Harald Hannelius
2020-Jun-04 12:49 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
We have a windows domain "AD" and a samba domain "SAD" running Samba 4.9 in AD-mode. We also have an old NT4 domain called "Samba" running Samba 3.6 + OpenLDAP. We have the same users and passwords in all three. The user objects in the "SAD"-domain have the same uidNumber as in the "Samba"-domain. Workstations and users log on to the windows domain "AD". Previously users mapped their homedrive from the NT4-domain "Samba", running samba 3.6 + OpenLDAP. In order for this to go smoothly we where using the option "map untrusted to domain = yes" so the users from the "AD"-domain where able to map their drives from the "Samba" domain without entering their passwords. Now we would like the users in the Windows domain "AD" to map their homedrive from a fileserver in the "SAD" domain. Question 1) Is this possible anymore? The option "map untrusted to domain" doesn't seem to exist anymore. Question 2) Does a windows client behave differently when speaking to a NT4-domain or an AD-domain in how they try passwords? I have a feeling that users in the "AD"-domain didn't need to (manually at least) enter any passwords to get their drives mapped from the "Samba" domain. "It just worked". Question 3) If I would enable trust between "AD" and "SAD", would users trying to access files on a Samba fileserver be mapped to the uidNumber in "SAD" DS? Or would they be mapped to something entirely else? I'm not really understanding the idmap and identities it seems. Many thanks for your time! The fileserver: # Global parameters [global] dedicated keytab file = /etc/krb5.keytab disable spoolss = Yes kerberos method = secrets and keytab load printers = No printcap name = /dev/null realm = SAD.ARCADA.FI security = ADS username map = /etc/samba/user.map utmp = Yes winbind enum groups = Yes winbind enum users = Yes winbind refresh tickets = Yes winbind use default domain = Yes workgroup = SAD idmap config sad:unix_primary_group = yes idmap config sad:unix_nss_info = yes idmap config sad:range = 500-4000000 idmap config sad:schema_mode = rfc2307 idmap config sad:backend = ad idmap config * : range = 5000000-9000000 idmap config * : backend = tdb map acl inherit = Yes printing = bsd vfs objects = acl_xattr [homes] browseable = No comment = Home Directories create mask = 0604 directory mask = 0705 force directory mode = 0705 read only = No -- Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Rowland penny
2020-Jun-04 13:11 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On 04/06/2020 13:49, Harald Hannelius via samba wrote:> > > We have a windows domain "AD" and a samba domain "SAD" running Samba > 4.9 in AD-mode. > > We also have an old NT4 domain called "Samba" running Samba 3.6 + > OpenLDAP. > > We have the same users and passwords in all three. The user objects in > the "SAD"-domain have the same uidNumber as in the "Samba"-domain. > > Workstations and users log on to the windows domain "AD". > > Previously users mapped their homedrive from the NT4-domain "Samba", > running samba 3.6 + OpenLDAP. In order for this to go smoothly we > where using the option "map untrusted to domain = yes" so the users > from the "AD"-domain where able to map their drives from the "Samba" > domain without entering their passwords. > > Now we would like the users in the Windows domain "AD" to map their > homedrive from a fileserver in the "SAD" domain. > > Question 1) > Is this possible anymore? The option "map untrusted to domain" doesn't > seem to exist anymore.It was removed at 4.8.0> > Question 2) > Does a windows client behave differently when speaking to a NT4-domain > or an > AD-domain in how they try passwords? I have a feeling that users in > the "AD"-domain didn't need to (manually at least) enter any passwords > to get their drives mapped from the "Samba" domain. "It just worked".An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants you to use. The latest Samba versions use a minimum of SMBv2 by default.> > Question 3) > If I would enable trust between "AD" and "SAD", would users trying to > access files on a Samba fileserver be mapped to the uidNumber in "SAD" > DS? Or would they be mapped to something entirely else? I'm not really > understanding the idmap and identities it seems.No, you would have to give one set of users new uidNumbers and create another 'idmap config' block in smb.conf. You could use autorid instead, but this would mean totally new ID's everywhere. Rowland
Harald Hannelius
2020-Jun-04 13:46 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:> On 04/06/2020 13:49, Harald Hannelius via samba wrote: >> >> Question 2) >> Does a windows client behave differently when speaking to a NT4-domain or >> an >> AD-domain in how they try passwords? I have a feeling that users in the >> "AD"-domain didn't need to (manually at least) enter any passwords to get >> their drives mapped from the "Samba" domain. "It just worked". > An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants > you to use. The latest Samba versions use a minimum of SMBv2 by default.Thanks, now I remember.>> Question 3) >> If I would enable trust between "AD" and "SAD", would users trying to >> access files on a Samba fileserver be mapped to the uidNumber in "SAD" DS? >> Or would they be mapped to something entirely else? I'm not really >> understanding the idmap and identities it seems. > No, you would have to give one set of users new uidNumbers and create another > 'idmap config' block in smb.conf. You could use autorid instead, but this > would mean totally new ID's everywhere.So the best way for me would be to implement the RFC2307/SFU schema in the Windows AD "AD", add the same uidNumber for every user in "AD" as they had in the old "Samba" domain, and then just join the fileservers to the "AD" domain? Then I change the map-range to be like it was for the "SAD" domain. It's more like migrating filesystems with users and groups tied to files than just migrating users. -- Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Harald Hannelius
2020-Jun-04 14:03 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Rowland penny via samba wrote:> On 04/06/2020 13:49, Harald Hannelius via samba wrote: >> >> Question 3) >> If I would enable trust between "AD" and "SAD", would users trying to >> access files on a Samba fileserver be mapped to the uidNumber in "SAD" DS? >> Or would they be mapped to something entirely else? I'm not really >> understanding the idmap and identities it seems. > No, you would have to give one set of users new uidNumbers and create another > 'idmap config' block in smb.conf. You could use autorid instead, but this > would mean totally new ID's everywhere.Can't I just use the same idmap range for the "SAD" and "AD" domains? They are, after all, the same users in both domains. -- Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Marco Gaiarin
2020-Jun-04 15:30 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
Mandi! Harald Hannelius via samba In chel di` si favelave...> Question 2) > Does a windows client behave differently when speaking to a NT4-domain or an > AD-domain in how they try passwords? I have a feeling that users in the > "AD"-domain didn't need to (manually at least) enter any passwords to get > their drives mapped from the "Samba" domain. "It just worked".Only a note. CLIENT windows OSes try to be 'polite' handling auth, so if you have same username and same password in two domains (and, as stated by rowland, you have SMB1 active), auth must work. But, i restae, seems not some sort of 'server magic', only 'client magic': eg, windows client try to auth without the domain info, and so succeed. Do some test. ;-) -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bont?, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
Harald Hannelius
2020-Jun-04 18:35 UTC
[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
On Thu, 4 Jun 2020, Marco Gaiarin via samba wrote:> Mandi! Harald Hannelius via samba > In chel di` si favelave... > >> Question 2) >> Does a windows client behave differently when speaking to a NT4-domain or an >> AD-domain in how they try passwords? I have a feeling that users in the >> "AD"-domain didn't need to (manually at least) enter any passwords to get >> their drives mapped from the "Samba" domain. "It just worked". > > Only a note. > > CLIENT windows OSes try to be 'polite' handling auth, so if you have > same username and same password in two domains (and, as stated by > rowland, you have SMB1 active), auth must work.Well in the old NT4-domain we had. The current issue is how to replicate that behaviour to between to AD-domains. Which seems impossible. After giving it a thought, I might just have the users enter their username and password. It's the same, bar the domain-part of the username. Let's see what support thinks about my plan :)> But, i restae, seems not some sort of 'server magic', only 'client > magic': eg, windows client try to auth without the domain info, and so > succeed. > > Do some test. ;-)Yes, tested by deleting all credentials. The credentials stored where the old NT4-style domain credentials. The AD-level domain's credentials weren't stored in the the credential manager. Thanks -- Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Maybe Matching Threads
- Is Samba 4.9 and "map untrusted to domain" possible anymore?
- Is Samba 4.9 and "map untrusted to domain" possible anymore?
- Is Samba 4.9 and "map untrusted to domain" possible anymore?
- 3.6.6 map untrusted to domain does not work if winbind is running
- Wrong password, Win10 not using SMB3_11?