Alex
2023-Aug-02 18:05 UTC
[Samba] Override unjoined computername with SAMDOM to allow connection to share
Hi,

I have a Samba 4 domain (separate DC and file server), with a bunch of Win/Mac/Lin domain joined machines, everything works on that side.

I have a machine with a read-only SOC which can't take a \ or @ in the username, and in the samba file server logs, I see it is authenticating with its computername in place of the domain:

[2023/08/02 09:46:24.265533, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[USERNAME]@[computername] with the new password interface
[2023/08/02 09:46:24.265596, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: []\[USERNAME]@[computername]
[2023/08/02 09:46:24.269665, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'USERNAME' in passdb.
[2023/08/02 09:46:24.269763, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1

Is there a way I can map USERNAME@computername to USERNAME@SAMDOM, such as with a username map file or other mechanism?

Other unjoined devices can map the same share without issues, but they allow me to authenticate as SAMDOM\username or username@samdom.tld.

Thanks,
Peter
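The log excerpt above is the kind of thing worth alerting on from a file server: an NTLM attempt whose client-supplied domain is empty (or not the expected domain) and which then fails with NT_STATUS_NO_SUCH_USER after a local passdb lookup. The following is an added example, not code from the post or from the Samba project. It treats the three bracketed fields in the "unmapped user" line as client domain, account name and workstation, in that order (the order Samba's auth.c prints them), pairs each such line with the next FAILED line for the same account, and flags the failures whose domain does not match a configured domain name. The sample log is constructed: it reuses the post's placeholders and timestamps and adds a second, unrelated wrong-password failure for contrast; SAMDOM is the assumed domain name.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the level-3 auth log excerpt in the post
# (same placeholders and timestamps; the second attempt is added for contrast).
SAMPLE_LOG = r"""
[2023/08/02 09:46:24.265533, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[USERNAME]@[computername] with the new password interface
[2023/08/02 09:46:24.265596, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[USERNAME]@[computername]
[2023/08/02 09:46:24.269665, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'USERNAME' in passdb.
[2023/08/02 09:46:24.269763, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2023/08/02 09:47:01.000000, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SAMDOM]\[alice]@[laptop7] with the new password interface
[2023/08/02 09:47:01.004000, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
"""

# Samba log header: "[timestamp, level] source.c:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\]")
# "[domain]\[account]@[workstation]" as printed by check_ntlm_password
UNMAPPED = re.compile(
    r"unmapped user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<wks>[^\]]*)\]"
)
FAILED = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] FAILED with error "
    r"(?P<status>NT_STATUS_[A-Z_]+)"
)


@dataclass
class Attempt:
    ts: str            # timestamp of the "Checking password" line
    domain: str        # client-supplied domain ("" when the client sent none)
    user: str          # client-supplied account name
    workstation: str   # client-supplied workstation name
    status: Optional[str] = None  # NT_STATUS_* from the matching FAILED line


def parse_attempts(log_text: str) -> List[Attempt]:
    """Pair each 'unmapped user' line with the next FAILED line for the same account."""
    attempts: List[Attempt] = []
    ts = ""
    pending: Optional[Attempt] = None
    for line in log_text.splitlines():
        h = HEADER.match(line)
        if h:
            ts = h["ts"]  # remember the header timestamp for the message that follows
        u = UNMAPPED.search(line)
        if u:
            pending = Attempt(ts, u["domain"], u["user"], u["wks"])
            continue
        f = FAILED.search(line)
        if f and pending is not None and pending.user == f["user"]:
            pending.status = f["status"]
            attempts.append(pending)
            pending = None
    return attempts


def flag_unqualified_failures(attempts: List[Attempt], expected_domain: str) -> List[str]:
    """One finding per NO_SUCH_USER failure whose client domain is not the expected one."""
    findings: List[str] = []
    for a in attempts:
        if a.status != "NT_STATUS_NO_SUCH_USER":
            continue
        if a.domain.upper() == expected_domain.upper():
            continue
        shown = a.domain or "<empty>"
        findings.append(
            f"{a.ts} user={a.user} workstation={a.workstation} domain={shown}: "
            f"NO_SUCH_USER without {expected_domain} qualifier (looked up in local passdb)"
        )
    return findings


if __name__ == "__main__":
    for finding in flag_unqualified_failures(parse_attempts(SAMPLE_LOG), "SAMDOM"):
        print(finding)
```

Run against the sample, only the first attempt is reported: its domain field is empty and the server fell through to the local passdb, which is exactly the situation described in the post. The second attempt carries the SAMDOM qualifier and fails for a different reason, so it is left alone. Raising the file server's log level to 3 for the auth classes is needed to get the "unmapped user" lines at all.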
Andrew Bartlett
2023-Aug-03 02:24 UTC
[Samba] Override unjoined computername with SAMDOM to allow connection to share
On Wed, 2023-08-02 at 11:05 -0700, Alex via samba wrote:
> Hi,
>
> I have a Samba 4 domain (separate DC and file server), with a bunch of
> Win/Mac/Lin domain joined machines, everything works on that side.
>
> I have a machine with a read-only SOC which can't take a \ or @ in the
> username, and in the samba file server logs, I see it is authenticating
> with its computername in place of the domain:
>
> [2023/08/02 09:46:24.265533, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user []\[USERNAME]@[computername] with the new password interface
> [2023/08/02 09:46:24.265596, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: []\[USERNAME]@[computername]
> [2023/08/02 09:46:24.269665, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'USERNAME' in passdb.
> [2023/08/02 09:46:24.269763, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
>
> Is there a way I can map USERNAME@computername to USERNAME@SAMDOM, such
> as with a username map file or other mechanism?
>
> Other unjoined devices can map the same share without issues, but they
> allow me to authenticate as SAMDOM\username or username@samdom.tld.

Sadly the AD DC doesn't use the username map functionality on the DC side, nor "map untrusted to domain", and while the Samba AD DC could technically implement the "map untrusted to domain" function, there isn't code to do that right now.

Internally, we could revive "map untrusted to domain" with a small change to auth_context_create_for_netlogon() to put the mentioned "sam_ignoredomain" module into the list.

So, not impossible - far from it, thankfully because you have a Samba AD DC - but not possible out of the box.
Andrew Bartlett

--
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead                                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions