BSD Help
 
#1  Maniac, June 14th, 2006, 03:22 PM
Help needed to authenticate Samba shares via AD and local accounts (FreeBSD)

Hi all! I'm running FreeBSD 5.5 and Samba 3 and I'm trying to set up my Samba server to authenticate users against local accounts and then, if there is no local account for the user, authenticate against the Active Domain. Is this possible or can I only do one or the other?

I've tried a ton of things and can only seem to get it to authenticate against one or the other. I can kind of get this functionality using 'username map' but I'd like a solution where I don't have to have a matching local account for each Domain user, if at all possible, but where local accounts will be checked first and then if one doesn't exist the Domain account will be used.

Here's my current smb.conf file which is currently only authenticating against the ADS:
Code:
[global]
        allow trusted domains = No
        auth methods = guest, sam, winbind
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        disable spoolss = Yes
        dns proxy = No
        domain master = No
        encrypt passwords = Yes
        hide files = /.*/
        hide special files = Yes
        hide unreadable = Yes
        hide unwriteable files = Yes
        idmap backend = rid:MYDOMAIN=2000-3000
        idmap gid = 2000-100000
        idmap uid = 2000-100000
        ldap ssl = no
        lm announce = No
        load printers = No
        local master = No
        locking = Yes
        log file = /var/log/samba/log.%m
        log level = 10 passdb:10 auth:10 winbind:10 locking:10
        max log size = 50
        ntlm auth = Yes
        null passwords = Yes
        password server = MYDOMAINSERVER
        preferred master = No
        realm = MYREALM
        security = ADS
        server signing = auto
        server string = MY.SAMBA.SERVER
        show add printer wizard = No
        socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=24576 IPTOS_THROUGHPUT
        syslog = 10
        syslog only = Yes
        template homedir = /home/%U
        template shell = /usr/local/bin/bash
        veto files = /.*/
        winbind cache time = 3600
        winbind nested groups = Yes
        winbind use default domain = Yes
        wins server = MYDOMAINSERVER
        workgroup = MYDOMAIN

[testshare]
        path = /data/testshare
        valid users = MYDOMAIN\User1, MYDOMAIN\User2
        read only = No
        create mask = 0777
        directory mask = 0777

I know there's probably junk in there I don't need but it does at least work for ADS at the moment so I just left it as is till I can get the other part worked out.

Another question I had is why does WindowsXP require users to type their Domain username and password the first time they try to access the Samba server but then never asks again so long as they don't reboot? Is there a way to get it to pass on the authentication or is that just how it is?

Also, I'm having a hard time getting true file locking working between WindowsXP clients and the Samba file server. I've followed the man page and everything seems to be configured correctly but still no luck. Is that just a problem with XP?

Thanks for any help or tips, they are much appreciated!

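A lint pass over the authentication-related settings in the smb.conf posted above, as an added example that is not part of the original post or of Samba. The rule list and the helper names `parse_smb_conf` and `audit` are this example's own assumptions, and the sample is an excerpt of the posted file.

```python
import re

# Rules are this example's assumptions: (parameter, is_risky(value), note).
RULES = [
    ("null passwords", lambda v: v.lower() == "yes", "accounts with empty passwords can log in"),
    ("ntlm auth", lambda v: v.lower() == "yes", "NTLMv1 responses are accepted"),
    ("ldap ssl", lambda v: v.lower() in ("no", "off"), "LDAP traffic is not encrypted"),
    ("server signing", lambda v: v.lower() != "mandatory", "SMB signing is offered but not required"),
    ("log level", lambda v: max(map(int, re.findall(r"\d+", v)), default=0) > 3,
     "debug-level logging (above 3) is enabled"),
    ("create mask", lambda v: int(v, 8) & 0o002, "new files can be world-writable"),
    ("directory mask", lambda v: int(v, 8) & 0o002, "new directories can be world-writable"),
]

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased, spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[" ".join(name.lower().split())] = value.strip()
    return sections

def audit(text):
    """List (section, parameter, value, note) for every rule that matches."""
    return [(section, name, params[name], note)
            for section, params in parse_smb_conf(text).items()
            for name, is_risky, note in RULES
            if name in params and is_risky(params[name])]

# Excerpt of the smb.conf posted in the thread.
POSTED = """
[global]
        auth methods = guest, sam, winbind
        ldap ssl = no
        log level = 10 passdb:10 auth:10 winbind:10 locking:10
        ntlm auth = Yes
        null passwords = Yes
        server signing = auto
[testshare]
        create mask = 0777
        directory mask = 0777
"""
for finding in audit(POSTED):
    print("[%s] %s = %s: %s" % finding)
```
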
#2  Maniac, June 16th, 2006, 12:59 PM
Does anyone at least know the answer to this? If so I think I can live with the rest, at least for now.

Quote:
Another question I had is why does WindowsXP require users to type their Domain username and password the first time they try to access the Samba server but then never asks again so long as they don't reboot? Is there a way to get it to pass on the authentication or is that just how it is?


Thanks, appreciate it!

#3  M.Hirsch, June 20th, 2006, 06:07 PM
Quote:
Originally Posted by Maniac
Does anyone at least know the answer to this? If so I think I can live with the rest, at least for now.
Thanks, appreciate it!

I can only help with your last question.
Windows does cache your login credentials.
Thus you only have to enter them once.
This is a client-side feature.

M.
__________________
--
Manuel Hirsch - Linux, FreeBSD, programming, administration articles, tutorials and more.

#4  Maniac, June 21st, 2006, 11:55 AM
Thanks, M.Hirsch! Appreciate it.

© 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway