On 30/08/2019 17:25, Rowland penny via samba wrote:
> On 30/08/2019 17:12, lejeczek via samba wrote:
>> hi guys,
>>
>> with Samba as below
>>
>> [global]
>>     workgroup = NNNR
>>     netbios name = PA2
>>     realm = PRIVATE.REALM.MINE
>>     kerberos method = dedicated keytab
>>     dedicated keytab file = /etc/samba/samba.keytab
>>     create krb5 conf = no
>>     security = user
>>     domain master = yes
>>     domain logons = yes
>>
>> Should nodes/clients outside of domain (non-members) be
>> able to access (with user+pass) Samba shares?
>>
>> many thanks, L.
>>
>
> 99% of that smb.conf is for a Unix Domain member, but
> 'security = user' should be 'security = ADS' and it
> wouldn't be a PDC (domain master = yes) because it is
> using kerberos.
>
> There are also no auth lines that are required for a Unix
> domain member.
>
> To put it another way, that is a borked smb.conf.
>
> If you just want a standalone server, see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>
> If you want something else, please explain just what you
> are trying to achieve.
>
> Rowland
>

Yes, it's a unix domain for it's a "regular" FreeIPA's Samba. Out of box this, I think, only does windows when trusted to an AD and from there, from/via AD win clients work.
But I was hoping that outside of kerberos/domain clients(win 10), perhaps with user+pass could be mangled into such FreeIPA's Samba.

many thanks, L.
Rowland penny
2019-Aug-30 18:34 UTC
[Samba] to shares access from non-member clients/nodes
On 30/08/2019 19:13, lejeczek via samba wrote:
>
> On 30/08/2019 17:25, Rowland penny via samba wrote:
>> On 30/08/2019 17:12, lejeczek via samba wrote:
>>> hi guys,
>>>
>>> with Samba as below
>>>
>>> [global]
>>>     workgroup = NNNR
>>>     netbios name = PA2
>>>     realm = PRIVATE.REALM.MINE
>>>     kerberos method = dedicated keytab
>>>     dedicated keytab file = /etc/samba/samba.keytab
>>>     create krb5 conf = no
>>>     security = user
>>>     domain master = yes
>>>     domain logons = yes
>>>
>>> Should nodes/clients outside of domain (non-members) be
>>> able to access (with user+pass) Samba shares?
>>>
>>> many thanks, L.
>>>
>>
>> 99% of that smb.conf is for a Unix Domain member, but
>> 'security = user' should be 'security = ADS' and it
>> wouldn't be a PDC (domain master = yes) because it is
>> using kerberos.
>>
>> There are also no auth lines that are required for a Unix
>> domain member.
>>
>> To put it another way, that is a borked smb.conf.
>>
>> If you just want a standalone server, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>>
>> If you want something else, please explain just what you
>> are trying to achieve.
>>
>> Rowland
>>
>
> Yes, it's a unix domain for it's a "regular" FreeIPA's
> Samba. Out of box this, I think, only does windows when
> trusted to an AD and from there, from/via AD win clients work.
> But I was hoping that outside of kerberos/domain clients(win
> 10), perhaps with user+pass could be mangled into such
> FreeIPA's Samba.
> many thanks, L.
>

I think you need to think the other way, how to use Samba with FreeIPA, which I haven't got a clue about, but here is a starting point:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Rowland
Joachim Lindenberg
2019-Sep-01 07:45 UTC
[Samba] to shares access from non-member clients/nodes
To the original question
> Should nodes/clients outside of domain (non-members) be able to access (with user+pass) Samba shares?

I was tempted to write "yes, of course", but then I realized the share I was thinking of is hosted by windows rather than samba...

What does work: non-domain clients can connect to a windows share hosted by a domain member using domain\user + password. I am using that frequently.

Now if I try similar with a samba share it fails. The only samba shares I run are those shared by the domain controllers, thus I tried "net use \\boa.samba.lindenberg.one\sysvol /user:samba\joachim", but after supplying the password several times I get system error 5 permission denied.

Ok, sysvol is not really relevant to non-domain clients, but what that tells me is that there is a difference in behavior between samba and windows servers. I am not ruling out it can be a configuration issue as well, but at least looking at the security tab of the shares with windows explorer I cannot really tell why it should fail.

Thanks, Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Friday, 30 August 2019 20:35
To: samba at lists.samba.org
Subject: Re: [Samba] to shares access from non-member clients/nodes

On 30/08/2019 19:13, lejeczek via samba wrote:
>
> On 30/08/2019 17:25, Rowland penny via samba wrote:
>> On 30/08/2019 17:12, lejeczek via samba wrote:
>>> hi guys,
>>>
>>> with Samba as below
>>>
>>> [global]
>>> workgroup = NNNR
>>> netbios name = PA2
>>> realm = PRIVATE.REALM.MINE
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = /etc/samba/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> domain master = yes
>>> domain logons = yes
>>>
>>> Should nodes/clients outside of domain (non-members) be able to
>>> access (with user+pass) Samba shares?
>>>
>>> many thanks, L.
>>>
>>
>> 99% of that smb.conf is for a Unix Domain member, but 'security =
>> user' should be 'security = ADS' and it wouldn't be a PDC (domain
>> master = yes) because it is using kerberos.
>>
>> There are also no auth lines that are required for a Unix domain
>> member.
>>
>> To put it another way, that is a borked smb.conf.
>>
>> If you just want a standalone server, see here:
>>
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>>
>> If you want something else, please explain just what you are trying
>> to achieve.
>>
>> Rowland
>>
>
> Yes, it's a unix domain for it's a "regular" FreeIPA's Samba. Out of
> box this, I think, only does windows when trusted to an AD and from
> there, from/via AD win clients work.
> But I was hoping that outside of kerberos/domain clients(win 10),
> perhaps with user+pass could be mangled into such FreeIPA's Samba.
> many thanks, L.
>

I think you need to think the other way, how to use Samba with FreeIPA, which I haven't got a clue about, but here is a starting point:

https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba