samba - Jun 2020 - SAMBA using existing users and passwords on Linux

On 03/06/2020 22:41, Fernando Gon?alves via samba wrote:
> So that it doesn't end without a conclusion I will inform you what has
been
> accomplished.
> As our time was short to complete the migration I decided to install the
> same version of SAMBA that was already running on the old machine (3.6.6).
> After the migration is complete, I will have more time to update the SAMBA
> and insert it into our AD domain, thus changing the entire login and
> mapping system.
> I am very grateful to everyone who responded and helped me in this decision
> making.
> I wish everyone health.
I cannot help but think that was a BAD decision, Samba 3.6.6 is totally 
unsupported and is very insecure, ever heard of 'wanacry' ?

If you must use it, then can I urge you to not connect your network to 
the internet in any way.

I cannot stop you using 3.6.6, it is your network and you control it, 
but you also get to pick up the pieces when it goes wrong.

One last thought, do the people who run your AD know you are doing this 
very insecure thing ?

Rowland

Hi Fernando,

What kind of system are using your Samba's clients?

If they are using Windows systems joined to AD, you can join your Samba
server into AD too. Then your users will be able to use Kerberos (ie SSO)
to authenticate against your Samba server.

Your Samba system users could be local (in /etc/passwd) or coming from AD
(using winbindd).
If system users are in /etc/passwd, they would have to have the same name
as on the client system or you will have to add some username mapping (see
"username map" option).

Perhaps all that blabla is out of subject, perhaps it will help, I do hope
it will ; )

Cheers,

mathias

Le jeu. 4 juin 2020 ? 08:45, Rowland penny via samba <samba at
lists.samba.org>
a ?crit :
> On 03/06/2020 22:41, Fernando Gon?alves via samba wrote:
> > So that it doesn't end without a conclusion I will inform you what
has
> been
> > accomplished.
> > As our time was short to complete the migration I decided to install
the
> > same version of SAMBA that was already running on the old machine
> (3.6.6).
> > After the migration is complete, I will have more time to update the
> SAMBA
> > and insert it into our AD domain, thus changing the entire login and
> > mapping system.
> > I am very grateful to everyone who responded and helped me in this
> decision
> > making.
> > I wish everyone health.
>
> I cannot help but think that was a BAD decision, Samba 3.6.6 is totally
> unsupported and is very insecure, ever heard of 'wanacry' ?
>
> If you must use it, then can I urge you to not connect your network to
> the internet in any way.
>
> I cannot stop you using 3.6.6, it is your network and you control it,
> but you also get to pick up the pieces when it goes wrong.
>
> One last thought, do the people who run your AD know you are doing this
> very insecure thing ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hello everyone.
I'm back because I decided to follow your advice and deploy the system
using a new version of SAMBA with encrypted passwords.
I added the SAMBA server in the AD domain without any problems and I am
already accessing the shares with AD users.
However I have a new problem for which I need help.
When I try to access SAMBA shares with local Linux users, it is necessary
to include the name of the Linux server when passing the local user.
For example if I try to access like this, it doesn't work, it gives an
invalid user error

net use \\host\share /U:localuser

To work the command must be like this:

net use \\host\share /U:host\localuser

What it seems to me is that SAMBA does not authenticate on the local
machine, only in AD.
Is there a way to get SAMBA to authenticate to AD and on the local machine?

<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Livre
de v?rus. www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>.
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>

Em qui., 4 de jun. de 2020 ?s 10:26, mathias dufresne via samba <
samba at lists.samba.org> escreveu:
> Hi Fernando,
>
> What kind of system are using your Samba's clients?
>
> If they are using Windows systems joined to AD, you can join your Samba
> server into AD too. Then your users will be able to use Kerberos (ie SSO)
> to authenticate against your Samba server.
>
> Your Samba system users could be local (in /etc/passwd) or coming from AD
> (using winbindd).
> If system users are in /etc/passwd, they would have to have the same name
> as on the client system or you will have to add some username mapping (see
> "username map" option).
>
> Perhaps all that blabla is out of subject, perhaps it will help, I do hope
> it will ; )
>
> Cheers,
>
> mathias
>
> Le jeu. 4 juin 2020 ? 08:45, Rowland penny via samba <
> samba at lists.samba.org>
> a ?crit :
>
> > On 03/06/2020 22:41, Fernando Gon?alves via samba wrote:
> > > So that it doesn't end without a conclusion I will inform you
what has
> > been
> > > accomplished.
> > > As our time was short to complete the migration I decided to
install
> the
> > > same version of SAMBA that was already running on the old machine
> > (3.6.6).
> > > After the migration is complete, I will have more time to update
the
> > SAMBA
> > > and insert it into our AD domain, thus changing the entire login
and
> > > mapping system.
> > > I am very grateful to everyone who responded and helped me in
this
> > decision
> > > making.
> > > I wish everyone health.
> >
> > I cannot help but think that was a BAD decision, Samba 3.6.6 is
totally
> > unsupported and is very insecure, ever heard of 'wanacry' ?
> >
> > If you must use it, then can I urge you to not connect your network to
> > the internet in any way.
> >
> > I cannot stop you using 3.6.6, it is your network and you control it,
> > but you also get to pick up the pieces when it goes wrong.
> >
> > One last thought, do the people who run your AD know you are doing
this
> > very insecure thing ?
> >
> > Rowland
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>