Goetz, Patrick G
2019-Jun-25 16:11 UTC
[Samba] SMB share access for machines which are not joined to the domain?
Samba 4.7.6 running on Ubuntu 18.04, with host joined to an AD domain as a domain member. I have all this working perfectly for SMB clients which are joined to the domain, however I need to provide SMB access (if possible) to a handful of machines that are not domain members and can't be made domain members. Is there any way to do this? I thought configuring "allow hosts" in smb.conf with the IP addresses of the 2-4 machines in question might work, but this seems to restrict all access, in particular blocking domain-joined clients when configured.
Rowland penny
2019-Jun-25 16:20 UTC
[Samba] SMB share access for machines which are not joined to the domain?
On 25/06/2019 17:11, Goetz, Patrick G via samba wrote:
> Samba 4.7.6 running on Ubuntu 18.04, with host joined to an AD domain as
> a domain member.
>
> I have all this working perfectly for SMB clients which are joined to
> the domain, however I need to provide SMB access (if possible) to a
> handful of machines that are not domain members and can't be made domain
> members. Is there any way to do this?
>
> I thought configuring "allow hosts" in smb.conf with the IP addresses of
> the 2-4 machines in question might work, but this seems to restrict all
> access, in particular blocking domain-joined clients when configured.
>
The only way would be to add 'map to guest = bad user' to [global] and 'guest ok = yes' to the share you want to connect to, then connect with a user that is unknown to the domain.

This is very insecure, as the share will be wide open and everything in the share will belong to the Unix guest user (not to be confused with the Windows guest user) and any user will be able to read anything.

Why can the machines not be joined to the domain?

Rowland
Gregory Sloop
2019-Jun-25 16:21 UTC
[Samba] SMB share access for machines which are not joined to the domain?
Are these clients Windows machines? [I suppose it doesn't matter.]

You can always connect to the SMB share using a domain user/password credential set, even if you're not a member of the domain.
Something like - Connect as: User: "somedomain\pat" with Pat's password.

But perhaps I'm missing something?

-Greg

GPGvs> Samba 4.7.6 running on Ubuntu 18.04, with host joined to an AD domain as
GPGvs> a domain member.
GPGvs> I have all this working perfectly for SMB clients which are joined to
GPGvs> the domain, however I need to provide SMB access (if possible) to a
GPGvs> handful of machines that are not domain members and can't be made domain
GPGvs> members. Is there any way to do this?
GPGvs> I thought configuring "allow hosts" in smb.conf with the IP addresses of
GPGvs> the 2-4 machines in question might work, but this seems to restrict all
GPGvs> access, in particular blocking domain-joined clients when configured.
Goetz, Patrick G
2019-Jun-25 16:57 UTC
[Samba] SMB share access for machines which are not joined to the domain?
On 6/25/19 11:20 AM, Rowland penny via samba wrote:
>
> Why can the machines not be joined to the domain ?
>
They're control PCs in a microscopy lab on a private network that can access the SMB server (which is on 2 networks), but won't be able to contact the campus-wide domain controllers. Also, the software is technically maintained by the vendor although we do install stuff.

We have a data collection pipeline that moves data directly to the SMB server (perhaps the least of this machine's functions), but when people collect data outside the pipeline (which happens regularly) it would be nice to be able to just drag it to an SMB-mounted drive. Using winscp is doable, but not optimal; I tried setting them up with Expandrive, but this inexplicably resulted in occasional data corruption on file transfer, and now they don't trust it.
Goetz, Patrick G
2019-Jun-25 17:37 UTC
[Samba] SMB share access for machines which are not joined to the domain?
On 6/25/19 11:21 AM, Gregory Sloop via samba wrote:
> You can always connect to the SMB share using a domain user/password credential set, even if you're not a member of the domain.
> Something like - Connect as: User: "somedomain\pat" with Pat's password.
>
When we try this from a machine that is not connected to the domain, authentication fails:

C:\Users\cns-dbr2717>net use * \\cns-bio-krak1.austin.utexas.edu\emtifs /user:austin.utexas.edu\dbr2717
System error 1311 has occurred.

We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your organization's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

We experimented, switching between security = ADS and security = user. This doesn't seem to matter for domain users connecting from a domain host, but neither works for a domain user connecting from a non-domain host. Connecting to a Windows SMB server, this does work.

Some information found online seems to suggest that this (domain user, non-domain host) *would* work if we were running winbind, but Rowland seems to suggest this isn't the case, either. In theory it should be possible to run sssd and winbind on the SMB server, but we put some minimal effort into this and couldn't get it to work. Likely will work in a couple of software iterations.
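Two smb.conf points come up in this thread: Rowland's warning that 'map to guest = bad user' in [global] combined with 'guest ok = yes' on a share leaves that share open to anyone, and Patrick's observation that "allow hosts" restricted every client rather than only the shares he meant. The second follows from how Samba scopes share-level parameters: 'hosts allow' (for which 'allow hosts' is a synonym) set in [global] becomes the default for all shares, while set inside a share section it applies only there. The audit script below is an added example, not Samba's own tooling or the poster's configuration: it parses a constructed sample smb.conf (the share name emtifs is taken from the thread, the paths and 192.0.2.x addresses are made up) and reports which shares are reachable by an unknown user and where each share's host restriction comes from. The parser is deliberately minimal: it handles section headers, key = value lines, Samba's case- and whitespace-insensitive parameter names and the common synonyms, but not 'include', 'copy' or '%' variable substitution.

```python
"""Audit an smb.conf for guest exposure and for the scope of 'hosts allow'.

Added example, not part of Samba. Checks the two things discussed in the
thread: whether 'map to guest = bad user' plus 'guest ok = yes' leaves a
share open to unknown users, and whether a 'hosts allow' line sits in
[global] (restricting every share) or in one share section.
"""
import re

# Constructed sample configuration; not the poster's real smb.conf.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LOCAL
   security = ADS
   map to guest = bad user

[emtifs]
   path = /srv/emtifs
   read only = no
   guest ok = yes

[pipeline]
   path = /srv/pipeline
   allow hosts = 192.0.2.10 192.0.2.11
   read only = no

[homes]
   browseable = no
"""

# Samba matches parameter names ignoring case and whitespace and accepts
# several synonyms; fold everything onto one canonical spelling.
SYNONYMS = {"allowhosts": "hostsallow", "denyhosts": "hostsdeny", "public": "guestok"}


def canon(name):
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section_name: {canonical_key: value}}; section names keep their case."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or whole-line comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][canon(key)] = value.strip()
    return sections


def effective(conf, share, key):
    """Share-level value if present, else the [global] default, else None."""
    k = canon(key)
    if k in conf.get(share, {}):
        return conf[share][k]
    return conf.get("global", {}).get(k)


def is_true(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def shares(conf):
    return [s for s in conf if s.lower() != "global"]


def guest_accessible_shares(conf):
    """Shares an unknown user can open with no valid credential at all."""
    map_guest = conf.get("global", {}).get("maptoguest", "never").lower()
    if map_guest == "never":                 # Samba's default: unknown users are rejected
        return []
    return [s for s in shares(conf) if is_true(effective(conf, s, "guest ok"))]


def host_restrictions(conf):
    """For each share, report where its 'hosts allow' comes from and what it lists.

    A [global] entry is reported against every share, which is the behaviour
    the original poster saw: clients outside the list lose all access.
    """
    out = {}
    for s in shares(conf):
        if "hostsallow" in conf[s]:
            out[s] = ("share", conf[s]["hostsallow"].split())
        elif "hostsallow" in conf.get("global", {}):
            out[s] = ("global", conf["global"]["hostsallow"].split())
    return out


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("guest-accessible shares:", guest_accessible_shares(conf))
    for share, (scope, hosts) in host_restrictions(conf).items():
        print(f"{share}: hosts allow from [{scope}] -> {hosts}")
```

Run against the sample, it reports emtifs as guest-accessible (the combination Rowland describes) and shows the host list on pipeline as share-scoped; move that 'allow hosts' line into [global] and every share is reported as restricted by it, which is the effect described in the first post.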