On 25/08/2020 08:28, Piviul via samba wrote:
> Rowland penny via samba wrote on 24/08/20 at 17:39:
>> [...]
>> As far as I am aware, SMBv1 is still readily available on Win7, but
>> from Samba 4.11.0, it is now disabled on Samba, so if you must use
>> SMBv1, you will need to set:
>>
>> client min protocol = NT1
>>
>> server min protocol = NT1
>>
>> in smb.conf
>
> ok, the samba server I'm using as test has samba 4.5.16-Debian
> installed and these are the global parameters of the smb.conf (after
> adding the client/server min protocol):
>> # Global parameters
>> [global]
>>     server string = %h server
>>     workgroup = DOMINIOCSA
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     allow insecure wide links = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     printcap name = cups
>>     client min protocol = NT1
>>     server min protocol = NT1
>>     unix extensions = No
>>     allow trusted domains = No
>>     client ipc signing = if_required
>>     client signing = if_required
>>     map to guest = Bad User
>>     obey pam restrictions = Yes
>>     pam password change = Yes
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     passwd program = /usr/bin/passwd %u
>>     security = DOMAIN
>>     server signing = if_required
>>     unix password sync = Yes
>>     template shell = /bin/bash
>>     winbind cache time = 1
>>     winbind enum groups = Yes
>>     winbind enum users = Yes
>>     winbind use default domain = Yes
>>     dns proxy = No
>>     wins server = 192.168.70.2
>>     idmap config * : range = 25000-30000
>>     idmap config dominiocsa : range = 10000-25000
>>     idmap config dominiocsa : backend = rid
>>     idmap config * : backend = tdb
>>     map archive = No
>>     map acl inherit = Yes
>>     inherit acls = Yes
>>     invalid users = root
>
> when a user of the AD domain tries to access a share of this server
> (even accessing using the IP instead of the name) the authentication
> fails even if the user has the same credentials in both domains...
>
> The win10 client has smbv1 client enabled...
>
> Piviul
>
Try adding 'ntlm auth = yes' to the smb.conf, it defaulted to
'no' at 4.5.0
Rowland
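
An added example, not part of the mailing-list thread: a small audit that reads the [global] section of an smb.conf and reports the legacy-compatibility settings discussed above (a min protocol in the SMBv1 range, and NTLMv1 acceptance via 'ntlm auth'), so they can be tracked and removed once the old clients are gone. The function names and the sample config are constructed for illustration; only explicitly set values are checked, since defaults vary by Samba version.

```python
# Dialects below SMB2; a "min protocol" set to any of these permits SMBv1.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "ntlm auth" values that let smbd accept NTLMv1 responses.
NTLMV1_VALUES = {"yes", "true", "1", "ntlmv1-permitted"}


def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            # Split on the first '=' only: keys such as
            # "idmap config * : range" contain ':' themselves.
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(text):
    """Return (parameter, value, reason) tuples for legacy settings."""
    p = parse_global(text)
    findings = []
    for key in ("client min protocol", "server min protocol"):
        if p.get(key, "").upper() in SMB1_DIALECTS:
            findings.append((key, p[key], "allows SMBv1 negotiation"))
    if p.get("ntlm auth", "").lower() in NTLMV1_VALUES:
        findings.append(("ntlm auth", p["ntlm auth"], "accepts NTLMv1 responses"))
    return findings


# Constructed sample: selected lines of the smb.conf quoted in the thread,
# plus the 'ntlm auth' setting suggested in the reply.
SAMPLE = """\
# Global parameters
[global]
    workgroup = DOMINIOCSA
    client min protocol = NT1
    server min protocol = NT1
    security = DOMAIN
    idmap config * : range = 25000-30000
    ntlm auth = yes
"""

if __name__ == "__main__":
    for key, value, why in audit(SAMPLE):
        print(f"{key} = {value}: {why}")
```
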