samba - Sep 2018 - design question for small environment

Ah, ok. 

Maybe you can do something with the static id mappings on the server.
Map a computer to user 

But besides that, uhm, good luck... 
Stick with the login popup, and save yourself a lot of troubles. 

Maybe this wil give you a good hint, 
https://sambaxp.org/fileadmin/user_upload/sambaXP2018-Slides/StefanMetzmacher_sambaxp2018_trusted_domain_support-rev0-compact.pdf

Imo, a hard one to solve. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan G. Weichinger via samba
> Verzonden: dinsdag 18 september 2018 16:08
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] design question for small environment
> 
> Am 18.09.18 um 16:00 schrieb L.P.H. van Belle via samba:
> > If you make sure the loginnames and password as the same on 
> both domains.
> 
> That is exactly what we want to avoid!
> 
> > Then its just.
> > 
> > net use k: \\FQDN\SHARE /user:DOM1\%username%
> > net use l: \\FQDN\SHARE /user:DOM2\%username%
> > 
> > At least that is what i do here.
> > You can do more, open CMD box, run type: set
> > You an use all these variables.
> > 
> > net use m: \\FQDN\SHARE /user:%USERDOMAIN%\%username%
> > Or
> > net use n: \\FQDN\SHARE /user:%username%@%USERDNSDOMAIN%
> > 
> > And i've disabled password changes for the time until im 
> able to remove that old domain.
> > 
> > You can set it with the persistance but i had more problem 
> with that then above.
> > If a password changes occurs, then the drive with 
> persistant connections is failing.
> > 
> > And why VB script, you can set it in you GPO also.
> 
> I don't have access to the GPOs upstream.
> 
> Remember: the thin client is domain member in a company ADS and not 
> under our control ... but has to mount our protected share as well.
> 
> And we look for a user-friendly way without storing passwords 
> anywhere.
> 
> So right now: (vbs-)script and enter pw at session start.
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Am 18.09.18 um 16:33 schrieb L.P.H. van Belle via samba:
> Ah, ok.
> 
> Maybe you can do something with the static id mappings on the server.
> Map a computer to user
> 
> But besides that, uhm, good luck...
> Stick with the login popup, and save yourself a lot of troubles.
> 
> Maybe this wil give you a good hint,
>
https://sambaxp.org/fileadmin/user_upload/sambaXP2018-Slides/StefanMetzmacher_sambaxp2018_trusted_domain_support-rev0-compact.pdf
> 
> Imo, a hard one to solve.
Yep.

I discussed this with another admin and he came up with "Windows 
Anmeldeinformationen" ... maybe "stored passwords" in english?

This is an improvement as it allows to store credentials in a safe(r) 
way ... I assume it is hashed and encrypted.

So no more cleartext pw on the client, no more pw-entry at start-time 
(at least not for connecting the shares).

OK, if the upstream admin resets the users PW, he gets access to the 
samba-shares as well ... but this would be noticed ("hey, my pw doesn't
work anymore").

We will test that in more detail tmrw and check if it is enough.

A first test worked fine (entered servername, user/pw ... batch without 
user/pw connects fine)

- additionally I will have to look into the transport crypto: traffic 
goes through "hostile" networks ;-)

Am 18.09.18 um 17:19 schrieb Stefan G. Weichinger via samba:
> A first test worked fine (entered servername, user/pw ... batch without 
> user/pw connects fine)
played with "net use /savecred" and "cmdkey" today ... not
OK yet.

After reboot still no drives ... maybe the upstream domain disables my 
"/persistent: yes"