[Samba] Newer clients and security=domain SOLVED

Markus Carlstedt mc at samurajdata.se
Thu Sep 4 03:52:37 MDT 2014


Thu 2014-09-04 at 09:58 +0100, Rowland Penny wrote:
> On 04/09/14 08:39, Markus Carlstedt wrote:
> > Wed 2014-09-03 at 18:59 +0200, Marc Muehlfeld wrote:
> >> Hello Markus,
> >>
> >> On 03.09.2014 09:26, Markus Carlstedt wrote:
> >>> Hello everybody, I have not found any answers on this issue on the
> >>> internet and figured I'd try to send a mail to this list.
> >>>
> >>> We have an issue with Windows 7 and 8.1-computers (and also very new
> >>> Macs) that cannot login to one of our Samba servers. The server is a
> >>> part of a domain and has security=domain set.
> >>> The clients are not part of the domain.
> >>>
> >>> It seems like the newer clients send the servername as domain and the
> >>> server therefore only looks in its own user database instead of the
> >>> domains.
> >>> The clients can login to the domain controller (also Samba) without any
> >>> problem.
> >>>
> >>> Is there a way to make Samba force all local authentications to be done
> >>> against the domain instead its own (empty) database?
> >>>
> >>> The workaround is to always add the domain when logging in to this
> >>> server.
> >>>
> >>> On Mac, when connecting:
> >>> smb://domain:user@servername
> >>>
> >>> On PC, when asked for username:
> >>> domain\user
> >>
> >> Can you please give us more details about your configuration (smb.conf,
> >> Idmapping, nsswitch.conf, passdb backend, etc.)?
> >>
> >> Makes it easier to provide help. Otherwise we have to guess a lot. ;-)
> > Absolutely, and thanks for answering!
> > Here's some details.
> >
> > Two Samba servers (latest CentOS 6)
> > Server1 is domain controller and also NIS server
> > Server2 is domain member and NIS member for passwd
> >
> > ids are shared via NIS and 'ypcat passwd' works fine.
> >
> > The servers are in two different locations that are connected via
> > openvpn.
> >
> > I attach nsswitch.conf, it is the default for CentOS6
> >
> > smb.conf for Server1:
> > ---------------------
> > [global]
> > workgroup = mydomain
> > bind interfaces only = yes
> > interfaces = br0 172.16.0.14/255.255.252.0 127.0.0.1
> > printcap name = /etc/printcap
> > load printers = no
> >
> > passdb backend = tdbsam
> > nt acl support = no
> > map acl inherit = no
> > map archive = no
> > map hidden = no
> > map read only = no
> > map system = no
> > store dos attributes = yes
> > unix extensions = no
> >
> > cups options = raw
> > log file = /var/log/samba/%m.log
> > max log size = 5000
> > log level = 4 auth:4
> >
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >
> > name resolve order = wins lmhosts hosts bcast
> > local master = yes
> > domain master = yes
> > preferred master = yes
> > domain logons = yes
> > wins support = yes
> >
> > smb.conf for Server2:
> > ---------------------
> > [global]
> > workgroup = mydomain
> > netbios name = server2
> > server string = Samba Server Version %v
> > log level = 2 auth:2
> > log file = /var/log/samba/log.%m
> > max log size = 5000
> > interfaces = br0 172.18.0.10/255.255.192.0 127.0.0.1
> > security = domain
> > password server = *
> > domain logons = no
> > domain master = no
> > local master = yes
> > os level = 33
> > preferred master = yes
> > wins server = 172.16.0.14
> > wins proxy = yes
> > load printers = no
> > cups options = raw
> > map archive = no
> > map hidden = no
> > map read only = no
> > map system = no
> > store dos attributes = yes
> > unix extensions = no
> > name resolve order = wins lmhosts hosts bcast
> >
> > Clients
> > The clients are *not* part of the domain, which is probably why this
> > happens. However they cannot be part of it either.
> > As I said before, all clients can connect to server1 without any
> > problems. And they can connect to server2 but only if they specify the
> > correct domain for the user.
> > When I check the logs it is clear that the client sends this to the
> > server:
> > User: server2\myuser
> > This makes the login fail since the local smbpasswd database is empty
> > and all users should be authenticated against the domain instead.
> >
> > I am not certain but it is possible that this would happen with windows
> > servers as well.
> >
> > I just thought that perhaps there was a way to make server2 always
> > translate its own name to mean the domain name.
> > server2\myuser --> mydomain\myuser
> >
> >
> >   / Markus
> >
> >
> >
> Hi, I would suggest that you run 'man smb.conf' in a terminal. You 
> appear to have lines in your smb.conf's global area that should only be 
> in a share.
> 
> Server 2 seems to be set up to use server 1 but have you used the 'net' 
> command to add this machine to the NT4 style domain?
> 
> Do your users exist as 'Unix' users on both machines ? If not, you could 
> investigate the 'map to guest' parameter.


Hi, and thanks for the tips.
The server is a part of the domain and logins work when the correct
domain name is supplied as well as the username.

The Unix users also exist on both machines, they are shared via NIS.

Thanks for pointing out that some of the Global options were Share
only, I will look into those.


The 'map to guest' did not do what I needed but it turns out that the
next option in the man-file did.

'map untrusted to domain = yes' makes a domain member server use the
domain to authenticate users.
According to the man-file, the behaviour was changed in Samba 3.4.


 / Markus
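The routing behaviour described in this thread, as an added example that is not part of the original posts and not Samba's own code: a small smb.conf parser plus a model of where a domain member sends a client-supplied `DOMAIN\user` logon, following the rules the posters observed (the workgroup prefix goes to the domain; any other prefix, including the server's own name, is checked against the local passdb unless `map untrusted to domain = yes`, in which case it is rewritten to the domain). The `SMB_CONF_SERVER2` fragment is a constructed approximation of server2's configuration, and `audit()` is a hypothetical check that flags a member server still exposed to the failure mode in the thread.

```python
"""Model of logon routing on a Samba domain member, as described in the thread.
Constructed example; it reproduces the observed behaviour, not smbd's internals."""
import re

# Constructed smb.conf fragment modelled on server2 from the thread.
SMB_CONF_SERVER2 = """\
[global]
workgroup = mydomain
netbios name = server2
security = domain
password server = *
map untrusted to domain = yes
"""


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {lowercased key: value}}.
    Whole-line '#' and ';' comments are skipped; include/copy are not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value):
    """smb.conf boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def route_logon(conf, logon):
    """Return (domain_used, user, backend) for a client-supplied 'DOMAIN\\user'.

    backend is 'domain' (forwarded to the DC via winbind/password server) or
    'passdb' (checked against the local tdbsam/smbpasswd database).
    A bare user name without a prefix is rejected: the client normally fills
    in its own name, which is exactly the case the thread is about."""
    g = conf["global"]
    workgroup = g["workgroup"].upper()
    sam_name = g.get("netbios name", "LOCALHOST").upper()  # assumption: netbios name is set
    member = g.get("security", "user").lower() == "domain"
    map_untrusted = is_yes(g.get("map untrusted to domain", "no"))

    domain, sep, user = logon.rpartition("\\")
    if not sep:
        raise ValueError("expected DOMAIN\\user, got %r" % logon)
    domain = domain.upper()

    if member and domain == workgroup:
        return workgroup, user, "domain"   # DOMAIN\user: always sent to the domain
    if member and map_untrusted:
        return workgroup, user, "domain"   # other prefix rewritten to the domain (the fix)
    return sam_name, user, "passdb"        # otherwise the local (here: empty) database


def audit(conf):
    """Hypothetical check: warn when a member server would send non-domain
    prefixed logons to its local passdb, i.e. the failure mode in the thread."""
    g = conf["global"]
    warnings = []
    if g.get("security", "").lower() == "domain" and not is_yes(
        g.get("map untrusted to domain", "no")
    ):
        warnings.append(
            "security = domain but 'map untrusted to domain' is not 'yes': "
            "logons such as %s\\user go to the local passdb"
            % g.get("netbios name", "SERVER").upper()
        )
    return warnings


if __name__ == "__main__":
    fixed = parse_smb_conf(SMB_CONF_SERVER2)
    broken = parse_smb_conf(SMB_CONF_SERVER2.replace("= yes", "= no"))
    for name, conf in (("before", broken), ("after", fixed)):
        print(name, route_logon(conf, "server2\\myuser"), audit(conf))
```

Running it with the option set to `no` shows `server2\myuser` landing in the local passdb and the audit warning firing; with `yes` the same logon is routed to `MYDOMAIN` and the warning disappears, matching what Markus reports.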


