Tim Miller
2019-Jun-05 01:49 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
Hi Rowland,

Thanks very much for the reply and confirming what I suspected. One quick question in-line, if I may:

On 6/4/19 4:00 PM, Rowland penny via samba wrote:
> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become
> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has
> the correct password, then access will be allowed. The parameter 'map
> untrusted to domain' was removed at Samba 4.8.0, it was deprecated at
> 4.7.0

I found the patch that deprecated the option, with the comment (quoting from Volker Lendecke in https://lists.samba.org/archive/samba-technical/2017-March/119417.html):

> In an active directory environment, we don't know of
> a good way to enumerate all domains that we have to accept as trusted,
> in particular with multiple forests, one-way and external trusts. We
> hope to replace this parameter in the future with something that matches
> Windows behaviour better, after the deprecation phase of this parameter
> is over and we can remove it.

Any notion of whether such a replacement is on the horizon at present? If not, we'll live with the behavior as-is.

Regards,
Tim
Christian Naumer
2019-Jun-05 04:10 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
Have you tried using domain\user to log in? That should work if this is the problem.

On 5 June 2019 03:49:43 CEST, Tim Miller via samba <samba at lists.samba.org> wrote:
> Hi Rowland,
>
> Thanks very much for the reply and confirming what I suspected. One
> quick question in-line, if I may:
>
> On 6/4/19 4:00 PM, Rowland penny via samba wrote:
>> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become
>> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has
>> the correct password, then access will be allowed. The parameter 'map
>> untrusted to domain' was removed at Samba 4.8.0, it was deprecated at
>> 4.7.0
> I found the patch that deprecated the option, with the comment (quoting
> from Volker Lendecke in
> https://lists.samba.org/archive/samba-technical/2017-March/119417.html):
>
>> In an active directory environment, we don't know of
>> a good way to enumerate all domains that we have to accept as trusted,
>> in particular with multiple forests, one-way and external trusts. We
>> hope to replace this parameter in the future with something that matches
>> Windows behaviour better, after the deprecation phase of this parameter
>> is over and we can remove it.
>
> Any notion of whether such a replacement is on the horizon at present?
> If not, we'll live with the behavior as-is.
>
> Regards,
> Tim

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
Rowland penny
2019-Jun-05 07:17 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
On 05/06/2019 02:49, Tim Miller via samba wrote:
> Hi Rowland,
>
> Thanks very much for the reply and confirming what I suspected. One
> quick question in-line, if I may:
>
> On 6/4/19 4:00 PM, Rowland penny via samba wrote:
>> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become
>> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has
>> the correct password, then access will be allowed. The parameter 'map
>> untrusted to domain' was removed at Samba 4.8.0, it was deprecated at
>> 4.7.0
> I found the patch that deprecated the option, with the comment
> (quoting from Volker Lendecke in
> https://lists.samba.org/archive/samba-technical/2017-March/119417.html):
>
>> In an active directory environment, we don't know of
>> a good way to enumerate all domains that we have to accept as trusted,
>> in particular with multiple forests, one-way and external trusts. We
>> hope to replace this parameter in the future with something that matches
>> Windows behaviour better, after the deprecation phase of this parameter
>> is over and we can remove it.
>
> Any notion of whether such a replacement is on the horizon at present?
> If not, we'll live with the behavior as-is.
>
> Regards,
> Tim
>

Sorry, but I have no idea what Volker is planning, if anything. That 'we hope' has the sound of 'perhaps' to me ;-)

Rowland
Rowland penny
2019-Jun-05 07:20 UTC
[Samba] ADS security mode - authenticating non-domain Linux users
On 05/06/2019 05:10, Christian Naumer via samba wrote:
> Have you tried using domain\user to log in? That should work if this is the problem.
>

That would come under the heading of trusts and require modification of smb.conf. This is hardly the same as 'map untrusted to domain'

Rowland