[kwlug disc.] Authenticating both local and ADS users in Samba

Paul Nijjar paul_nijjar at yahoo.ca
Sun Feb 3 02:28:07 EST 2008


I think I am asking for impossible things again, but here goes:
is it possible for a Linux fileserver running a Samba share to do
BOTH of the following?

0. Authenticate Active Directory user accounts (where an
Active Directory with Windows 2003 has been set up already). I want
this to be transparent to the users if possible. 

1. Authenticate using a separate set of user accounts from machines
that are not members of the domain. (In my case I have a bunch of DOS
clients that are used for ghost imaging, as well as some WinXP clients
that live in a separate workgroup.)

Note that I am only talking about authenticating to a share, not
authenticating so that Active Directory users can log into shell
accounts on the Linux machine. 

I can put up smb.conf files and such on request, but at this point I
am not even sure Samba can be configured to do what I want. By
including the following in my configuration:

security = ADS
domain logons = no 

I can get the Linux machine viewed as a client on the AD network, and
other AD members can log in -- but I can't figure out how to
authenticate local users. If I go: 

security = user 

then I can get clients to log in using local accounts, but I lose
Active Directory authentication. If I try to get fancy with things like

security = ADS 
domain logons = yes 

things break in frustrating ways -- it looks like my Linux client
becomes a domain controller (which is the documented behaviour). Maybe
that is okay, but then I get other errors (e.g. problems getting
Kerberos tickets and winbind failures).

Details: I have tried Debian Etch (Samba 3.0.24) and SuSE 10.1 (also
Samba 3.0.x) on the server. I am attempting to configure users and
groups using winbind. The domain controller for the Active Directory
share is Windows 2003. 

- Paul




