Harald Hannelius
2020-Jun-04 12:49 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
We have a Windows domain "AD" and a Samba domain "SAD" running Samba 4.9 in AD mode.

We also have an old NT4 domain called "Samba" running Samba 3.6 + OpenLDAP.

We have the same users and passwords in all three. The user objects in the "SAD" domain have the same uidNumber as in the "Samba" domain.

Workstations and users log on to the Windows domain "AD".

Previously users mapped their home drive from the NT4 domain "Samba", running Samba 3.6 + OpenLDAP. In order for this to go smoothly we were using the option "map untrusted to domain = yes" so the users from the "AD" domain were able to map their drives from the "Samba" domain without entering their passwords.

Now we would like the users in the Windows domain "AD" to map their home drive from a fileserver in the "SAD" domain.

Question 1)
Is this possible anymore? The option "map untrusted to domain" doesn't seem to exist anymore.

Question 2)
Does a Windows client behave differently when speaking to an NT4 domain or an AD domain in how they try passwords? I have a feeling that users in the "AD" domain didn't need to (manually at least) enter any passwords to get their drives mapped from the "Samba" domain. "It just worked".

Question 3)
If I would enable trust between "AD" and "SAD", would users trying to access files on a Samba fileserver be mapped to the uidNumber in the "SAD" DS? Or would they be mapped to something entirely else? I'm not really understanding the idmap and identities, it seems.

Many thanks for your time!

The fileserver:

# Global parameters
[global]
	dedicated keytab file = /etc/krb5.keytab
	disable spoolss = Yes
	kerberos method = secrets and keytab
	load printers = No
	printcap name = /dev/null
	realm = SAD.ARCADA.FI
	security = ADS
	username map = /etc/samba/user.map
	utmp = Yes
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	workgroup = SAD
	idmap config sad:unix_primary_group = yes
	idmap config sad:unix_nss_info = yes
	idmap config sad:range = 500-4000000
	idmap config sad:schema_mode = rfc2307
	idmap config sad:backend = ad
	idmap config * : range = 5000000-9000000
	idmap config * : backend = tdb
	map acl inherit = Yes
	printing = bsd
	vfs objects = acl_xattr

[homes]
	browseable = No
	comment = Home Directories
	create mask = 0604
	directory mask = 0705
	force directory mode = 0705
	read only = No

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Rowland penny
2020-Jun-04 13:11 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>
> We have a Windows domain "AD" and a Samba domain "SAD" running Samba
> 4.9 in AD mode.
>
> We also have an old NT4 domain called "Samba" running Samba 3.6 +
> OpenLDAP.
>
> We have the same users and passwords in all three. The user objects in
> the "SAD" domain have the same uidNumber as in the "Samba" domain.
>
> Workstations and users log on to the Windows domain "AD".
>
> Previously users mapped their home drive from the NT4 domain "Samba",
> running Samba 3.6 + OpenLDAP. In order for this to go smoothly we
> were using the option "map untrusted to domain = yes" so the users
> from the "AD" domain were able to map their drives from the "Samba"
> domain without entering their passwords.
>
> Now we would like the users in the Windows domain "AD" to map their
> home drive from a fileserver in the "SAD" domain.
>
> Question 1)
> Is this possible anymore? The option "map untrusted to domain" doesn't
> seem to exist anymore.

It was removed at 4.8.0

> Question 2)
> Does a Windows client behave differently when speaking to an NT4 domain
> or an AD domain in how they try passwords? I have a feeling that users in
> the "AD" domain didn't need to (manually at least) enter any passwords
> to get their drives mapped from the "Samba" domain. "It just worked".

An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants you to use. The latest Samba versions use a minimum of SMBv2 by default.

> Question 3)
> If I would enable trust between "AD" and "SAD", would users trying to
> access files on a Samba fileserver be mapped to the uidNumber in the "SAD"
> DS? Or would they be mapped to something entirely else? I'm not really
> understanding the idmap and identities, it seems.

No, you would have to give one set of users new uidNumbers and create another 'idmap config' block in smb.conf. You could use autorid instead, but this would mean totally new IDs everywhere.

Rowland
Harald Hannelius
2020-Jun-04 13:46 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:
> On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>>
>> Question 2)
>> Does a Windows client behave differently when speaking to an NT4 domain or
>> an AD domain in how they try passwords? I have a feeling that users in the
>> "AD" domain didn't need to (manually at least) enter any passwords to get
>> their drives mapped from the "Samba" domain. "It just worked".
> An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants
> you to use. The latest Samba versions use a minimum of SMBv2 by default.

Thanks, now I remember.

>> Question 3)
>> If I would enable trust between "AD" and "SAD", would users trying to
>> access files on a Samba fileserver be mapped to the uidNumber in the "SAD" DS?
>> Or would they be mapped to something entirely else? I'm not really
>> understanding the idmap and identities, it seems.
> No, you would have to give one set of users new uidNumbers and create another
> 'idmap config' block in smb.conf. You could use autorid instead, but this
> would mean totally new IDs everywhere.

So the best way for me would be to implement the RFC2307/SFU schema in the Windows AD "AD", add the same uidNumber for every user in "AD" as they had in the old "Samba" domain, and then just join the fileservers to the "AD" domain? Then I change the map range to be like it was for the "SAD" domain.

It's more like migrating filesystems with users and groups tied to files than just migrating users.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Harald Hannelius
2020-Jun-04 14:03 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:
> On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>>
>> Question 3)
>> If I would enable trust between "AD" and "SAD", would users trying to
>> access files on a Samba fileserver be mapped to the uidNumber in the "SAD" DS?
>> Or would they be mapped to something entirely else? I'm not really
>> understanding the idmap and identities, it seems.
> No, you would have to give one set of users new uidNumbers and create another
> 'idmap config' block in smb.conf. You could use autorid instead, but this
> would mean totally new IDs everywhere.

Can't I just use the same idmap range for the "SAD" and "AD" domains? They are, after all, the same users in both domains.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
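Rowland's answer above (a second 'idmap config' block for the other domain) and the follow-up question (can both domains share one range?) come down to a single rule from smb.conf(5): the ranges of the individual 'idmap config DOMAIN : range' entries, including the default '*' range, must not overlap, because winbind has to be able to tell from a uid alone which domain it belongs to. The script below is an added example, not code from the poster or from the Samba project. It extracts the idmap ranges from an smb.conf and reports overlaps and a missing default range. The two configurations it checks are constructed: they keep the poster's SAD and '*' ranges and add a hypothetical "AD" block; the first reuses the SAD range (what the follow-up asks about), the second moves "AD" to an assumed, unused range of 4000001-4999999. Run it with 'python3 check_idmap.py /etc/samba/smb.conf' to check a real file.

```python
"""Check that 'idmap config DOM : range' entries in an smb.conf do not overlap."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the poster's SAD and '*' ranges plus a hypothetical "AD"
# block that reuses the SAD range. This is what "same range for both domains"
# would look like and is exactly the overlap winbind cannot work with.
SMB_CONF_OVERLAPPING = """
[global]
    workgroup = SAD
    realm = SAD.ARCADA.FI
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 5000000-9000000
    idmap config sad:backend = ad
    idmap config sad:schema_mode = rfc2307
    idmap config sad:range = 500-4000000
    idmap config ad : backend = ad
    idmap config ad : schema_mode = rfc2307
    idmap config ad : range = 500-4000000
"""

# Constructed sample: the same file with the hypothetical "AD" block moved to an
# assumed free range that sits between the SAD range and the '*' range.
SMB_CONF_FIXED = SMB_CONF_OVERLAPPING.replace(
    "idmap config ad : range = 500-4000000",
    "idmap config ad : range = 4000001-4999999",
)

# Matches both spellings seen in the thread: "idmap config sad:range" and
# "idmap config * : range". Domain names are case-insensitive in winbind.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every idmap range in the config text."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for match in RANGE_RE.finditer(conf):
        domain = match.group(1).strip().upper()
        low, high = int(match.group(2)), int(match.group(3))
        if low > high:
            raise ValueError(f"idmap range for {domain} is inverted: {low}-{high}")
        ranges[domain] = (low, high)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return every pair of domains whose ranges share at least one ID."""
    domains = sorted(ranges)
    overlaps = []
    for i, a in enumerate(domains):
        a_low, a_high = ranges[a]
        for b in domains[i + 1:]:
            b_low, b_high = ranges[b]
            # Two closed intervals intersect iff each starts before the other ends.
            if a_low <= b_high and b_low <= a_high:
                overlaps.append((a, b))
    return overlaps


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges are usable."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no default 'idmap config * : range' for BUILTIN and unknown SIDs")
    for a, b in find_overlaps(ranges):
        problems.append(
            f"range for {a} {ranges[a]} overlaps range for {b} {ranges[b]}"
        )
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SMB_CONF_OVERLAPPING
    found = check_idmap(text)
    for line in found or ["idmap ranges look consistent"]:
        print(line)
    sys.exit(1 if found else 0)
```

The script only models the one constraint the thread turns on; it does not know which backend each block uses, so it cannot tell you whether a given uidNumber in AD actually falls inside the range you gave that domain. For that, 'wbinfo --sid-to-uid' against a real user SID and 'getent passwd' on the fileserver remain the checks to run after changing smb.conf.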
Marco Gaiarin
2020-Jun-04 15:30 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
Mandi! Harald Hannelius via samba
  In chel di` si favelave...

> Question 2)
> Does a Windows client behave differently when speaking to an NT4 domain or an
> AD domain in how they try passwords? I have a feeling that users in the
> "AD" domain didn't need to (manually at least) enter any passwords to get
> their drives mapped from the "Samba" domain. "It just worked".

Only a note.

CLIENT Windows OSes try to be 'polite' handling auth, so if you have the same username and the same password in two domains (and, as stated by Rowland, you have SMB1 active), auth must work.

But, I restate, it seems not to be some sort of 'server magic', only 'client magic': e.g., the Windows client tries to auth without the domain info, and so succeeds.

Do some tests. ;-)

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Harald Hannelius
2020-Jun-04 18:35 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Marco Gaiarin via samba wrote:
> Mandi! Harald Hannelius via samba
>   In chel di` si favelave...
>
>> Question 2)
>> Does a Windows client behave differently when speaking to an NT4 domain or an
>> AD domain in how they try passwords? I have a feeling that users in the
>> "AD" domain didn't need to (manually at least) enter any passwords to get
>> their drives mapped from the "Samba" domain. "It just worked".
>
> Only a note.
>
> CLIENT Windows OSes try to be 'polite' handling auth, so if you have the
> same username and the same password in two domains (and, as stated by
> Rowland, you have SMB1 active), auth must work.

Well, in the old NT4 domain we had. The current issue is how to replicate that behaviour between two AD domains. Which seems impossible.

After giving it a thought, I might just have the users enter their username and password. It's the same, bar the domain part of the username. Let's see what support thinks about my plan :)

> But, I restate, it seems not to be some sort of 'server magic', only 'client
> magic': e.g., the Windows client tries to auth without the domain info, and so
> succeeds.
>
> Do some tests. ;-)

Yes, tested by deleting all credentials. The credentials stored were the old NT4-style domain credentials. The AD-level domain's credentials weren't stored in the credential manager.

Thanks

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020