Give domain users access to Samba folders without joining the Ubuntu server to the domain

2 min read 21-10-2024

If you want to give domain users access to Samba shares on an Ubuntu server without joining the server to a domain, this article walks through the necessary steps. Below, I explain the problem, show the share definition, give step-by-step instructions, and add some notes on how the setup behaves.

Understanding the Problem

Users from a domain need access to Samba folders on an Ubuntu server, but the server itself should not be joined to the domain, which complicates user authentication.

Original Scenario Code

# Example share definition in /etc/samba/smb.conf
[shared]
   path = /srv/samba/shared
   writable = yes
   guest ok = no
   valid users = @sambashare

Granting Access to Domain Users

To allow domain users access to Samba shares without joining the server to a domain, you can use a combination of Samba and winbind. Here's how you can achieve this:

Step-by-Step Instructions

  1. Install Samba and Winbind: Ensure that you have Samba and Winbind installed on your Ubuntu server.

    sudo apt update
    sudo apt install samba winbind
    
  2. Configure Samba: Modify the Samba configuration file, typically located at /etc/samba/smb.conf. Add the share definition you need.

    [shared]
       path = /srv/samba/shared
       writable = yes
       guest ok = no
       valid users = @sambashare
    
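  3. Create the Shared Directory: Ensure the directory you intend to share exists and set the appropriate permissions. The chown below needs the sambashare group to exist; if it does not yet, run the groupadd from step 4 first.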

    sudo mkdir -p /srv/samba/shared
    sudo chown nobody:sambashare /srv/samba/shared
    sudo chmod 2770 /srv/samba/shared
    
  4. Add Domain Users Locally: You will need to create a local user that corresponds to the domain user or use winbind to fetch domain users directly. Add a user to the sambashare group:

    sudo groupadd -f sambashare    # -f: succeed if the group already exists
    sudo useradd -M -s /usr/sbin/nologin your_local_user    # no home directory, no shell login
    sudo usermod -aG sambashare your_local_user
    
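  5. Set Password for Samba: Set a Samba password for the user. This password lives in Samba's local account database and is independent of the domain account: changing or disabling the account in the domain does not change or disable it here.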

    sudo smbpasswd -a your_local_user
    
  6. Configuring Winbind: If you wish to get domain users authenticated via Winbind, you may need to modify the /etc/nsswitch.conf file to include winbind for user and group name resolution:

    passwd:         compat winbind
    group:          compat winbind
    
  7. Start Samba Services: After completing the configurations, restart the Samba services.

    sudo systemctl restart smbd
    sudo systemctl restart nmbd
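
A check to run before restarting the services, as an added example that is not part of the original article: it reads one share section from smb.conf and reports a guest-enabled share, a missing `valid users` restriction, or a directory that is not mode 2770 with the expected group. The function names `share_param` and `audit_share` are hypothetical, GNU `stat` is assumed, and the file is read as written (no `include` handling, no parameter synonyms such as `public`).

```sh
#!/bin/sh
# Added example: audit one smb.conf share and its directory (not from the original article).

# share_param FILE SHARE KEY: print KEY's value inside [SHARE], empty if unset.
# Names are compared case-insensitively with spaces ignored ("Guest OK" == "guestok").
share_param() {
    awk -v share="$2" -v key="$3" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key); share = tolower(share) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            insec = (tolower(name) == share); next
        }
        insec && (eq = index($0, "=")) {            # key = value inside the wanted section
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_share FILE SHARE [GROUP]: print findings; exit status = number of findings.
audit_share() {
    a_conf=$1; a_share=$2; a_group=${3:-sambashare}; a_n=0
    a_path=$(share_param "$a_conf" "$a_share" "path")
    a_guest=$(share_param "$a_conf" "$a_share" "guest ok")
    a_users=$(share_param "$a_conf" "$a_share" "valid users")
    case "$a_guest" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1)
            echo "[$a_share] guest ok is enabled"; a_n=$((a_n + 1)) ;;
    esac
    if [ -z "$a_users" ]; then
        echo "[$a_share] valid users is unset: any Samba account may connect"; a_n=$((a_n + 1))
    fi
    if [ ! -d "$a_path" ]; then
        echo "[$a_share] path '$a_path' is not a directory"; a_n=$((a_n + 1))
    else
        a_meta=$(stat -c '%a %G' "$a_path")         # GNU stat, e.g. "2770 sambashare"
        if [ "$a_meta" != "2770 $a_group" ]; then
            echo "[$a_share] expected mode/group '2770 $a_group', found '$a_meta'"; a_n=$((a_n + 1))
        fi
    fi
    return "$a_n"
}

# Run against the article's share when called with arguments, e.g.:
#   sh audit_share.sh /etc/samba/smb.conf shared
if [ "$#" -ge 2 ]; then audit_share "$@"; fi
```

An exit status of 0 means the share matches the settings used in steps 2 and 3. For the configuration as Samba itself parses it, including defaults, compare against the output of `testparm -s`.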
    

Analysis and Practical Examples

By setting up Samba in this manner, you allow domain users to connect to the shared folder using their domain credentials without the server needing to be joined to the domain. This can be particularly useful for companies that require flexibility in managing access or for environments where joining a domain is not feasible.

Additional Explanations

Using Samba with Winbind ensures that user authentication can still be managed without requiring a full domain join. This creates a lightweight solution that retains the benefits of domain integration while avoiding the complexities that come with it.

Conclusion

This guide outlines a method for granting domain user access to Samba folders on an Ubuntu server without joining the server to a domain. This process can be particularly valuable in various IT scenarios, enhancing flexibility and reducing administrative overhead.

By following these instructions and best practices, you should be able to effectively manage user access to your Samba shares on Ubuntu.