Dear list,
when I connect to a samba AD member server from a windows 10 client not
joined to the domain, it appears that I always have to connect as
DOMAIN\USER. Is it possible to configure samba such that it always
interprets the USER part as being the account name of the one domain
that is configured, and to discard the DOMAIN part supplied by the
client? This may be a dumb question, but thanks for any hints... Cheers,
Christian
PS: Here is the smb.conf on the member server:
[global]
bind interfaces only = Yes
interfaces = lo eth0
realm = XXX.XXX.XXX
workgroup = XXX
netbios aliases = wpkg
winbind expand groups = 2
security = ADS
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nss info = ad
winbind refresh tickets = yes
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config IQO:backend = ad
idmap config IQO:schema_mode = rfc2307
idmap config IQO:range = 10000 - 999999
idmap config IQO:unix_nss_info = yes
map acl inherit = yes
store dos attributes = yes
vfs objects = acl_xattr
(using debian stretch and Louis' 4.8.10 packages)
On Thu, 2019-05-02 at 02:07 +0200, Christian via samba wrote:
> Dear list,
>
> when I connect to a samba AD member server from a windows 10 client not
> joined to the domain, it appears that I always have to connect as
> DOMAIN\USER. Is it possible to configure samba such that it always
> interprets the USER part as being the account name of the one domain
> that is configured, and to discard the DOMAIN part supplied by the
> client? This may be a dumb question, but thanks for any hints... Cheers,

Sadly not! We used to have 'map untrusted to domain' but we had to get rid of it, because for NTLMv2 it fails (because the domain is included in the challenge/response password calculation).

If someone finds a truly critical situation where this matters we might be able to solve it for pure samba domains, because on the DC we can hold both names in memory, but for now we don't have a good solution.

Sorry!

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
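The reason Andrew gives (the domain name is an input to the NTLMv2 computation) can be seen directly in the protocol arithmetic. The Python below is an added example for this thread, not code from the list or from Samba: it implements NTOWFv2 and the NTLMv2 proof string as specified in MS-NLMP, with a self-contained MD4 so it runs offline, and shows that a server which replaces the DOMAIN part the client typed with its own domain (IQO, from the smb.conf above) can only verify the response when the client typed exactly that string. The user name, password, challenges, timestamp and empty target-info blob are constructed for the demonstration; only the domain name IQO comes from the thread. Note that `winbind use default domain = yes` in the posted smb.conf changes how winbind presents names to NSS, not what goes into the NTLMv2 calculation.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# MD4 rounds (RFC 1320): message-word order, additive constant, shifts, function
_ROUNDS = (
    (list(range(16)), 0x00000000, (3, 7, 11, 19), _f),
    ([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], 0x5A827999, (3, 5, 9, 13), _g),
    ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], 0x6ED9EBA1, (3, 9, 11, 15), _h),
)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4; included because OpenSSL builds often no longer expose it."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for order, konst, shifts, func in _ROUNDS:
            for i, k in enumerate(order):
                t = (a + func(b, c, d) + x[k] + konst) & MASK
                a, b, c, d = d, _lrot(t, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. This is what the DC stores."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NT hash over
    UTF-16LE(uppercase(user) + domain). The domain string is part of the key."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_proof(nthash, user, domain, server_challenge, client_challenge, timestamp, target_info=b""):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp) with the MS-NLMP
    'temp' blob layout (RespType 1, HiRespType 1, reserved, time, client nonce,
    reserved, AV pairs, reserved)."""
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    return hmac.new(ntowf_v2(nthash, user, domain), server_challenge + temp, "md5").digest()


# Constructed demo values; a real exchange would carry fresh random challenges.
DEMO_USER = "christian"
DEMO_PASSWORD = "Secret123!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TIMESTAMP = b"\x00" * 8


def proofs_by_client_domain(domains=("IQO", "WORKGROUP", "")):
    """Same account, same password, same challenges: only the DOMAIN string the
    client typed differs. Returns {domain: hex proof}."""
    nthash = nt_hash(DEMO_PASSWORD)
    return {dom: ntlmv2_proof(nthash, DEMO_USER, dom, SERVER_CHALLENGE,
                              CLIENT_CHALLENGE, TIMESTAMP).hex() for dom in domains}


def server_accepts(client_domain: str, server_assumed_domain: str) -> bool:
    """Client computes its proof with client_domain; the verifier (DC via winbind)
    recomputes it with server_assumed_domain against the stored NT hash.
    A server that discards the client's DOMAIN part and substitutes its own
    only succeeds when the two strings happen to be identical."""
    nthash = nt_hash(DEMO_PASSWORD)
    sent = ntlmv2_proof(nthash, DEMO_USER, client_domain, SERVER_CHALLENGE,
                        CLIENT_CHALLENGE, TIMESTAMP)
    expected = ntlmv2_proof(nthash, DEMO_USER, server_assumed_domain, SERVER_CHALLENGE,
                            CLIENT_CHALLENGE, TIMESTAMP)
    return hmac.compare_digest(sent, expected)


if __name__ == "__main__":
    for dom, proof in proofs_by_client_domain().items():
        print(f"client typed {dom or '<none>'}\\{DEMO_USER}: NTProofStr={proof}")
    print("server assumes IQO, client typed IQO:      ", server_accepts("IQO", "IQO"))
    print("server assumes IQO, client typed WORKGROUP:", server_accepts("WORKGROUP", "IQO"))
```

The `md4`, `nt_hash` and `ntowf_v2` functions can be checked against the RFC 1320 and MS-NLMP published test vectors. By contrast, the NTLMv1 NT response is a DES function of the NT hash and the server challenge alone, with no domain input, which is why an option that rewrote the domain could work for older clients but not for NTLMv2.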
> Dear list,
>
> when I connect to a samba AD member server from a windows 10 client not
> joined to the domain, it appears that I always have to connect as
> DOMAIN\USER. Is it possible to configure samba such that it always
> interprets the USER part as being the account name of the one domain
> that is configured, and to discard the DOMAIN part supplied by the
> client? This may be a dumb question, but thanks for any hints... Cheers,

samba <= 4.6 will work. samba 4.7 should work in theory, but it didn't. There is a workaround in the bugzilla, but I didn't try. I am afraid it will break anytime. Maybe you can give it a try...

https://bugzilla.samba.org/show_bug.cgi?id=13543
On Thu, 2 May 2019 14:05:12 +0800 d tbsky via samba <samba at lists.samba.org> wrote:
> > Dear list,
> >
> > when I connect to a samba AD member server from a windows 10 client
> > not joined to the domain, it appears that I always have to connect
> > as DOMAIN\USER. Is it possible to configure samba such that it
> > always interprets the USER part as being the account name of the
> > one domain that is configured, and to discard the DOMAIN part
> > supplied by the client? This may be a dumb question, but thanks for
> > any hints... Cheers,
>
> samba <= 4.6 will work. samba 4.7 should work in theory, but it
> didn't. there is workaround in the bugzilla, but I didn't try. I am
> afraid it will break anytime.
> maybe you can give it a try...
>
> https://bugzilla.samba.org/show_bug.cgi?id=13543
>

As Andrew has said, this will not work, and why you would want this escapes me? If it did work, you could end up with a user called 'fred' from DOMAIN_A and a user called 'fred' from DOMAIN_B, so which user would be the one used, the one from DOMAIN_A, or the one from DOMAIN_B, or both?

Rowland