Fernando Gonçalves
2020-Jun-18 16:55 UTC
[Samba] SAMBA using existing users and passwords on Linux
Hello everyone.

I'm back because I decided to follow your advice and deploy the system using a new version of SAMBA with encrypted passwords. I added the SAMBA server in the AD domain without any problems and I am already accessing the shares with AD users.

However I have a new problem for which I need help. When I try to access SAMBA shares with local Linux users, it is necessary to include the name of the Linux server when passing the local user. For example, if I try to access like this, it doesn't work, it gives an invalid user error:

    net use \\host\share /U:localuser

To work the command must be like this:

    net use \\host\share /U:host\localuser

What it seems to me is that SAMBA does not authenticate on the local machine, only in AD.
Is there a way to get SAMBA to authenticate to AD and on the local machine?

On Thu, 4 Jun 2020 at 10:26, mathias dufresne via samba <samba at lists.samba.org> wrote:
> Hi Fernando,
>
> What kind of system are your Samba clients using?
>
> If they are using Windows systems joined to AD, you can join your Samba
> server into AD too. Then your users will be able to use Kerberos (i.e. SSO)
> to authenticate against your Samba server.
>
> Your Samba system users could be local (in /etc/passwd) or coming from AD
> (using winbindd).
> If system users are in /etc/passwd, they would have to have the same name
> as on the client system or you will have to add some username mapping (see
> "username map" option).
>
> Perhaps all that blabla is out of subject, perhaps it will help, I do hope
> it will ; )
>
> Cheers,
>
> mathias
>
> On Thu, 4 Jun 2020 at 08:45, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> > On 03/06/2020 22:41, Fernando Gonçalves via samba wrote:
> > > So that it doesn't end without a conclusion I will inform you what has
> > > been accomplished.
> > > As our time was short to complete the migration I decided to install the
> > > same version of SAMBA that was already running on the old machine (3.6.6).
> > > After the migration is complete, I will have more time to update the SAMBA
> > > and insert it into our AD domain, thus changing the entire login and
> > > mapping system.
> > > I am very grateful to everyone who responded and helped me in this
> > > decision making.
> > > I wish everyone health.
> >
> > I cannot help but think that was a BAD decision, Samba 3.6.6 is totally
> > unsupported and is very insecure, ever heard of 'WannaCry'?
> >
> > If you must use it, then can I urge you to not connect your network to
> > the internet in any way.
> >
> > I cannot stop you using 3.6.6, it is your network and you control it,
> > but you also get to pick up the pieces when it goes wrong.
> >
> > One last thought, do the people who run your AD know you are doing this
> > very insecure thing?
> >
> > Rowland
Rowland penny
2020-Jun-18 17:44 UTC
[Samba] SAMBA using existing users and passwords on Linux
On 18/06/2020 17:55, Fernando Gonçalves via samba wrote:
> Hello everyone.
> I'm back because I decided to follow your advice and deploy the system
> using a new version of SAMBA with encrypted passwords.
> I added the SAMBA server in the AD domain without any problems and I am
> already accessing the shares with AD users.
> However I have a new problem for which I need help.
> When I try to access SAMBA shares with local Linux users, it is necessary
> to include the name of the Linux server when passing the local user.
> For example if I try to access like this, it doesn't work, it gives an
> invalid user error
>
> net use \\host\share /U:localuser
>
> To work the command must be like this:
>
> net use \\host\share /U:host\localuser
>
> What it seems to me is that SAMBA does not authenticate on the local
> machine, only in AD.

Yes, that is correct, all authentication on a domain machine is done via the AD DC.

> Is there a way to get SAMBA to authenticate to AD and on the local machine?

Well, yes and no, it all depends on what you mean by authentication and local users ;-)

If I run 'getent passwd rowland' on a Unix domain member, I get this:

    rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

So, the OS thinks that I am a local user, but, you will not find 'rowland' in /etc/passwd

I think we need to see your present smb.conf file and can you also tell us what your AD DCs are and how you joined the domain.

Rowland
Fernando Gonçalves
2020-Jun-19 13:08 UTC
[Samba] SAMBA using existing users and passwords on Linux
Hello Rowland.

Thanks for answering.

The Linux server is already in the AD domain and resolving AD users as normal. To map the Linux server share using AD users I use the following command:

    net use \\linuxserver\share /U:AD_user

and it works perfectly.

But I would like to use the same command for users who are in /etc/passwd, like this:

    net use \\linuxserver\share /U:linuxserver_user

and so it doesn't work, it gives an invalid user error.

To work with users who are in /etc/passwd I have to use the following command:

    net use \\linuxserver\share /U:linuxserver\linuxserver_user

In short, I wanted to map the share using Linux users (who are in /etc/passwd) without having to specify the name of the Linux server.
Is there a way to do this?