Samba with both domain and local users
I've got a sticky problem that I can't seem to figure out. I have a server set up with Samba on a Windows domain. I have it working with security=ads; shares work fine with domain users.
However, I have a share which I want to be available to non-domain users. Basically, I have some machines on the network which are not joined to the domain and must stay that way for security reasons. Ideally, they should connect to the Samba share as a local user (local to the server). Unfortunately, it seems like Samba in ads mode cannot support this - it always uses the AD server for authentication.
So I wanted to try using PAM for authentication. I have PAM working fine for SSH and GDM authentication, looking first for local users and then for domain users. However, when I set the same PAM settings for Samba, it doesn't seem to do anything at all. "obey pam restrictions = yes" is in my smb.conf file. I eventually figured out that if encrypt passwords is on (which it is by default), then Samba ignores PAM authentication entirely. However, when I put "encrypt passwords = no", then I cannot seem to authenticate at all, either with a domain user or a local user, no matter what I set the security mode to.
I have googled the problem with no luck. Does anyone have a good link or advice for how to get Samba to authenticate via PAM? Or any other way to have Samba allow connections for both domain and local users? I'd be content with having the share open (not requiring authentication), but that doesn't seem to work either. Allowing guests and setting the guest account doesn't work because even if the share allows any user to get to it, Samba still needs to authenticate the user with the AD server (at least in ads mode), meaning guest access will only work if the AD guest account is set up, which it is not.