Hey everyone! I'm working on setting up a Samba share on my Linux server, which is joined to an Active Directory domain. I want a specific folder, /home/public, to be accessible via SMB for both AD users (like DOMAINNAME\test-windows) and local Unix users (like uwe, who belongs to the unix-groups). I've created two Samba shares that point to the same folder, but I'm running into issues. The AD users can't reliably access the share, and the local Unix users aren't able to authenticate at all, receiving an NT_STATUS_LOGON_FAILURE error. I understand that I might not be able to use 'security = ADS' and 'security = user' at the same time for the same share. Is there a way to allow both types of users simultaneous access to the same Samba share? If that's not possible, what would be the best workaround? I'm looking for any advice on configuration examples that could help me out. Thanks in advance!
2 Answers
If your AD users are working correctly, you might want to try entering the username with the local server name in the format localhostnameofserver\user. Samba prioritizes AD by default, so this could help. However, mixing AD and local accounts within a single Samba config isn’t typically supported. I’ve dealt with similar issues and ended up creating dedicated AD accounts for external users to avoid conflicts. It might depend on your security requirements though!
You can't have local and AD users accessing the same Samba share simultaneously because local users are unknown to Samba in 'security = ADS' mode. A workaround could be to add those local users into AD and remove their entries from /etc/passwd, turning them into AD users for Samba purposes. This way, they become recognized by Samba as valid users. Just a thought!
Thanks for the reply! To clarify, I have an external user who needs access to /home/public while they're on the company network. AD users are fine, but when I set up a local Unix account for this external user, Samba always tries to authenticate them against AD. I think mixing the local and AD accounts is where I'm hitting the wall.