June 14th, 2006, 04:22 PM
Help needed to authenticate Samba shares via AD and local accounts (FreeBSD)
Hi all! I'm running FreeBSD 5.5 and Samba 3 and I'm trying to setup my Samba server to authenticate users against local accounts and then if there is no local account for the user then authenticate against the Active Domain. Is this possible or can I only do one or the other?
I've tried a ton of things and can only seem to get it to authenticate against one or the other. I can kind of get this functionality using 'username map' but I'd like a solution where I don't have to have matching local account for each Domain, user if at all possible, but where local accounts will be checked first and then if one doesn't exist the Domain account will be used.
Here's my current smb.conf file which is currently only authenticating against the ADS:
I know there's probably junk in there I don't need but it does at least work for ADS at the moment so I just left it as is till I can get the other part worked out.
allow trusted domains = No
auth methods = guest, sam, winbind
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
disable spoolss = Yes
dns proxy = No
domain master = No
encrypt passwords = Yes
hide files = /.*/
hide special files = Yes
hide unreadable = Yes
hide unwriteable files = Yes
idmap backend = rid:MYDOMAIN=2000-3000
idmap gid = 2000-100000
idmap uid = 2000-100000
ldap ssl = no
lm announce = No
load printers = No
local master = No
locking = Yes
log file = /var/log/samba/log.%m
log level = 10 passdb:10 auth:10 winbind:10 locking:10
max log size = 50
ntlm auth = Yes
null passwords = Yes
password server = MYDOMAINSERVER
preferred master = No
realm = MYREALM
security = ADS
server signing = auto
server string = MY.SAMBA.SERVER
show add printer wizard = No
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=24576 IPTOS_THROUGHPUT
syslog = 10
syslog only = Yes
template homedir = /home/%U
template shell = /usr/local/bin/bash
veto files = /.*/
winbind cache time = 3600
winbind nested groups = Yes
winbind use default domain = Yes
wins server = MYDOMAINSERVER
workgroup = MYDOMAIN
path = /data/testshare
valid users = MYDOMAIN\User1, MYDOMAIN\User2
read only = No
create mask = 0777
directory mask = 0777
Another question I had is why does WindowsXP require users to type their Domain username and password the first time they try to access the Samba server but then never asks again so long as they don't reboot? Is there a way to get it to pass on the authentication or is that just how it is?
Also, I'm having a hard time getting true file locking working between WindowsXP clients and the Samba file server. I've followed the man page and everything seems to be configured correctly but still no luck. Is that just a problem with XP?
Thanks for any help or tips, they are much appreciated!
June 16th, 2006, 01:59 PM
Does anyone at least know the answer to this? If so I think I can live with the rest, at least for now.
Thanks, appreciate it!
June 20th, 2006, 07:07 PM
I can only help with your last question.
Originally Posted by Maniac
Windows does cache your login credentials.
Thus you only have to enter them once.
This is a client-side feature.
June 21st, 2006, 12:55 PM
Thanks, M.Hirsch! Appreciate it.