Jakob Lenfers
2018-Mar-07 12:48 UTC
[Samba] Easy login/mapping from non domain member clients
Hi,

I'm starting to manually migrate my samba3 (or now samba4 classic) servers into a new samba4 AD domain. (All servers are running with v4.7.4.) The DCs are running fine and I'm testing my first member server. It works well with Windows 10 domain members, but we won't be adding all clients into the domain just yet. Our old login scripts that map the drives do create problems now, since the non domain members try to log in with "LOCALCOMPUTER\username"; the passwords are of course the same.

For my old samba 3 PDC, I successfully used "map untrusted to domain = yes" to solve that problem. I'm now using the new default "auto", which will be the only value in 4.8 as far as I understand, and it doesn't seem to work as I need it to. AFAIU the member server is supposed to delegate the decision to the DC, which, in case it is unknown, should perform a local authentication. I'm not sure what exactly local is (is it the AD of the server?), but it doesn't work here.

So in short, is there an easy solution to map all unknown domains to BSS\user? Since I don't have more than this one domain, I don't even mind mapping everything.
DC smb.conf is fairly standard (left out netlogon/sysvol):

    [global]
    workgroup = BSS
    realm = BSS.FQDN.EXAMPLE.COM
    netbios name = BARVA
    server role = active directory domain controller
    dns forwarder = 1.2.3.4
    idmap_ldb:use rfc2307 = yes
    time server = yes

Member (file) server, left out the share definitions:

    [global]
    workgroup = BSS
    realm = BSS.FQDN.EXAMPLE.COM
    security = ADS

    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind nss info = template
    template shell = /bin/false
    template homedir = /srv/samba/homes/%U

    # https://wiki.samba.org/index.php/Idmap_config_rid#Planning_the_ID_Ranges
    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the domain
    idmap config BSS : backend = rid
    idmap config BSS : range = 10000-999999

    store dos attributes = yes
    vfs objects = acl_xattr
    inherit acls = yes
    map acl inherit = yes

Thanks in advance,
Jakob
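Two things a reviewer would check before chasing the login problem in a member-server smb.conf like the one above: whether "map untrusted to domain" is still set explicitly (the post notes the default has moved to "auto"), and whether the idmap ranges for "*" and the domain are disjoint, as the linked wiki page requires. The following is an added example, not code from the post or from Samba; the sample configuration is constructed from the post's member-server section, and the explicit "map untrusted to domain" line in it is an assumption added for illustration.

```python
import re

# Constructed sample modelled on the member server [global] in the post (the explicit map-untrusted line is added here).
SMB_CONF = """\
[global]
    security = ADS
    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : range = 3000-7999
    # idmap config for the domain
    idmap config BSS : range = 10000-999999
    map untrusted to domain = auto
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lowercased key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def idmap_ranges(global_section):
    """Map each 'idmap config <DOM> : range = lo-hi' entry to (lo, hi)."""
    ranges = {}
    for key, value in global_section.items():
        m = re.match(r"idmap config (.+?) : range$", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (lo, hi)   # '*' is the default backend
    return ranges

def overlapping_ranges(ranges):
    """Return domain pairs whose ID ranges intersect; Samba needs them disjoint."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def check(text):
    """Summarise the two settings the thread turns on for one smb.conf text."""
    g = parse_smb_conf(text).get("global", {})
    return {"map untrusted to domain": g.get("map untrusted to domain"),
            "idmap overlaps": overlapping_ranges(idmap_ranges(g))}
```

Run check() against your own smb.conf text; an empty "idmap overlaps" list and the expected "map untrusted to domain" value mean those two settings are not the problem.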
Jakob Lenfers
2018-Mar-16 09:33 UTC
[Samba] Easy login/mapping from non domain member clients
On 07.03.2018 at 13:48, Jakob Lenfers via samba wrote:

> So in short, is there an easy solution to map all unknown domains to
> BSS\user? Since I don't have more than this one domain, I don't even
> mind mapping everything.

Is there some info missing, or is that really a use case nobody else has? Or is it working for everybody? I'm striking out everywhere with my question: here, IRC, and Stackexchange... Any ideas where else I could ask?

Thanks,
Jakob