hi guys,

with Samba as below

[global]
    workgroup = NNNR
    netbios name = PA2
    realm = PRIVATE.REALM.MINE
    kerberos method = dedicated keytab
    dedicated keytab file = /etc/samba/samba.keytab
    create krb5 conf = no
    security = user
    domain master = yes
    domain logons = yes

Should nodes/clients outside of domain (non-members) be able to access (with user+pass) Samba shares?

many thanks, L.

Rowland penny
2019-Aug-30 16:25 UTC
[Samba] to shares access from non-member clients/nodes

On 30/08/2019 17:12, lejeczek via samba wrote:
> hi guys,
>
> with Samba as below
>
> [global]
>     workgroup = NNNR
>     netbios name = PA2
>     realm = PRIVATE.REALM.MINE
>     kerberos method = dedicated keytab
>     dedicated keytab file = /etc/samba/samba.keytab
>     create krb5 conf = no
>     security = user
>     domain master = yes
>     domain logons = yes
>
> Should nodes/clients outside of domain (non-members) be able to access
> (with user+pass) Samba shares?
>
> many thanks, L.

99% of that smb.conf is for a Unix Domain member, but 'security = user' should be 'security = ADS' and it wouldn't be a PDC (domain master = yes) because it is using kerberos.

There are also no auth lines that are required for a Unix domain member.

To put it another way, that is a borked smb.conf.

If you just want a standalone server, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

If you want something else, please explain just what you are trying to achieve.

Rowland

On 30/08/2019 17:25, Rowland penny via samba wrote:
> On 30/08/2019 17:12, lejeczek via samba wrote:
>> hi guys,
>>
>> with Samba as below
>>
>> [global]
>>     workgroup = NNNR
>>     netbios name = PA2
>>     realm = PRIVATE.REALM.MINE
>>     kerberos method = dedicated keytab
>>     dedicated keytab file = /etc/samba/samba.keytab
>>     create krb5 conf = no
>>     security = user
>>     domain master = yes
>>     domain logons = yes
>>
>> Should nodes/clients outside of domain (non-members) be
>> able to access
>> (with user+pass) Samba shares?
>>
>> many thanks, L.
>
> 99% of that smb.conf is for a Unix Domain member, but
> 'security = user' should be 'security = ADS' and it
> wouldn't be a PDC (domain master = yes) because it is
> using kerberos.
>
> There are also no auth lines that are required for a Unix
> domain member.
>
> To put it another way, that is a borked smb.conf.
>
> If you just want a standalone server, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>
> If you want something else, please explain just what you
> are trying to achieve.
>
> Rowland

Yes, it's a unix domain for it's a "regular" FreeIPA's Samba. Out of box this, I think, only does windows when trusted to an AD and from there, from/via AD win clients work.

But I was hoping that outside of kerberos/domain clients (win 10), perhaps with user+pass could be mangled into such FreeIPA's Samba.

many thanks, L.