# [Samba] Local Groups with Domain Users

## Bitspyer

Hi!

I got a strange problem...

I have a domain member server with some shares... and I need a local group with domain users.

But when I try to authenticate against the local group, nothing happened.

`getent passwd` and `getent group` give me the complete users and groups of the domain.

*Quote:*

> check_ntlm_password:  authentication for user [tester] -> [tester] -> [DOMAIN\tester] succeeded
> [2009/08/11 09:16:36,  2] lib/access.c:check_access(406)
> ...

You see, the authentication with the domain user works, but there is no permission for the share.

*Quote:*

> [transfer]
>         path = /Samba/transfer
> ...

With `usermod -G orbiters -a DOMAIN\testuser` I successfully added the user to the local group, but I get no permission. When tester is a member of DOMAIN\sambawrite, I get permission, but this is not what I want.

Another problem is when I try to connect to the member server directly.

For listing the local groups as root:

```
net rpc group list
Enter root's password: ********
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED
```

And I don't find or see the problem!

Please, can anyone help?

Greetz,

Bitspyer

----------

## aceFruchtsaft

Try prefixing @orbiters with the local machine name. I don't know what the current default behavior is (as it changed some time ago), but maybe Samba assumes that this is a domain group if its name is not fully qualified.

Concerning root access:  do you have a root user in the PDC's SAM database? If not, it's hardly surprising that authentication fails.

----------

## Bitspyer

*aceFruchtsaft wrote:*

> Concerning root access: do you have a root user in the PDC's SAM database? If not, it's hardly surprising that authentication fails.

I tried to connect to the domain member server and its local users and groups... The domain member server has a local user named root....

----------

## aceFruchtsaft

*Bitspyer wrote:*

> *aceFruchtsaft wrote:*
> > Concerning root access: do you have a root user in the PDC's SAM database? If not, it's hardly surprising that authentication fails.
>
> I tried to connect to the domain member server and its local users and groups... The domain member server has a local user named root....

As I understand this, it is not sufficient that the domain member server has a local unix user.

Without knowing your smb.conf, I assume you specified security = domain; consequently, smbd on the MS will authenticate users against the PDC, and not against the local user database (as is the case if you use security = user).

Consequently, you need a root user in the PDC's user database (be it ldapsam or tdbsam) with an NTLM-hashed password.

----------

## Bitspyer

smb.conf

*Quote:*

> dos charset = 850
>         unix charset = UTF-8
> ...

OK, now I try to list the groups of a domain admin. As far as I know, a domain admin is a member of the local admins.

The following was entered at the domain member server:

```
orbitalrat # net rpc group list global -U TESTDOMAIN+admin-test
Enter TESTDOMAIN+admin-test's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED
```

----------

## aceFruchtsaft

*Bitspyer wrote:*

> OK, now I try to list the groups of a domain admin. As far as I know, a domain admin is a member of the local admins.

Not necessarily. This is the case on Windows, not Samba. Samba tries to imitate this behavior by creating the BUILTIN\Administrators and BUILTIN\Domain Users groups locally and adding the respective domain groups to these local groups. However, this only works if you have winbind properly configured and is not even needed for what you are trying to accomplish.

For example, I have a domain member server:

```
[global]
        workgroup = FOO
        netbios name = PHAIDON
        server string = Phaidon
        security = domain
        password server = *
        wins server = trillian
        log level = 2
        syslog = 0
        log file = /var/log/samba/%m.log
```

which is all that is needed.

When I run

```
# net rpc group list -S phaidon -U root
```

I see on the member server:

```
[2009/08/12 20:59:04,  2] lib/access.c:check_access(406)
  Allowed connection from 10.88.1.117 (10.88.1.117)
[2009/08/12 21:01:06,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
```

and on the PDC:

```
[2009/08/12 21:01:06, 2, pid=28500] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/08/12 21:01:06, 2, pid=28500] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2009/08/12 21:01:06, 2, pid=28500] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
```

As you can see, the authentication is passed to the PDC and the PDC then checks it against its local SAM database, which happens to be openldap in this case.

So obviously there must be an ldap entry for root:

```
2013 # ldapsearch "(uid=root)"
Enter LDAP Password:
dn: uid=root,ou=Users,dc=foo
uid: root
sambaSID: S-1-5-21-3106152489-2881007552-2016175788-1000
displayName: root
sambaLMPassword: 
sambaNTPassword: 
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1211126932
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
```

The crucial point here is that the root account used to list groups on the member server is not a local account from Samba's point of view, but a regular domain account (and therefore you have to use the root password from the PDC's SAM database, not the local root password!). Samba does not care at all about local Unix accounts for authentication; it needs those only to determine file access. I am not sure whether / how you can create a local Samba account with security = domain.

Actually I think this question is too Samba-specific for a Gentoo forum. I'd suggest you consult the Samba mailing list if the problem persists.

----------
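To read the level-2 smbd log lines quoted in this thread (Bitspyer's first quote and aceFruchtsaft's member-server and PDC excerpts) in a structured way, here is an added Python parser; it is not from the thread or from Samba, and `SAMPLE_LOG` is a constructed reassembly of the lines quoted above. It pairs each `[timestamp, level, pid]` header with the indented message line below it and extracts the `[client] -> [mapped] -> [final]` user chain from `check_ntlm_password` and the verdict from `check_access`, so you can see at a glance which account name authentication ended on and whether it carried a domain prefix.

```python
import re

# smbd log-level-2 header, with or without the pid= field seen in the PDC log, e.g.
#   [2009/08/12 21:01:06,  2] auth/auth.c:check_ntlm_password(308)
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)"
                       r"(?:,\s*pid=(?P<pid>\d+))?\]\s+(?P<where>\S+)\s*$")
AUTH_RE = re.compile(r"check_ntlm_password:\s+authentication for user \[(?P<client>[^\]]*)\]"
                     r" -> \[(?P<mapped>[^\]]*)\] -> \[(?P<final>[^\]]*)\] (?P<result>succeeded|failed)")
ACCESS_RE = re.compile(r"(?P<verdict>Allowed|Denied) connection from (?P<addr>\S+)")

def parse_log(text: str) -> list:
    """Pair each header line with the message line that follows it; one dict per event."""
    events, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        if header is None or not line.strip():
            continue
        event = {"ts": header["ts"], "where": header["where"],
                 "pid": int(header["pid"]) if header["pid"] else None}
        auth, access = AUTH_RE.search(line), ACCESS_RE.search(line)
        if auth:
            event.update(auth.groupdict(), kind="auth")
            # The third bracket is the name smbd finally used; record whether it
            # carries a DOMAIN\ prefix (tester did, root did not, in the quoted logs).
            event["domain_qualified"] = "\\" in event["final"]
        elif access:
            event.update(access.groupdict(), kind="access")
        else:
            event.update(kind="other", msg=line.strip())
        events.append(event)
        header = None
    return events

def auth_outcomes(events: list) -> dict:
    return {e["final"]: e["domain_qualified"] for e in events if e["kind"] == "auth"}

# Constructed sample assembled from the log lines quoted in this thread.
SAMPLE_LOG = """\
[2009/08/11 09:16:36,  2] auth/auth.c:check_ntlm_password(308)
  check_ntlm_password:  authentication for user [tester] -> [tester] -> [DOMAIN\\tester] succeeded
[2009/08/11 09:16:36,  2] lib/access.c:check_access(406)
  Allowed connection from 10.88.1.117 (10.88.1.117)
[2009/08/12 21:01:06, 2, pid=28500] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2009/08/12 21:01:06, 2, pid=28500] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
"""
```

Running `parse_log(SAMPLE_LOG)` yields four events; a successful `auth` event immediately followed by an `access` verdict, as in Bitspyer's log, confirms that authentication is not the failing step.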

