Samba with both domain and local users

Printable View

12-02-2010
cberger

Samba with both domain and local users

I've got a sticky problem that I can't seem to figure out. I have a server set up with samba on a windows domain. I have it working with security=ads, shares work fine with domain users.

However, I have a share which I want to be available to non domain users. Basically, I have some machines on the network which are not joined to the domain and must stay that way for security reasons. Ideally, they should connect to the samba share as a local user (local to the server). Unfortunately, it seems like samba in ads mode cannot support this - it always uses the ad server for authentication.

So I wanted to try using pam for authentication. I have pam working fine for ssh and gdm authentication, looking first for local users and then for domain users. However, when I set the same pam settings for samba, it doesn't seem to do anything at all. "obey pam restrictions = yes" is in my smb.conf file. I eventually figured out that if encrpyt passwords is on (which it is by default), then samba ignores pam authentication entirely. However, when I put "encrypt passwords = no", then I cannot seem to authenticate at all, either with a domain user or a local user, no matter what I set the security mode to.

Have googled the problem with no luck. Does anyone have a good link or advice for how to get samba to authenticate via pam? Or any other way to have samba allow connections for both domain and local users? I'd be content with having the share open (not requiring authentication), but that doesn't seem to work either. Allowing guests and setting the guest account doesn't work because even if the share allows any user to get to it, samba still needs to authenticate the user with the AD server (at least in ads mode), meaning guest access will only work if the AD guest account is set up, which it is not.
12-02-2010
cberger

My smb.conf:
[global]
security = ads
# obey pam restrictions = yes
# encrypt passwords = no
# guest account = nobody
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
password server = adserver.mydomain.com
server string = File Server
log file = /var/log/samba/%m.log
max log size = 1000
dns proxy = no
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
create krb5 conf = no

template shell = /bin/bash
client use spnego = yes
domain master = no

admin users = @"MYDOMAIN/Domain Admins" MYDOMAIN/cberger
invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
inherit acls = yes
map acl inherit = yes
acl group control = yes

#share definitions (removed)

My /etc/pam.d/samba:
#%PAM-1.0
auth sufficient pam_unix2.so
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_nologin.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so

(Basically, the exact same pam definitions work fine for sshd, gdm, and login... I have a few other lines in there for stuff like creating a home directory which shouldn't be necessary for samba.)
12-08-2010
F1Fish

ADS security only allows guest for the printers.

Pam allows guest logins
You should add
hosts allow = 10.10.10.0/255.255.255.255 127.0.0.1 We are going to allow the entire 10.10.10/24 network as well as localhost.
hosts deny = all is to deny any host not listed in "hosts allow".
For some kind security.

[public]
comment = Public Folder
path = /home/public
public = yes
writable = yes
create mask = 0777
directory mask = 0777
force user = nobody
force group = no group

No authentication

Add these lines smb.conf
After removing authentication parameters
guest ok = yes allow "guest" access on the samba share. This mean users will _not_ have to log in.
guest only = yes all machines accessing the shares will be guests.
hosts allow =
hosts deny =
12-08-2010
F1Fish

On my file server. I setup samba passwords and restricted
area for users that login. The public folder are available to
both guest and domain users.

Standalone mode

#========================= Global Settings ====================

[global]

local master = no
preferred master = no
domain master = no

#### Networking ####

#hosts allow = 10.10.10.0/255.255.255.255 127.0.0.1 We are going to allow the #entire 10.10.10/24 network as well as localhost.
#hosts deny = all is to deny any host not listed in "hosts allow".
#For some kind security.

####### Authentication #######

passdb backend = tdbsam
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
encrypt passwords = yes
map to guest = Bad Password

#======================= Share Definitions ====================

[Public]
path = /home/Public Folder
writable = yes
create mask = 0777
directory mask = 0777
guest ok = yes

then set dir permissions

chmod -R 0777 /home/Public Folder
12-13-2010
cberger

Thanks for the replies. I'm having trouble figuring out exactly what I should do based on your post (because some of it seems to contradict what I'm trying to do, some of it I've already tried and failed, and some of it is irrelevant (hosts denied or allowed are already set up in my hosts.allow and hosts.deny files)). I think that the "map to guest = Bad Password" line might just help, though. I'll give it a try. :D
12-13-2010
cberger

Hoo... this looks promising. I added the "map to guest = Bad Password" line and it *appears* to be working. I can't test with the non-domain machines until later tonight (or if I have time I'll set up a virtual machine based on one of those machines), but with the share set to guest only, connecting with a domain user and creating a new folder, the folder is owned by "nobody", so it looks good, thanks.

Not as ideal as being able to authenticate as a local user alongside domain authentications, but it works.
12-13-2010
F1Fish

At this time I found nothing that allows guests on an ADS network.
My network is set up in workgroup fashion with 5 windows
systems and a samba server. No domain controller. I mapped samba
shares as drives on all systems. Using my previous post in my smb.conf
file I was able access a guest share. I add or modded these lines in my
config file and set permissions to the share without adding users to my
linux system. My test windows guest had access to only the guest share.
The guest could login to the other shares with user and password.

map to guest = Bad Password
create mask = 0777
directory mask = 0777
guest ok = yes

chmod -R 0777 /home/Public Folder
12-13-2010
cberger

I'm so confused - your three posts all say different things. So, are you saying that you DON'T know of anyway to use active directory and either guests or local (server) users on the same samba config? It seems silly... there really should be a way to get it to work. For one thing, I can't figure out why pam won't work for it. Samba should definitely be able to use pam for authentication, and I can get along perfectly fine with pam for stuff like gdm (and it works fine with both local and domain users), but the same config fails for samba.

Well, as I said in my previous post, it seems like I might have a working config to allow guest access, but you're saying it's impossible, and it might be true since I have only tested with domain computers so far.
12-13-2010
F1Fish

When you set security = ads in smb.conf file.
Samba differs to active directory settings and
ignores pam permissions. So guest acounts
must be setup active directory.

I don't use active directory becuase I have some
XP Home systems.

What I posted works with security = share.