That is because.. You're not sending the DOMAIN\username but COMPUTER\username, so access denied.
I know it's something like that in the background, but I don't code "Windows" ;-)

So, this is the only part I use:

net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username%
net use k: \\server.fqdn.tld\share /persistent:yes /user:ADDOM\%username%

Stop using:
\\hostname\share
This only works if and due.
1) the search/primary domain is same in pc and servers.
2) netbios resolving works ( or due dns proxy = yes ) and/or due a working LLMNR setup. (default in windows 10)
Do read: https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials

\\IP\share
Only works well if..
1) the PTR record is registered to the correct "hostname.FQDN.TLD"

So, only use:
\\host.fqdn.tld\share
for all servers

For all above you need A + PTR for a good working kerberos setup

Howto use your samba shares and setups, due all new security things in windows..
Follow these rules..
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
And only use \\host.fqdn.tld\shares

I'm doing this since 2016, after Microsoft advised to use it. It's somewhere in their docs..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday 26 August 2020 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
>
> For those who want to look at the generated log, I'm adding a small legend: ZIZI (192.168.70.3) is the samba server, win7pro-v01 (192.168.64.12) is the win7 client; furthermore the AD domain is called CSATEST while the NT domain (even though it doesn't appear in the logs) is called DOMINIOCSA.
>
> Piviul
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
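As an added example (not from the thread, nor Samba's or Microsoft's own code), a small Python audit that classifies the server part of each net use mapping in a logon script into the three forms Louis lists (\\IP\share, \\hostname\share, \\host.fqdn.tld\share) and, for an FQDN, checks that the A and PTR records agree as Kerberos needs; the DNS tables, hostnames and sample logon script are constructed, and the in-memory resolver stands in for a real lookup so it runs offline.

```python
import ipaddress
import re

# Constructed in-memory DNS tables (not from the thread) so this runs offline;
# swap in socket.gethostbyname / socket.gethostbyaddr for a live check.
FORWARD = {"fs1.corp.example.com": "192.0.2.10", "fs2.corp.example.com": "192.0.2.11"}
REVERSE = {"192.0.2.10": "fs1.corp.example.com", "192.0.2.11": "oldname.corp.example.com"}

UNC_RE = re.compile(r"\\\\([^\\\s]+)\\\S+")  # \\server\share, captures the server part

def classify(host):
    """'ip' literal, 'short' (DNS-suffix/NetBIOS/LLMNR-dependent) name, or 'fqdn'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn" if "." in host else "short"

def check_mapping(line, forward=FORWARD, reverse=REVERSE):
    """Return (host, kind, ok, reason) for one 'net use' line, or None if no UNC path."""
    m = UNC_RE.search(line)
    if not m:
        return None
    host = m.group(1)
    kind = classify(host)
    if kind == "ip":
        return (host, kind, False, "IP literal: only works if the PTR record is right; use the FQDN")
    if kind == "short":
        return (host, kind, False, "short name: needs a matching DNS suffix, NetBIOS or LLMNR; use the FQDN")
    addr = forward.get(host.lower())
    if addr is None:
        return (host, kind, False, "no A record")
    ptr = reverse.get(addr)
    if ptr is None or ptr.lower() != host.lower():  # Kerberos wants A and PTR to agree
        return (host, kind, False, f"PTR for {addr} is {ptr!r}, expected {host}")
    return (host, kind, True, "A and PTR agree")

def audit(script):
    """Findings for every line of a logon script that maps a UNC path."""
    return [f for f in map(check_mapping, script.splitlines()) if f]

# Constructed logon script covering the three UNC forms discussed in the thread.
SAMPLE = r"""net use g: \\fs1.corp.example.com\share /persistent:yes
net use h: \\fs2.corp.example.com\share /persistent:yes
net use k: \\fs1\share /persistent:yes
net use m: \\192.0.2.10\share /persistent:yes"""

if __name__ == "__main__":
    for host, kind, ok, reason in audit(SAMPLE):
        print(("OK  " if ok else "FIX ") + f"{host} ({kind}): {reason}")
```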
L.P.H. van Belle via samba wrote on 26/08/20 at 11:48:
> That is because.. You're not sending the DOMAIN\username but COMPUTER\username, so access denied.

Why do you say that? I didn't use the /user option at all; the log I sent has been generated running the following command:

net use g: \\IP\share /persistent:yes

Anyway nothing changes if I use

net use g: \\F.Q.D.N.\share /persistent:yes

Furthermore if I use the option /user:NT4DOM\%username% the net use command completes successfully; if I use /user:ADDOM\%username% it doesn't, that's all.

> [...]
> \\hostname\share
> This only works if and due.
> 1) the search/primary domain is same in pc and servers.
> 2) netbios resolving works ( or due dns proxy = yes ) and/or due a working LLMNR setup. (default in windows 10)
> Do read: https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials

That's not so simple, network users are used to accessing shares by browsing the network and windows doesn't show the FQDN when browsing the network...

> [...]
> Follow these rules..
> https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
>
> And only use \\host.fqdn.tld\shares

ok, I'll remember.

Piviul
Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday 26 August 2020 14:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
>
> L.P.H. van Belle via samba wrote on 26/08/20 at 11:48:
> > That is because.. You're not sending the DOMAIN\username but COMPUTER\username, so access denied.
> Why do you say that? I didn't use the /user option at all; the log I sent has been generated running the following command:
> net use g: \\IP\share /persistent:yes

That's exactly what I see.
This: net use g: \\IP\share /persistent:yes

Used COMPUTERNAME\username at REALM Or DOM\USER at COMPUTERNAME
And not DOM\user at REALM
That's what I mean, and if you look good in your logs you see this also.

> Anyway nothing changes if I use
> net use g: \\F.Q.D.N.\share /persistent:yes
>
> Furthermore if I use the option /user:NT4DOM\%username% the net use command completes successfully; if I use /user:ADDOM\%username% it doesn't, that's all.

Ah, ok, I understand,

> > [...]
> > \\hostname\share
> > This only works if and due.
> > 1) the search/primary domain is same in pc and servers.
> > 2) netbios resolving works ( or due dns proxy = yes ) and/or due a working LLMNR setup. (default in windows 10)
> > Do read: https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials
> That's not so simple, network users are used to accessing shares by browsing the network and windows doesn't show the FQDN when browsing the network...

Which is going to be
1) a problem in future.
2) is a security risk
3) users should not browse and should have drive mappings..
But.. I'm not controlling your network, you do, just my opinion.

> > [...]
> > Follow these rules..
> > https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> >
> > And only use \\host.fqdn.tld\shares
> ok, I'll remember.

The longer you wait with changing these setups, the more problems you will hit in the future.
Not because I'm saying this.. Because

Microsoft is enforcing more security.
Google is enforcing more security. Like how you set up your certificate chains, it must have an intermediate cert in the latest Chrome versions.
Basically all big companies are doing it now, I think a bit late.. But better late than never..

Greetz,

Louis
L.P.H. van Belle via samba wrote on 26/08/20 at 15:41:
> [...]
> That's exactly what I see.
> This: net use g: \\IP\share /persistent:yes
>
> Used COMPUTERNAME\username at REALM Or DOM\USER at COMPUTERNAME
> And not DOM\user at REALM
> That's what I mean, and if you look good in your logs you see this also.

Yes I've seen it, but if you say "You're not sending the DOMAIN\username but COMPUTER\username, so access denied." this is not true because I have only run the command "net use g: \\IP\share /persistent:yes"

> [...]
> Which is going to be
> 1) a problem in future.
> 2) is a security risk
> 3) users should not browse and should have drive mappings..
> But.. I'm not controlling your network, you do, just my opinion.

That's not so simple... some data are on official servers but others aren't. We have a lot of instruments that produce data that are stored on local PCs; some users have to access these data to control and elaborate results... Anyway thank you for the hint, I'll think about it...

> The longer you wait with changing these setups, the more problems you will hit in the future.
> Not because I'm saying this.. Because
>
> Microsoft is enforcing more security

But it's Microsoft that developed NetBIOS and LLMNR, and if it's enforcing security it should enforce these protocols or remove them from their OS, isn't it? Anyway I'll think about it.

Thank you very much

Piviul