2018-06-29 15:12 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Fri, 29 Jun 2018 12:56:33 +0800
> d tbsky via samba <samba at lists.samba.org> wrote:
>
>> hi:
>>
>> at RHEL 7.4 we had used "map untrusted to domain = yes", so users
>> can log in with "username" instead of "sam-dom\username".
>>
>> after upgrade to RHEL 7.5, the samba version upgraded from 4.6 to 4.7.
>> now "map untrusted to domain = yes" or "map untrusted to domain =
>> auto" are not working.
>>
>> can we still let users use "username" instead of
>> "sam-dom\username" like in the old days?
>>
>> thanks a lot for help!!
>>
>
> The default for 'map untrusted to domain' was changed from 'no' to
> 'auto' when 4.7.0 was released, but setting it to 'yes' should still
> work.
>
> Can you please post the '[global]' portion of your smb.conf.
>
> Rowland

hi:
samba file server global configuration below:

[global]
workgroup = SAM-DOM
netbios name = file
# password server = DC.AD.SAM-DOM.EXAMPLE.COM
realm = AD.SAM-DOM.EXAMPLE.COM
security = ads

idmap config *:backend = tdb
idmap config *:range = 1000000-1999999

idmap config SAM-DOM:backend = ad
idmap config SAM-DOM:default = yes
idmap config SAM-DOM:range = 1000-999999
idmap config SAM-DOM:schema_mode = rfc2307

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind offline logon = no
obey pam restrictions = no

winbind nss info = template
template homedir = /share/samba/home/%U
template shell = /bin/bash

lanman auth = yes
map untrusted to domain = yes
On Fri, 29 Jun 2018 15:48:32 +0800
d tbsky <tbskyd at gmail.com> wrote:

> hi:
> samba file server global configuration below:
>
> [global]
> workgroup = SAM-DOM
> netbios name = file
> # password server = DC.AD.SAM-DOM.EXAMPLE.COM
> realm = AD.SAM-DOM.EXAMPLE.COM
> security = ads
>
> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
>
> idmap config SAM-DOM:backend = ad
> idmap config SAM-DOM:default = yes
> idmap config SAM-DOM:range = 1000-999999
> idmap config SAM-DOM:schema_mode = rfc2307
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> winbind use default domain = yes
> winbind offline logon = no
> obey pam restrictions = no
>
> winbind nss info = template
> template homedir = /share/samba/home/%U
> template shell = /bin/bash
>
> lanman auth = yes
> map untrusted to domain = yes

OK, if I remove all the default and unnecessary lines, I am left with
this:

[global]
workgroup = SAM-DOM
realm = AD.SAM-DOM.EXAMPLE.COM
security = ads

idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAM-DOM:backend = ad
idmap config SAM-DOM:range = 1000-999999
idmap config SAM-DOM:schema_mode = rfc2307

winbind use default domain = yes

template homedir = /share/samba/home/%U
template shell = /bin/bash

lanman auth = yes
map untrusted to domain = yes

Just a couple of comments:
Because you start 'SAM-DOM' at '1000', you cannot have ANY local Unix
users.

You have 'lanman auth' set to yes, do you really have any Win95/98
clients? If not, you should remove this security risk line.

With the above smb.conf, if a user called 'fred' connects from DOMSAM
(DOMSAM\fred), the user should become SAM-DOM\fred and then
authenticated. This means that SAM-DOM\fred must exist and DOMSAM\fred
must have the same password as SAM-DOM\fred. Once the user is
authenticated, 'winbind use default domain = yes' will remove the
domain name and SAM-DOM\fred would become just 'fred'.

If the above isn't happening, then, potentially, you have discovered a
bug.

Rowland
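As an added example (not part of the thread, and not Samba's own code), the script below reads the [global] section posted above, flags the two configuration points Rowland raises (the 'lanman auth = yes' line, and a domain idmap range that starts at 1000 and so overlaps the UIDs local Unix accounts would use), and models the name mapping he describes for 'map untrusted to domain = yes' together with 'winbind use default domain = yes'. The parser, the assumed local UID range (1000-60000) and the `map_user()` model are simplifications made for this example; they are not how Samba itself implements parameter handling or untrusted-domain mapping, and trusted domains are not modelled at all.

```python
"""Audit a Samba [global] section for the points raised in this thread and
model the name mapping described in it.  Added example, not Samba code."""
import re

# Constructed sample: the [global] section posted earlier in this thread.
SAMPLE_SMB_CONF = """
[global]
workgroup = SAM-DOM
netbios name = file
# password server = DC.AD.SAM-DOM.EXAMPLE.COM
realm = AD.SAM-DOM.EXAMPLE.COM
security = ads

idmap config *:backend = tdb
idmap config *:range = 1000000-1999999

idmap config SAM-DOM:backend = ad
idmap config SAM-DOM:default = yes
idmap config SAM-DOM:range = 1000-999999
idmap config SAM-DOM:schema_mode = rfc2307

winbind use default domain = yes
lanman auth = yes
map untrusted to domain = yes
"""

# Assumption for this example: regular local Unix accounts live in this
# UID range (the usual layout on a RHEL-style host), so an idmap range that
# overlaps it leaves no room for local users such as an emergency SSH login.
LOCAL_UID_RANGE = (1000, 60000)


def parse_global(text):
    """Return {parameter: value} for the [global] section.  Simplified
    parser: comments are skipped, parameter names are lower-cased and
    inner whitespace is collapsed, as Samba treats names case-insensitively."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def parse_range(value):
    """'1000-999999' -> (1000, 999999)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def audit(params):
    """Return a list of (severity, message) findings for the three points
    discussed in the thread."""
    findings = []
    # LM authentication only exists for DOS/Win9x clients; LM hashes are weak.
    if params.get("lanman auth", "no").lower() == "yes":
        findings.append(("high", "lanman auth = yes: LM hashes are weak; "
                                 "only DOS/Win95/98 clients need this"))
    # A domain idmap range overlapping local UIDs means no local Unix users.
    for key, value in params.items():
        m = re.match(r"idmap config (.+):range$", key)
        if not m:
            continue
        lo, hi = parse_range(value)
        if lo <= LOCAL_UID_RANGE[1] and hi >= LOCAL_UID_RANGE[0]:
            findings.append(("medium", f"idmap range for '{m.group(1)}' "
                                       f"({lo}-{hi}) overlaps local UIDs "
                                       f"{LOCAL_UID_RANGE[0]}-{LOCAL_UID_RANGE[1]}"))
    # Since 4.7.0 the parameter defaults to 'auto'; report the effective value.
    findings.append(("info", "map untrusted to domain = "
                             + params.get("map untrusted to domain", "auto")))
    return findings


def map_user(domain, user, params):
    """Model of the mapping described in the thread: with
    'map untrusted to domain = yes' a domain that is not our workgroup is
    replaced by the workgroup, and with 'winbind use default domain = yes'
    the workgroup prefix is then dropped.  Simplified model only: trusted
    domains and the 'auto' setting are not modelled."""
    workgroup = params["workgroup"].upper()
    untrusted = params.get("map untrusted to domain", "auto").lower()
    if domain.upper() != workgroup and untrusted == "yes":
        domain = workgroup
    use_default = params.get("winbind use default domain", "no").lower()
    if domain.upper() == workgroup and use_default == "yes":
        return user
    return f"{domain}\\{user}"


if __name__ == "__main__":
    conf = parse_global(SAMPLE_SMB_CONF)
    for severity, message in audit(conf):
        print(f"[{severity}] {message}")
    print("DOMSAM\\fred  ->", map_user("DOMSAM", "fred", conf))
    print("SAM-DOM\\fred ->", map_user("SAM-DOM", "fred", conf))
```

Running it against the posted configuration reports the 'lanman auth' line as high severity and the SAM-DOM range 1000-999999 as overlapping local UIDs, and the model maps DOMSAM\fred to plain 'fred' exactly as described above; removing 'map untrusted to domain = yes' makes the model return 'DOMSAM\fred' unchanged, which is the behaviour to compare against when deciding whether the real server has a bug.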
On Fri, 29 Jun 2018 16:56:47 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-06-29 16:26 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > OK, if I remove all the default and unnecessary lines, I am left
> > with this:
> >
> > [global]
> > workgroup = SAM-DOM
> > realm = AD.SAM-DOM.EXAMPLE.COM
> > security = ads
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 1000000-1999999
> > idmap config SAM-DOM:backend = ad
> > idmap config SAM-DOM:range = 1000-999999
> > idmap config SAM-DOM:schema_mode = rfc2307
> >
> > winbind use default domain = yes
> >
> > template homedir = /share/samba/home/%U
> > template shell = /bin/bash
> >
> > lanman auth = yes
> > map untrusted to domain = yes
> >
> > Just a couple of comments:
> > Because you start 'SAM-DOM' at '1000', you cannot have ANY local
> > Unix users.
>
> that's ok. we don't have any local unix users at the samba file server.

Er, no it's not, what happens if something goes wrong and you need to
'SSH' in to fix something??? You need a few local Unix users, but hey,
it's your domain.

> > You have 'lanman auth' set to yes, do you really have any Win95/98
> > clients? If not, you should remove this security risk line.
>
> we have dos clients. although win95/98 is useless, dos is still
> sometimes necessary today.

Why do you still have a dos client, even I (an inept programmer) could
crack its password in minutes.

Rowland
2018-06-29 17:07 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> Why do you still have a dos client, even I (an inept programmer) could
> crack its password in minutes.

some tools/utilities only have a dos version. if you want to input/output
something to dos, then samba is the best partner. you won't want a
usb-disk or floppy under dos. BTW, dos has universal storage and network
drivers, although it will become broken by future uefi-only computers.

I have tested "DOMSAM\fred" and it can not work. so maybe it is a bug
of samba 4.7?