On 10.09.18 at 11:12, Rowland Penny via samba wrote:
> Hi Stefan, I would set up a small AD domain, one DC, and turn the two
> original servers into Unix domain members and then use kerberos.
>
> I cannot think of any other way of not using passwords.

I won't get a third server for doing so. It could be a VM or container, though.

For now we discussed simply editing the batchfile to not contain the passwords and the users have to enter their (strong) pw at connection time.

Maybe set "/persistent: no" as well.

This would improve things, no readable passwords on the client anymore.

On Mon, 10 Sep 2018 12:35:28 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> On 10.09.18 at 11:12, Rowland Penny via samba wrote:
>
> > Hi Stefan, I would set up a small AD domain, one DC, and turn the
> > two original servers into Unix domain members and then use kerberos.
> >
> > I cannot think of any other way of not using passwords.
>
> I won't get a third server for doing so. It could be a VM or
> container, though.

OK, because you only have so few users, use the DC as a fileserver?

Rowland

On 10.09.18 at 12:49, Rowland Penny via samba wrote:
>>> I cannot think of any other way of not using passwords.
>>
>> I won't get a third server for doing so. It could be a VM or
>> container, though.
>
> OK, because you only have so few users, use the DC as a fileserver?

yes, optional.

Maybe even better: the 2nd server (backup) as DC, as it isn't used as fileserver in regular operation.

That 2nd server more or less idles all day long and only rsyncs data over every hour or so ... it only gets busy in the evening, pulling VM-backups, doing backups etc

On 10.09.18 at 12:35, Stefan G. Weichinger via samba wrote:
> On 10.09.18 at 11:12, Rowland Penny via samba wrote:
>
>> Hi Stefan, I would set up a small AD domain, one DC, and turn the two
>> original servers into Unix domain members and then use kerberos.
>>
>> I cannot think of any other way of not using passwords.
>
> I won't get a third server for doing so. It could be a VM or container,
> though.
>
> For now we discussed simply editing the batchfile to not contain the
> passwords and the users have to enter their (strong) pw at connection time.
>
> Maybe set "/persistent: no" as well.
>
> This would improve things, no readable passwords on the client anymore.

I am currently cut-and-pasting a vbs script together, that prompts for user/password (as the thin client is member in another domain) and maps a network drive using these creds ...

Good scripts/examples welcome here ;-)

If you make sure the login names and passwords are the same on both domains, then it's just:

net use k: \\FQDN\SHARE /user:DOM1\%username%
net use l: \\FQDN\SHARE /user:DOM2\%username%

At least that is what I do here.
You can do more: open a CMD box and type: set
You can use all these variables.

net use m: \\FQDN\SHARE /user:%USERDOMAIN%\%username%
Or
net use n: \\FQDN\SHARE /user:%username%@%USERDNSDOMAIN%

And I've disabled password changes for the time until I'm able to remove that old domain.

You can set it with the persistence, but I had more problems with that than with the above.
If a password change occurs, then the drive with persistent connections is failing.

And why VB script, you can set it in your GPO also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Tuesday 18 September 2018 15:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] design question for small environment
>
> On 10.09.18 at 12:35, Stefan G. Weichinger via samba wrote:
> > On 10.09.18 at 11:12, Rowland Penny via samba wrote:
> >
> >> Hi Stefan, I would set up a small AD domain, one DC, and turn the two
> >> original servers into Unix domain members and then use kerberos.
> >>
> >> I cannot think of any other way of not using passwords.
> >
> > I won't get a third server for doing so. It could be a VM or container,
> > though.
> >
> > For now we discussed simply editing the batchfile to not contain the
> > passwords and the users have to enter their (strong) pw at connection time.
> >
> > Maybe set "/persistent: no" as well.
> >
> > This would improve things, no readable passwords on the client anymore.
>
> I am currently cut-and-pasting a vbs script together, that prompts for
> user/password (as the thin client is member in another domain) and maps
> a network drive using these creds ...
>
> Good scripts/examples welcome here ;-)
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 18.09.18 at 16:00, L.P.H. van Belle via samba wrote:
> If you make sure the login names and passwords are the same on both domains,

That is exactly what we want to avoid!

> then it's just:
>
> net use k: \\FQDN\SHARE /user:DOM1\%username%
> net use l: \\FQDN\SHARE /user:DOM2\%username%
>
> At least that is what I do here.
> You can do more: open a CMD box and type: set
> You can use all these variables.
>
> net use m: \\FQDN\SHARE /user:%USERDOMAIN%\%username%
> Or
> net use n: \\FQDN\SHARE /user:%username%@%USERDNSDOMAIN%
>
> And I've disabled password changes for the time until I'm able to remove that old domain.
>
> You can set it with the persistence, but I had more problems with that than with the above.
> If a password change occurs, then the drive with persistent connections is failing.
>
> And why VB script, you can set it in your GPO also.

I don't have access to the GPOs upstream.

Remember: the thin client is domain member in a company ADS and not under our control ... but has to mount our protected share as well.

And we look for a user-friendly way without storing passwords anywhere.

So right now: (vbs-)script and enter pw at session start.

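The approach discussed in the thread (no password in the batch file, password entered at connection time, mapping not persistent), written as a batch file. This is an added example, not a script from any of the posters; `FQDN` and `SHARE` are the thread's placeholders, and the drive letter `K:` and the prompt text are assumptions.

```batch
@echo off
rem Added example, not from the thread.
rem FQDN and SHARE are the thread's placeholders; K: is an assumption.
setlocal
set "DRIVE=K:"
set "SERVER=FQDN"
set "SHARE=\\%SERVER%\SHARE"

rem Drop any earlier mapping of this drive letter; ignore "not found".
net use %DRIVE% /delete /y >nul 2>&1

rem Remove a credential previously saved for this server, if any,
rem so that an old stored password is never reused silently.
cmdkey /delete:%SERVER% >nul 2>&1

rem The thin client's logon belongs to another domain, so ask for the
rem account that is valid on the file server.
set "SHAREUSER="
set /p "SHAREUSER=User name for %SHARE% (DOMAIN\user): "
if not defined SHAREUSER (
    echo No user name entered, nothing mapped.
    exit /b 1
)

rem "*" in the password position makes net use prompt for the password
rem without echoing it. No /savecred, so nothing is stored.
rem /persistent:no means the mapping is not restored at the next logon.
net use %DRIVE% "%SHARE%" /user:%SHAREUSER% * /persistent:no
if errorlevel 1 (
    echo Mapping %DRIVE% failed.
    exit /b 1
)

echo %DRIVE% is mapped to %SHARE% for this session.
endlocal
```

The password exists only in the `net use` prompt; it is written neither to the script nor to the Windows credential store.
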
Ah, ok.

Maybe you can do something with the static id mappings on the server.
Map a computer to user

But besides that, uhm, good luck...
Stick with the login popup, and save yourself a lot of troubles.

Maybe this will give you a good hint:
https://sambaxp.org/fileadmin/user_upload/sambaXP2018-Slides/StefanMetzmacher_sambaxp2018_trusted_domain_support-rev0-compact.pdf

Imo, a hard one to solve.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Tuesday 18 September 2018 16:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] design question for small environment
>
> On 18.09.18 at 16:00, L.P.H. van Belle via samba wrote:
> > If you make sure the login names and passwords are the same on both domains,
>
> That is exactly what we want to avoid!
>
> > then it's just:
> >
> > net use k: \\FQDN\SHARE /user:DOM1\%username%
> > net use l: \\FQDN\SHARE /user:DOM2\%username%
> >
> > At least that is what I do here.
> > You can do more: open a CMD box and type: set
> > You can use all these variables.
> >
> > net use m: \\FQDN\SHARE /user:%USERDOMAIN%\%username%
> > Or
> > net use n: \\FQDN\SHARE /user:%username%@%USERDNSDOMAIN%
> >
> > And I've disabled password changes for the time until I'm able to remove that old domain.
> >
> > You can set it with the persistence, but I had more problems with that than with the above.
> > If a password change occurs, then the drive with persistent connections is failing.
> >
> > And why VB script, you can set it in your GPO also.
>
> I don't have access to the GPOs upstream.
>
> Remember: the thin client is domain member in a company ADS and not
> under our control ... but has to mount our protected share as well.
>
> And we look for a user-friendly way without storing passwords anywhere.
>
> So right now: (vbs-)script and enter pw at session start.