#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2004
    Location
    BC, Canada
    Posts
    16
    Rep Power
    0

    Help needed to authenticate Samba shares via AD and local accounts (FreeBSD)


    Hi all! I'm running FreeBSD 5.5 and Samba 3 and I'm trying to set up my Samba server to authenticate users against local accounts and then, if there is no local account for the user, authenticate against the Active Domain. Is this possible or can I only do one or the other?

    I've tried a ton of things and can only seem to get it to authenticate against one or the other. I can kind of get this functionality using 'username map', but I'd like a solution where I don't have to have a matching local account for each Domain user, if at all possible, but where local accounts will be checked first and then, if one doesn't exist, the Domain account will be used.

    Here's my current smb.conf file which is currently only authenticating against the ADS:
    Code:
    [global]
            allow trusted domains = No
            auth methods = guest, sam, winbind
            client NTLMv2 auth = Yes
            client lanman auth = No
            client plaintext auth = No
            disable spoolss = Yes
            dns proxy = No
            domain master = No
            encrypt passwords = Yes
            hide files = /.*/
            hide special files = Yes
            hide unreadable = Yes
            hide unwriteable files = Yes
            idmap backend = rid:MYDOMAIN=2000-3000
            idmap gid = 2000-100000
            idmap uid = 2000-100000
            ldap ssl = no
            lm announce = No
            load printers = No
            local master = No
            locking = Yes
            log file = /var/log/samba/log.%m
            log level = 10 passdb:10 auth:10 winbind:10 locking:10
            max log size = 50
            ntlm auth = Yes
            null passwords = Yes
            password server = MYDOMAINSERVER
            preferred master = No
            realm = MYREALM
            security = ADS
            server signing = auto
            server string = MY.SAMBA.SERVER
            show add printer wizard = No
            socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=24576 IPTOS_THROUGHPUT
            syslog = 10
            syslog only = Yes
            template homedir = /home/%U
            template shell = /usr/local/bin/bash
            veto files = /.*/
            winbind cache time = 3600
            winbind nested groups = Yes
            winbind use default domain = Yes
            wins server = MYDOMAINSERVER
            workgroup = MYDOMAIN
    
    [testshare]
            path = /data/testshare
            valid users = MYDOMAIN\User1, MYDOMAIN\User2
            read only = No
            create mask = 0777
            directory mask = 0777

    I know there's probably junk in there I don't need, but it does at least work for ADS at the moment, so I just left it as is till I can get the other part worked out.

    Another question I had is why does Windows XP require users to type their Domain username and password the first time they try to access the Samba server but then never asks again so long as they don't reboot? Is there a way to get it to pass on the authentication or is that just how it is?

    Also, I'm having a hard time getting true file locking working between Windows XP clients and the Samba file server. I've followed the man page and everything seems to be configured correctly but still no luck. Is that just a problem with XP?

    Thanks for any help or tips, they are much appreciated!
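
A review aid for the smb.conf in the post above, added here as an example (not code from the thread or from the Samba project): it parses the file and lists the settings a reviewer would revisit before the server stays in service. The choice of checks is the editor's assumption, and the sample is a constructed excerpt of the posted config.

```python
# Constructed excerpt: a subset of the lines from the smb.conf posted above.
SAMPLE_CONF = """
[global]
        log level = 10 passdb:10 auth:10 winbind:10 locking:10
        ntlm auth = Yes
        null passwords = Yes
        server signing = auto
[testshare]
        create mask = 0777
        directory mask = 0777
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with spaces removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and line[0] not in "#;" and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return value.lower() in ("yes", "true", "1", "on")

def passes_world_write(mask):
    return int(mask, 8) & 0o002 != 0

ENFORCED = ("mandatory", "required", "force", "forced", "enforced")
# Editor's selection of settings to review, not an official Samba checklist.
CHECKS = {
    "nullpasswords": (is_yes, "accounts with empty passwords may connect"),
    "ntlmauth": (is_yes, "NTLMv1 responses are accepted, not only NTLMv2"),
    "serversigning": (lambda v: v.lower() not in ENFORCED, "SMB signing is not required"),
    "loglevel": (lambda v: int(v.split()[0]) > 3, "developer-level debug logging is on"),
    "createmask": (passes_world_write, "world-write bit passes on new files"),
    "directorymask": (passes_world_write, "world-write bit passes on new directories"),
}

def audit(text):
    """Return (section, key, reason) for each reviewed setting found in a weak state."""
    return [(section, key, why)
            for section, params in parse_smb_conf(text).items()
            for key, (is_weak, why) in CHECKS.items()
            if key in params and is_weak(params[key])]
```

Calling `audit()` on the full file works the same way; parameters it does not know are ignored, so an empty result means only that none of these six settings is in the flagged state.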
  2. #2
    Does anyone at least know the answer to this? If so I think I can live with the rest, at least for now.

    Another question I had is why does Windows XP require users to type their Domain username and password the first time they try to access the Samba server but then never asks again so long as they don't reboot? Is there a way to get it to pass on the authentication or is that just how it is?
    Thanks, appreciate it!
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    Oct 2000
    Location
    Back in the real world.
    Posts
    5,966
    Rep Power
    190
    Originally Posted by Maniac
    Does anyone at least know the answer to this? If so I think I can live with the rest, at least for now.
    Thanks, appreciate it!
    I can only help with your last question.
    Windows does cache your login credentials.
    Thus you only have to enter them once.
    This is a client-side feature.

    M.
  6. #4
    Thanks, M.Hirsch! Appreciate it.
