samba - Nov 2011 - winbind map untrusted domain problem

Hi

I have a question/problem about winbind and the "map untrusted to
domain" (=yes) parameter.

I use samba 3.6.0 on 
FreeBSD 8.2 with the following configuration:
[global]
  encrypt passwords = yes
  map untrusted to domain = yes
  
allow trusted domains = yes
  client ntlmv2 auth = yes
  client use spnego = yes
  client lanman auth = yes
  client 
plaintext auth = no
  winbind enum users = yes
  winbind enum groups = yes
  winbind offline logon = yes
  winbind use 
default domain = yes
  restrict anonymous = 2
  winbind cache time = 10
  restrict anonymous = 2
  os level = 0
  
lanman auth = yes
  ntlm auth = yes

  domain logons = yes
  unix password sync = yes
  passwd program = 
/usr/bin/passwd %u

  preferred master = yes

  local master = yes
  security = user
  domain master = yes

  workgroup 
= DOMAIN

  netbios name = smbsrv01
  server string = smbsrv01

Authentication when accessing a SMB share works without 
specify a domain from a windows client. (so windows uses client hostname as
domain name, I guess samba does map the
"untrusted" hostname domain to its own) But if I use squid for
authentication with samba NTLM auth helper plugin, it
does not work if the client does not explicit specify the domain name. I also
tried with wbinfo -a
<hostname>\\vailduser and I get "NT_STATUS_NO_SUCH_USER
(0xc0000064)". (I guess wbinfo authenticates the same way as
the NTLM auth helper plugin does)

Is there a way to tell samba that it also maps untrusted domains over winbind.
If
yes, how?

Thank you

Best regards
Tobias

I don't think your configuration is right, "map untrusted domain",
"allow
trusted domains" are not supposed to work with "security = user".

2011/11/5 schlittae at bluewin.ch <schlittae at bluewin.ch>
> Hi
>
> I have a question/problem about winbind and the "map untrusted to
domain"
> (=yes) parameter.
>
> I use samba 3.6.0 on
> FreeBSD 8.2 with the following configuration:
> [global]
>  encrypt passwords = yes
>  map untrusted to domain = yes
>
> allow trusted domains = yes
>  client ntlmv2 auth = yes
>  client use spnego = yes
>  client lanman auth = yes
>  client
> plaintext auth = no
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind offline logon = yes
>  winbind use
> default domain = yes
>  restrict anonymous = 2
>  winbind cache time = 10
>  restrict anonymous = 2
>  os level = 0
>
> lanman auth = yes
>  ntlm auth = yes
>
>  domain logons = yes
>  unix password sync = yes
>  passwd program > /usr/bin/passwd %u
>
>  preferred master = yes
>
>  local master = yes
>  security = user
>  domain master = yes
>
>  workgroup
> = DOMAIN
>
>  netbios name = smbsrv01
>  server string = smbsrv01
>
> Authentication when accessing a SMB share works without
> specify a domain from a windows client. (so windows uses client hostname
> as domain name, I guess samba does map the
> "untrusted" hostname domain to its own) But if I use squid for
> authentication with samba NTLM auth helper plugin, it
> does not work if the client does not explicit specify the domain name. I
> also tried with wbinfo -a
> <hostname>\\vailduser and I get "NT_STATUS_NO_SUCH_USER
(0xc0000064)". (I
> guess wbinfo authenticates the same way as
> the NTLM auth helper plugin does)
>
> Is there a way to tell samba that it also maps untrusted domains over
> winbind. If
> yes, how?
>
> Thank you
>
> Best regards
> Tobias
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi David

Thank you for your reply.

I forgot to mention that my samba must run as PDC in my case. So as I read in
the
manual, security = user should be applicable? Anyhow I also tried security =
domain and security = ads without success
(but I did not change any other settings like domain master, so samba still
staied as PDC?). Is it actually possible to
map any domain to its own when samba runs as PDC?

Best regards
Tobias

David Roid wrote:
>
> I don't think your 
configuration is right, "map untrusted domain", "allow trusted
domains" are not supposed to work with > "security =
user".
> 2011/11/5 schlittae at bluewin.ch <schlittae at bluewin.ch>
> 
> Hi
>
> I have a question/problem about winbind and 
the "map untrusted to domain" (=yes)
parameter.
>
> I use samba 3.6.0 on
> FreeBSD 8.2 with the following 
configuration:
> [global]
>  encrypt passwords = yes
>  map untrusted to domain = yes
>
> allow trusted domains = yes
>  client ntlmv2 auth = yes
>  client use spnego = yes
>  client lanman auth = yes
>  client
> plaintext auth = no
>  
winbind enum users = yes
>  winbind enum groups = yes
>  winbind offline logon = yes
>  winbind use
> default domain = 
yes
>  restrict anonymous = 2
>  winbind cache time = 10
>  restrict anonymous = 2
>  os level = 0
>
> lanman auth = 
yes
>  ntlm auth = yes
>
>  domain logons = yes
>  unix password sync = yes
>  passwd program > /usr/bin/passwd %u
>
>  preferred master = yes
>
>  local master = yes
>  security = user
>  domain master = yes
>
>  workgroup= DOMAIN
>
>  
netbios name = smbsrv01
>  server string = smbsrv01
>
> Authentication when accessing a SMB share works without
> 
specify a domain from a windows client. (so windows uses client hostname as
domain name, I guess samba does map the
> 
"untrusted" hostname domain to its own) But if I use squid for
authentication with samba NTLM auth helper plugin, it
> 
does not work if the client does not explicit specify the domain name. I also
tried with wbinfo -a
> 
<hostname>\\vailduser and I get "NT_STATUS_NO_SUCH_USER
(0xc0000064)". (I guess wbinfo authenticates the same > > way
as
> the NTLM auth helper plugin does)
>
> Is there a way to tell samba that it also maps untrusted domains over 
winbind. If
> yes, how?
>
> Thank you
>
> Best regards
> Tobias