Mark Foley
2018-Nov-10 03:07 UTC
[Samba] How to Samba share with mixed Active Directory 'Classic' authentication
I have a Samba4 AD Domain with one of the file servers as a domain member. This file server hosts the main network shares for the domain. Currently, Windows users mapping this share are authenticated using their AD domain credentials. That all works just fine.

What I want to do now is ALSO allow a user on a network host which IS NOT a domain member, and the user is not domain users to also map/mount this share, possibly via the "Classic" 'security = user' mechanism. Can this be done? That is, can both mechanisms be accommodated somehow?

THX --Mark

Below is the current smb.conf with 'security = ADS' and various idmaps.

[global]
    netbios name = OHPRSSTORAGE

    # workgroup = NT-Domain-Name or Workgroup-Name, eg: LINUX2
    # workgroup = WORKGROUP

    # server string is the equivalent of the NT Description field
    server string = HPRS NAS server

    domain master = no
    prefered master = no

    realm = HPRS.LOCAL
    workgroup = HPRS
    usershare allow guests = Yes
    usershare max shares = 10
    security = ADS
    template shell = /bin/bash

    max log size = 10000

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config HPRS:backend = ad
    idmap config HPRS:schema_mode = rfc2307
    idmap config HPRS:range = 10000-10099

    winbind enum groups = Yes
    winbind enum users = Yes
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes

[public]
    comment = OHPRS main file and document repository
    path = /mnt/RAID/public

    # for the following settings see: https://www.samba.org/samba/docs/using_samba/ch08.html
    hide dot files = yes
    # set o+x to mark a file as hidden (doesn't work for folders)
    map hidden = yes
    # User's outlook .pst files are in a folder named "outlook"
    hide files = /Outlook/outlook/~*/

    # locking: https://www.samba.org/samba/docs/using_samba/ch08.html
    veto oplock files = /OfficeCalendar.pst/

    inherit acls = yes
    valid users = @"domain users"

    # guest ok = yes
    # guest only = yes

    locking = yes
    public = yes
    writeable = yes
    browseable= yes
    printable = no
    create mask = 0660
    force user = ohprso
    force group = ohprs
    force create mode = 0660
    directory mask = 2771
Luke Barone
2018-Nov-10 03:46 UTC
[Samba] How to Samba share with mixed Active Directory 'Classic' authentication
Uhhh, what is wrong with how Active Directory is running? I have plenty of machines that are and are not attached to various NT-style and AD-style domains, hosted by Samba, and I can access the files I want.
Mark Foley
2018-Nov-11 03:49 UTC
[Samba] How to Samba share with mixed Active Directory 'Classic' authentication
I too have a dozen Windows and 3 Linux computers connected to the AD domain. I'm wanting to connect a device that does not support AD, but it does do Samba Classic and I want it to be able to access a share on the Samba-server domain member which currently uses AD authentication only, per my listed smb.conf.

--Mark