Linux – Must have local user to authenticate Samba to AD

Tags: active-directory, linux, samba

I've got a CentOS 5.3 server with Samba running. I've joined this server to my domain in the hopes of allowing AD users some access to my Samba shares. I've found that this works, but only as long as the AD username that I'm trying to authenticate with is also a local user on the server. In other words, if I'm trying to access a share, and try to authenticate with the AD username "joe", I get errors unless I create a user named "joe" on the server. I don't have to create a matching password or anything... the local user's password is always blank, so I do know that the authentication is actually happening against the AD.

Here's my smb.conf file:

[global]
    workgroup = <mydomain>
    server string = <snip>
    netbios name = HOME
    security = ADS
    realm = <mydomain.com>
    password server = <snip>
    auth methods = winbind
    log level = 1
    log file = /var/log/samba/%m.log

[amore]
    path = /var/www/amore
    browseable = yes
    writable = yes
    valid users = DOMAIN\user1 DOMAIN\user2 DOMAIN\user3 DOMAIN\user4

I would assume that my kerberos settings are fine, as I've joined the domain and can use wbinfo to see users and groups. However, I can provide that info if necessary.

Anyone have any ideas?

Best Answer

Fundamentally, Linux uses UID/GID values in its access control system, while the Windows NT operating system family uses Security Identifiers (SIDs) in its access control system.

The Windows Server 2003 R2 Active Directory along with "Services for Unix" (which provides the RFC2307bis schema) can store UID/GID values for each user in the directory and Samba is capable of using these values (or, so I've read; I've never actually tried it, but multiple docs I've read say that it works well).

If you're not storing UID/GID values in a directory service then you'll need a mechanism to deterministically map between these two unlike identifier systems. The "idmap" functionality of "winbind" is typically used to perform this mapping. Have a look at the following articles to get some idea of the functionality:
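To make the answer's point concrete, here is what the missing SID-to-UID mapping looks like in practice. This is an added example, not the asker's file and not from the answer above: it assumes the Samba 3.0.x that ships with CentOS 5, a domain called DOMAIN, and an arbitrary 10000-20000 idmap range; change those to match your environment. The symptom in the question (an AD user only works once a same-named local account exists) is exactly what happens when winbind has no idmap range and is not wired into nsswitch, because the only place Samba can then find a UID for "joe" is the local passwd file.

```ini
# smb.conf fragment - added example, not the poster's configuration.
# DOMAIN, DOMAIN.COM and the 10000-20000 range are assumptions.
[global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    security = ADS

    # Weak/missing configuration: no idmap range at all. winbind then has
    # no UID/GID to allocate for an AD SID, so Samba falls back to the
    # local passwd/group files - hence the need for a local "joe".
    #
    # Corrected configuration: give winbind a UID/GID range to allocate
    # from, so each AD SID is deterministically mapped to a Unix ID
    # (Samba 3.0.x syntax; the mapping is persisted in winbindd_idmap.tdb).
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # Let "getent passwd" / "getent group" enumerate AD users and groups.
    winbind enum users = yes
    winbind enum groups = yes

    # Optional: accept "joe" as well as "DOMAIN\joe" at the share.
    winbind use default domain = yes

    # Mapped users still need a home directory and shell to be sane
    # passwd entries; %D is the domain, %U the user.
    template homedir = /home/%D/%U
    template shell = /bin/bash

# The other half lives in /etc/nsswitch.conf (assumed file contents),
# otherwise the OS itself never asks winbind about a name:
#   passwd: files winbind
#   group:  files winbind
#
# Verification after "service winbind restart" (assumed commands, run as root):
#   wbinfo -u                      # lists AD users via winbind
#   getent passwd 'DOMAIN\joe'     # must return an entry with a UID in 10000-20000
#   id 'DOMAIN\joe'                # same UID, plus mapped AD groups
# If getent returns nothing while wbinfo -u works, nsswitch.conf is the
# part still missing; if wbinfo -u itself fails, the domain join or
# winbindd is the problem, not idmap.
```

The practical check is the `getent passwd` line: until it returns the AD user without a local account existing, Samba cannot assign ownership on the share and every access will fail regardless of how authentication went.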