samba - Aug 2023 - Override unjoined computername with SAMDOM to allow connection to share

Hi,

I have a Samba 4 domain (separate DC and file server), with a bunch of
Win/Mac/Lin domain joined machines, everything works on that side.

I have a machine with a read-only SOC which can't take a \ or @ in the
username, and in the samba file server logs, I see it is authenticating
with it's computername in place of the domain:

[2023/08/02 09:46:24.265533,  3]
../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[]\[USERNAME]@[computername] with the new password interface
[2023/08/02 09:46:24.265596,  3]
../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[USERNAME]@[computername]
[2023/08/02 09:46:24.269665,  3]
../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'USERNAME' in passdb.
[2023/08/02 09:46:24.269763,  2]
../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME]
FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1


Is there a way I can map the USERNAME at computername to USERNAME at SAMDOM,
such
as with a username map file or other mechanism?

Other unjoined devices can map the same share without issues, but they
allow me to authenticate as SAMDOM\username or username at samdom.tld.

Thanks,

Peter

On Wed, 2023-08-02 at 11:05 -0700, Alex via samba wrote:
> Hi,
> 
> I have a Samba 4 domain (separate DC and file server), with a bunch
> of
> Win/Mac/Lin domain joined machines, everything works on that side.
> 
> I have a machine with a read-only SOC which can't take a \ or @ in
> the
> username, and in the samba file server logs, I see it is
> authenticating
> with it's computername in place of the domain:
> 
> [2023/08/02 09:46:24.265533,  3]
> ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> []\[USERNAME]@[computername] with the new password interface
> [2023/08/02 09:46:24.265596,  3]
> ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: []\[USERNAME]@[computername]
> [2023/08/02 09:46:24.269665,  3]
> ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'USERNAME' in passdb.
> [2023/08/02 09:46:24.269763,  2]
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [USERNAME] ->
> [USERNAME]
> FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
> 
> 
> Is there a way I can map the USERNAME at computername to USERNAME at SAMDOM
> , such
> as with a username map file or other mechanism?
> 
> Other unjoined devices can map the same share without issues, but
> they
> allow me to authenticate as SAMDOM\username or 
> username at samdom.tld
> .
Sadly the AD DC doesn't use the username map functionality on the DC
side, the "map untrusted to domain" and while the Samba AD DC could
implement the "map untrusted to domain" function technically, there
isn't code to do that right now.

Internally, we could revive "map untrusted to domain" with a small
change to auth_context_create_for_netlogon() to put in the mentioned
"sam_ignoredomain" module into the list.

So, not impossible - far from it, thankfully because you have a Samba
AD DC - but not possible out of the box.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions