Jakub Veselý
2015-Aug-15 05:24 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
Hello,

at my work we are migrating from samba 3.6.24 on gentoo + openLDAP to Windows Server 2012 AD DC + Samba 4.1.6 Ubuntu Member server for file sharing. Our old configuration ignores domain prefixes when logging on to shares i.e. I just need to type user instead of SAMDOM\user when accessing share from windows machines. The Windows DC behaves like this too, but samba 4 does not. Is there any way to replicate this behavior on the new version? Our users are used to not typing it and it would be quite troublesome to retrain them. Additionally, we have a lot of windows batch files that mount shares that also contain non-prefixed credentials, scattered all around our organization.

Thanks for help,

Jakub Vesely
Felix Matouschek
2015-Aug-16 15:17 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
Hello Jakub,

"map untrusted to domain = yes" should probably do what you want.

Greetings,
Felix

On 15.08.2015 at 07:24, Jakub Veselý wrote:
> Hello,
>
> at my work we are migrating from samba 3.6.24 on gentoo + openLDAP to
> Windows Server 2012 AD DC + Samba 4.1.6 Ubuntu Member server for file
> sharing. Our old configuration ignores domain prefixes when logging on to
> shares i.e. I just need to type user instead of SAMDOM\user when accessing
> share from windows machines. The Windows DC behaves like this too, but
> samba 4 does not. Is there any way to replicate this behavior on the new
> version? Our users are used to not typing it and it would be quite
> troublesome to retrain them. Additionally, we have a lot of windows batch
> files that mount shares that also contain non-prefixed credentials,
> scattered all around our organization.
>
> Thanks for help,
>
> Jakub Vesely
Rowland Penny
2015-Aug-16 15:27 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
On 16/08/15 16:17, Felix Matouschek wrote:
> Hello Jakub,
>
> "map untrusted to domain = yes" should probably do what you want.
>
> Greetings,
> Felix
>
> On 15.08.2015 at 07:24, Jakub Veselý wrote:
>> Hello,
>>
>> at my work we are migrating from samba 3.6.24 on gentoo + openLDAP to
>> Windows Server 2012 AD DC + Samba 4.1.6 Ubuntu Member server for file
>> sharing. Our old configuration ignores domain prefixes when logging on to
>> shares i.e. I just need to type user instead of SAMDOM\user when accessing
>> share from windows machines. The Windows DC behaves like this too, but
>> samba 4 does not. Is there any way to replicate this behavior on the new
>> version? Our users are used to not typing it and it would be quite
>> troublesome to retrain them. Additionally, we have a lot of windows batch
>> files that mount shares that also contain non-prefixed credentials,
>> scattered all around our organization.
>>
>> Thanks for help,
>>
>> Jakub Vesely

Yes, but most people use 'winbind use default domain = yes' instead.

See 'man smb.conf' for more info.

Rowland
Jakub Veselý
2015-Aug-16 15:38 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
Unfortunately 'map untrusted to domain = yes' did not help, I still keep getting a wrong username or password error while accessing the share. I do have 'winbind use default domain = yes' in the configuration, but it seems to have no effect on Windows either. I am trying it from a Windows 10 PC that is not joined to the domain, could the OS be an issue?

Jakub Vesely
Jakub Veselý
2015-Aug-16 15:47 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
Here is our smb.conf:

[global]
    netbios name = SAMBA-TEST
    workgroup = <dom>
    security = ADS
    realm = AD.<dom>.SK
    encrypt passwords = yes

    idmap config *:backend = tdb
    idmap config *:range = 70001-150000
    idmap config <dom>:backend = ad
    idmap config <dom>:schema_mode = rfc2307
    idmap config <dom>:range = 2000-60000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    map untrusted to domain = yes

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

[test]
    path = /data/test
    read only = no
    admin users = "@<dom>\Enterprise Admins"

[homes]
    comment = Home Directories
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700
    invalid users = <snip>

Best regards,

Jakub Veselý
Network administrator, GJH
Novohradská 3, 82109 Bratislava
02/210 28 328

2015-08-16 17:42 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 16/08/15 16:34, Jakub Veselý wrote:
>
> We do have that in smb.conf, but it does not seem to work.
>
> Best regards,
>
> Jakub Veselý
> Network administrator, GJH
> Novohradská 3, 82109 Bratislava
> 02/210 28 328
>
> 2015-08-16 17:27 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 16/08/15 16:17, Felix Matouschek wrote:
>>
>>> Hello Jakub,
>>>
>>> "map untrusted to domain = yes" should probably do what you want.
>>>
>>> Greetings,
>>> Felix
>>>
>>> On 15.08.2015 at 07:24, Jakub Veselý wrote:
>>>
>>>> Hello,
>>>>
>>>> at my work we are migrating from samba 3.6.24 on gentoo + openLDAP to
>>>> Windows Server 2012 AD DC + Samba 4.1.6 Ubuntu Member server for file
>>>> sharing. Our old configuration ignores domain prefixes when logging on to
>>>> shares i.e. I just need to type user instead of SAMDOM\user when accessing
>>>> share from windows machines. The Windows DC behaves like this too, but
>>>> samba 4 does not. Is there any way to replicate this behavior on the new
>>>> version? Our users are used to not typing it and it would be quite
>>>> troublesome to retrain them. Additionally, we have a lot of windows batch
>>>> files that mount shares that also contain non-prefixed credentials,
>>>> scattered all around our organization.
>>>>
>>>> Thanks for help,
>>>>
>>>> Jakub Vesely
>>>>
>>
>> yes, but most people use 'winbind use default domain = yes' instead.
>>
>> see 'man smb.conf' for more info.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> It should, can you post the smb.conf from the samba 4 fileserver
> (sanitized if you like)
>
> Rowland