rw-rw----     1 ohprso ohprs     38912 2017-10-31 01:24 2017.10.19\ Investment\ Committee\ Minutes\ (draft).doc
drwxrws--x     2 ohprso ohprs      4096 2017-03-01 13:06 AA\ Mark\ Foley\ doc/
-rw-rw----     1 ohprso ohprs    216576 2016-12-28 15:51 ActiveContribTotals.xls
drwxr-xr-x    17 ohprso ohprs      4096 2016-10-03 10:40 Archives/
drwxr-xr-x    28 ohprso ohprs      4096 2017-11-01 11:19 Board\ of\ Trustees/
-rw-rw----     1 ohprso ohprs   1329862 2017-01-31 10:56 CHARMAINE.png
mfoley --

Oops ... I missed that Q and a line from your smb.conf for your public share ...

Quote:
Do you agree this is the problem? If so, is there a way to change the client user to be UID/GID ohprso.ohprs (kind of like the anonuid/anongid settings of nfs)?
What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?

Your smb.conf file says: valid users = @"domain users" so that may be your problem ...

HTH

-- kjh

Quote:
Current smb.conf
Code:
# Adapted from kjhambrick's smb.conf 2017-09-23
# Global parameters
[global]
netbios name = OHPRSSTORAGE

# workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
#   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = HPRS NAS server

domain master = no
prefered master = no

        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

       winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

[public]
comment = OHPRS main file and document repository
path = /mnt/RAID/public

# for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
hide dot files = yes
# set o+x to mark a file as hidden (doesn't work for folders)
map hidden = yes
# User's outlook .pst files are in a folder named "outlook"
hide files = /Outlook/outlook/~*/

# locking: https://www.samba.org/samba/docs/using_samba/ch08.html
veto oplock files = /OfficeCalendar.pst/

inherit acls = yes
valid users = @"domain users"

# guest ok = yes
# guest only = yes

locking = yes
public = yes
writeable = yes
browseable= yes
printable = no
create mask = 0660
force create mode = 0660
directory mask = 0771
 
Old 11-25-2017, 11:06 AM   #9
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Lotta comments! Thanks ...
Quote:
Originally Posted by kjhambrick
mfoley --
I assume kerberos is set up and you've got a ticket ?
Well, I assume so. I can wbinfo and getpwent OK.
Quote:
One thing we had to add to /etc/samba/smb.conf is password server = ADDC.MYDOMAIN.COM ( substitute your AD DC Password Server )
testparm complains but it had to be in /etc/samba/smb.conf to get logged in and to map shares.
Hmmm, even without this I *think* it's validating the domain credentials OK. But my permission is denied. Otherwise, I'm not familiar with a password server, would that simply be my AD/DC server? In my case mail.hprs.local? I'll try that.
Quote:
Another thing we added was this line to smb.conf root preexec = /usr/local/sbin/mkhomedir.sh %U

Script and instructions are below.

This way, the user's $HOME is auto-created on the Linux Side when the user successfully authenticates against the AD DC.

The script came from John Terpstra of SAMBA fame ...
No domain users actually log into this server. They only access the file share. Therefore, I don't think I need or want that. (I do something similar on actual domain members for users with automount).
Quote:
If you type: id ohprso do you get back a list of Windows Ids ?
Code:
# id ohprso
uid=1001(ohprso) gid=301(ohprs) groups=301(ohprs)
I'm just now experimenting with this AD authentication on this server. User ohprso and group ohprs are not a domain user/group. With the traditional Samba sharing, the guest account was set up with this UID.GID so users, regardless of their actual UID.GID, were mapped as ohprso.ohprs. I'm trying to accomplish something similar now as I'd still like the whole share to stay owned by ohprso.ohprs.
Quote:
Are you able to log in as ohprso via ssh ( say via a putty client on a windows box ) ?

If you've got your ids and you can log in via ssh with a windows Domain User, samba should work too ...
Well, yes I can, but as mentioned ohprso is not a domain user. Its info is in /etc/passwd. Perhaps a point of confusion. ohprso.ohprs is the owner of the files in the share. It is not an actual user. Actual domain users will be e.g. mark.domain users and multiple others like that. The share is a NAS office file server so everyone accesses it and has (should have) permission to r/w all files on the share. With "classic" Samba, users connected as the guest and all files read/written to the share received ohprso.ohprs ownership.
Quote:
Originally Posted by kjhambrick
mfoley --
Oops ... I missed that Q and a line from your smb.conf for your public share ...

What are Permissions and ownership of the /mnt/RAID/public directory ( ls -lad /mnt/RAID/public/ ) ?
Code:
# ls -lad /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-22 20:44 /mnt/RAID/public//
Quote:
Your smb.conf file says: valid users = @"domain users" so that may be your problem ...
But, that was your suggestion in your 11-21-17 03:00 PM post.

Personally, I think I'm authenticating OK, and I believe the Windows map sees the share since it gets the space and usage info. I think I've got a permission problem. I'll do more experimenting with that once I get access to the server later today.

Last edited by mfoley; 11-25-2017 at 11:13 AM.
 
Old 11-25-2017, 01:24 PM   #10
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

mfoley --

What happens if you: chown -R mark:'domain users' /mnt/RAID/public/

Are you able to access the share from your Windows PeeCee ?

-- kjh
 
Old 11-27-2017, 04:47 PM   #11
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
YES! I didn't do a chown -R since this is the main office shared network drive and that might mess everybody up. But I did do:
Code:
# chmod o+rw /mnt/RAID/public

# ls -ld /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-27 17:29 /mnt/RAID/public//
Then I tried mounting from a domain workstation and it worked! It used the AD credentials to map the drive and did not ask for ID/PW. I could see all files on the drive. I created a file on the drive from the workstation and that worked too:
Code:
ls -l /mnt/public/rainInSpain.txt
-rw-rw----    1  10001 ohprs        19 2017-11-27 17:29 rainInSpain.txt
Because of the 's' bit in the group permission it created it with the group ohprs, which is good. However, and as expected, it created the file with the domain user's ID: 10001.

So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...

Last edited by mfoley; 11-27-2017 at 11:09 PM.
 
Old 11-27-2017, 10:32 PM   #12
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
OK, I believe I've figured this out!
Code:
force user ohprso
force group ohprs
That appeared to work!

Does anyone see a problem?
 
Old 11-28-2017, 05:42 AM   #13
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

Quote:
Originally Posted by mfoley
OK, I believe I've figured this out!
Code:
force user ohprso
force group ohprs
That appeared to work!

Does anyone see a problem?
mfoley --

That shouldn't be a problem -- it works for us in a similar setup.

We do the same sort of force * for 'secured shares' ( shares where only members of a select group are allowed access )

-- kjh
 
Old 11-28-2017, 07:06 AM   #14
kjhambrick
Senior Member
 
Registered: Jul 2005
Location: Round Rock, TX
Distribution: Slackware64 15.0 + Multilib
Posts: 2,159

Quote:
Originally Posted by mfoley
YES! I didn't do a chown -R since this is the main office shared network drive and that might mess everybody up. But I did do:
Code:
# chmod o+rw /mnt/RAID/public

# ls -ld /mnt/RAID/public/
drwxrws--x 21 ohprso ohprs 8192 2017-11-27 17:29 /mnt/RAID/public//
Then I tried mounting from a domain workstation and it worked! It used the AD credentials to map the drive and did not ask for ID/PW. I could see all files on the drive. I created a file on the drive from the workstation and that worked too:
Code:
ls -l /mnt/public/rainInSpain.txt
-rw-rw----    1  10001 ohprs        19 2017-11-27 17:29 rainInSpain.txt
Because of the 's' bit in the group permission it created it with the group ohprs, which is good. However, and as expected, it created the file with the domain user's ID: 10001.

So, is there a way in samba to map ALL client users to ohprso? I'll do some more research ...
mfoley --

One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?

Could it be the idmap ranges in the smb.conf you posted earlier ?
Code:
# this ?
  idmap config *:range = 2000-9999
# vs this ?
  idmap config HPRS:range = 10000-10099
I dunno ... but if it's working and if you're going to 'force user' / 'force group' then good enough ...
-- kjh
 
Old 11-28-2017, 07:35 AM   #15
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 2,555

Original Poster
Quote:
Originally Posted by kjhambrick
mfoley --
One thing I just now noticed that's a little confusing to me is why AD id = 10001 does not resolve to the AD User's Name ?
Good eye! The reason is that my `ls` is done on another server (the webserver) that mounts this directory as nfs. webserver is not currently a domain member, so these domain Ids are not known on this server. This is one reason why I wanted to map all the domain Ids to ohprso.ohprs.

We've been gradually migrating everything in the office from MS Small Business Server to Linux and Samba4. Originally, the webserver, NAS (hosting the Samba shares) and other Linux servers were not in the Windows AD domain. A couple of Linux workstations have been added to the domain (thanks in large part to your help in a much earlier thread) and now this NAS server is migrated. Eventually, the webserver will join the domain as well and perhaps then I can let Samba shared files be created with the actual user's Id as long as we retain g+rw.

With the small staff (me) and limited testing time, it would have been too fraught with peril to attempt to join multiple hosts to the domain and possibly change shared file ownership, etc. In fact, my next mission is getting all users as AD users - which only a few currently are. Gotta do that before I make this Samba AD authentication real. Baby steps!
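The idmap question raised in posts #14 and #15 (uid 10001 showing up unresolved) comes down to which idmap range an id falls in on the host doing the lookup. The following POSIX sh script is an added example, not code from this thread or from Samba: it parses the `idmap config DOMAIN:range` lines out of an smb.conf, checks that the ranges are well-formed and disjoint (overlapping ranges let ids from two backends collide), and reports which range a given numeric id belongs to. The config text is constructed here, modelled on the [global] section posted above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check smb.conf idmap ranges and
# classify a numeric id. An id that lands in no range on a host (e.g. the
# non-member webserver mounting the share over NFS) cannot be resolved to a
# name there, which matches the bare "10001" in the ls output above.

# Constructed config, modelled on the [global] section posted in this thread.
SAMPLE_SMB_CONF='[global]
   realm = HPRS.LOCAL
   workgroup = HPRS
   security = ADS
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099
   winbind use default domain = Yes'

# Constructed broken config: the default (*) range overlaps the HPRS range.
OVERLAP_SMB_CONF='[global]
  idmap config *:range = 2000-9999
  idmap config HPRS:range = 9000-10099'

# Filter: read smb.conf text on stdin, print "DOMAIN LOW HIGH" for every
# "idmap config DOMAIN:range = LOW-HIGH" line (spaces around ":" allowed,
# so both "*:range" and "* : range" spellings seen in this thread match).
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p'
}

# check_idmap_ranges CONFIG_TEXT
# Returns 0 when every range has low <= high and no two ranges overlap;
# otherwise prints each problem and returns 1.
check_idmap_ranges() {
    printf '%s\n' "$1" | idmap_ranges | awk '
        {
            dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
            if (lo[NR] > hi[NR]) {
                printf "bad range for %s: %s-%s\n", $1, $2, $3; bad = 1
            }
        }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            if (bad) exit 1
            exit 0
        }'
}

# idmap_domain_for_id CONFIG_TEXT ID
# Prints the idmap domain whose range contains ID, or NONE if no range does
# (a local /etc/passwd account such as uid 1001 "ohprso" prints NONE).
idmap_domain_for_id() {
    printf '%s\n' "$1" | idmap_ranges | awk -v id="$2" '
        BEGIN { id = id + 0 }
        $2 + 0 <= id && id <= $3 + 0 { print $1; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# Demonstration on the constructed configs.
check_idmap_ranges "$SAMPLE_SMB_CONF" && echo "sample: idmap ranges OK"
echo "uid 10001 -> $(idmap_domain_for_id "$SAMPLE_SMB_CONF" 10001)"
echo "uid 1001  -> $(idmap_domain_for_id "$SAMPLE_SMB_CONF" 1001)"
check_idmap_ranges "$OVERLAP_SMB_CONF" || echo "overlap sample rejected"
```

Run it against the real file with `check_idmap_ranges "$(cat /etc/samba/smb.conf)"` on the member server; the same id checked on a host that has no such ranges comes back NONE, which is exactly why the webserver's `ls` printed a bare number.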
 
Tags
active directory, samba, sharing