On 19/08/2019 21:29, Bob Wyatt wrote:
> Rowland,
>
> I wish to thank you for your patience with me and your responses...
> This note is also to seek some clarity, if I may...
> The clarity desired is prefixed with [BW]...
>
> Bob Wyatt
> -----Original Message-----
> From: Rowland penny <rpenny at samba.org>
> Sent: Saturday, August 17, 2019 1:26 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.8.3 - Stand-alone server
>
> On 17/08/2019 17:47, Bob Wyatt via samba wrote:
>> The network administrator added the guest parameter when we could not
>> successfully connect otherwise.
>>
>> It is not desired to acquire access as a guest.
> Then remove 'map to guest = Bad User' from [global] and make
> 'AXIARListen' look like this:
>
> [AXIARListen]
> comment = Axiar Listen directory Retrieval
> path = /AXIAR/listen
> read only = no
> create mask = 0770
>
>> From my experience with Samba3, I was expecting Windows to cache the
>> credentials until the next user workstation reboot.
> It would, if you create users correctly, which brings us to 'unix
> password sync = no', change the 'no' to 'yes' and create Unix users and
> then make them Samba users with 'smbpasswd -a username' run by root or
> with sudo.
>
>
> [BW] In the STA domain, unix, and samba, using userid bwyatt; passwords
> are the same for the three users. Trying to map the share failed before the
> initial post here, and before the network administrator added the guest clause
> to AxiarListen. I'll test this again after the adjustments recommended.
> Setting passwd sync = 'yes' can be done easily; the current application changes
> the unix password separately from the samba password (as they were version 3).
>
>> The samba login credentials for users added were not in the domain\username
>> format; they were local (to RHEL) login I.D.'s, such as bwyatt.
> Yes, I supposed that they were Unix users.
>> When the user credentials box pops up, I have no way to be rid of the domain
>> part of the credentials; we want to use the same login I.D. (such as bwyatt)
>> for both RHEL/database access and Samba share access.
> On a standalone server another name for 'domain' is 'workgroup' so you
> need to be entering 'STA' here
>> This server's user login is not a domain user I.D.; aside from me, the
>> logins are totally disparate.
> Hard luck, they need to be Unix & Samba users that match your Windows
> users.
>
> [BW] We don't want Samba being a DC; we were doing standalone to maintain
> some degree of separation between the domain and the database. The issue we'd
> like to avoid is forcing the user to change their samba and unix user passwds
> whenever they change the domain passwd; we fear it will be the forgotten step.
> If we join the database server to the domain (no more separation), and configure
> for single sign-on, will we still need to update samba passwd?
>
> Two final thoughts, your email client is terrible and if you reply to
> this, please reply to the thread, do not open a new one.
> [BW] Yea, that was my fault. I normally use Outlook (I know) for work, and I
> use gmail for other stuff. It just so happens this address is sync'd in Outlook
> (sorry).
> Rowland
>
>
> Thanks again for your patience and assistance!
>
I think your problems all stem from your efforts to keep everything
separate ;-)
Even if you do use a standalone server, then your Windows users (if you
want to use authentication) will have to be known to the standalone
server with the same password (unless they want to be asked for their
password every time).
If you are running a domain, I do not understand why you do not just
join the standalone server to the domain as a Unix domain member, all
your authentication problems would then go away.
Another name for a Windows PC that is not joined to a domain is a
standalone server, would you run a Windows machine in the same way that
you are running this Samba machine ?
If you insist on running Samba as a standalone server, then you should
create any Windows users, that you want to access it, as Unix & Samba
users using the same password as the Windows user. You will then need to
come up with some way to change the passwords on the standalone server
when the user's Windows password is changed. Still want to run Samba as a
standalone server ?
Just one final thought, a group of standalone servers (Unix and/or
Windows) is called a workgroup and they were terrible to maintain once
you got past a dozen users/computers because of the user password
problem, why do you think Microsoft came up with domains in the first
place, they do not scale.
Rowland
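
Added example, not part of the thread or of Samba itself: a small Python check that reads an smb.conf and reports the settings discussed above (guest mapping in [global], guest access on a share, and 'unix password sync' left off). The sample configuration is constructed; its 'guest ok = yes' line is an assumption standing in for the "guest parameter" mentioned in the thread, whose exact form is not shown.

```python
import configparser

# Constructed sample: the thread's share plus the settings it advises changing.
SAMPLE_SMB_CONF = """
[global]
workgroup = STA
map to guest = Bad User
unix password sync = no

[AXIARListen]
comment = Axiar Listen directory Retrieval
path = /AXIAR/listen
read only = no
create mask = 0770
guest ok = yes
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()


def audit_smb_conf(text):
    """Return (section, parameter, message) findings for guest and password-sync settings."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None,
                                          delimiters=("=",), comment_prefixes=("#", ";"))
    parser.optionxform = norm
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        opts = dict(parser.items(section))
        is_global = section.lower() == "global"
        if is_global and opts.get("maptoguest", "never").lower() != "never":
            findings.append((section, "map to guest", "failed logons fall back to guest"))
        if is_global and opts.get("unixpasswordsync", "no").lower() not in TRUE_VALUES:
            findings.append((section, "unix password sync", "Unix and Samba passwords can drift"))
        for key in ("guestok", "public", "guestonly"):
            if not is_global and opts.get(key, "no").lower() in TRUE_VALUES:
                findings.append((section, key, "share accepts guest connections"))
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print("%s: %s -> %s" % finding)
```
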