Tim Miller
2019-Jun-05 01:49 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
Hi Rowland, Thanks very much for the reply and confirming what I suspected. One quick questions in-line, if I may: On 6/4/19 4:00 PM, Rowland penny via samba wrote:> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become > 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has > the correct password, then access will be allowed. The parameter 'map > untrusted to domain was removed at Samba 4.8.0, it was deprecated at > 4.7.0I found the patch that deprecated the option, with the comment (quoting from Volker Lendecke in https://lists.samba.org/archive/samba-technical/2017-March/119417.html): > In an active directory environment, we don't know of >a good way to enumerate all domains that we have to accept as trusted, >in particular with multiple forests, one-way and external trusts. We >hope to replace this parameter in the future with something that matches >Windows behaviour better, after the deprecation phase of this parameter >is over and we can remove it. Any notion of whether such a replacement is on the horizon at present? If not, we'll live with the behavior as-is. Regards, Tim
Christian Naumer
2019-Jun-05 04:10 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
Have you tried using domain\user to log in? That should work if this is the problem. Am 5. Juni 2019 03:49:43 MESZ schrieb Tim Miller via samba <samba at lists.samba.org>:>Hi Rowland, > >Thanks very much for the reply and confirming what I suspected. One >quick questions in-line, if I may: > >On 6/4/19 4:00 PM, Rowland penny via samba wrote: >> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become >> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has > >> the correct password, then access will be allowed. The parameter 'map > >> untrusted to domain was removed at Samba 4.8.0, it was deprecated at >> 4.7.0 >I found the patch that deprecated the option, with the comment (quoting > >from Volker Lendecke in >https://lists.samba.org/archive/samba-technical/2017-March/119417.html): > > > In an active directory environment, we don't know of >>a good way to enumerate all domains that we have to accept as trusted, > >in particular with multiple forests, one-way and external trusts. We >>hope to replace this parameter in the future with something that >matches >>Windows behaviour better, after the deprecation phase of this >parameter > >is over and we can remove it. > >Any notion of whether such a replacement is on the horizon at present? >If not, we'll live with the behavior as-is. > >Regards, >Tim-- Dr. Christian Naumer Research Scientist Plattform-Koordinator Bioprozesstechnik B.R.A.I.N Aktiengesellschaft Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.de, homepage www.brain-biotech.de fon +49-6251-9331-30 / fax +49-6251-9331-11 Sitz der Gesellschaft: Zwingenberg/Bergstrasse Registergericht AG Darmstadt, HRB 24758 Vorstand: Dr. Juergen Eck (Vorsitzender), Manfred Bender, Ludger Roedder Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
Rowland penny
2019-Jun-05 07:17 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
On 05/06/2019 02:49, Tim Miller via samba wrote:> Hi Rowland, > > Thanks very much for the reply and confirming what I suspected. One > quick questions in-line, if I may: > > On 6/4/19 4:00 PM, Rowland penny via samba wrote: >> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become >> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has >> the correct password, then access will be allowed. The parameter 'map >> untrusted to domain was removed at Samba 4.8.0, it was deprecated at >> 4.7.0 > I found the patch that deprecated the option, with the comment > (quoting from Volker Lendecke in > https://lists.samba.org/archive/samba-technical/2017-March/119417.html): > > > In an active directory environment, we don't know of > >a good way to enumerate all domains that we have to accept as trusted, > >in particular with multiple forests, one-way and external trusts. We > >hope to replace this parameter in the future with something that matches > >Windows behaviour better, after the deprecation phase of this parameter > >is over and we can remove it. > > Any notion of whether such a replacement is on the horizon at present? > If not, we'll live with the behavior as-is. > > Regards, > Tim >Sorry, but I have no idea what Volker is planning, if anything. That 'we hope' has the sound of 'perhaps' to me ;-) Rowland
Rowland penny
2019-Jun-05 07:20 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
On 05/06/2019 05:10, Christian Naumer via samba wrote:> Have you tried using domain\user to log in? That should work if this is the problem. >That would come under the heading of trusts and require modification of smb.conf. This is hardly the same as 'map untrusted to domain' Rowland
Apparently Analagous Threads
- Upgrade from 4.9.8 to 4.10.3 on Centos using Sernet Packages
- Upgrade from 4.9.8 to 4.10.3 on Centos using Sernet Packages
- Samba with AD : SID rejected
- Upgrade from 4.9.8 to 4.10.3 on Centos using Sernet Packages
- Upgrade from 4.9.8 to 4.10.3 on Centos using Sernet Packages