SAMBA3.5pre2-Does map untrusted to domain work?

Steven Danneman steven.danneman at isilon.com
Wed Jan 6 17:57:41 MST 2010


Hi Michael,

I don't quite understand the problem you're having.  You're saying that
you set "map untrusted to domain" to yes in your smb.conf, and you're
still unable to log in without specifying a domain name?

What you described in your email is the new intended behavior.  If your
client is not joined to the domain, and you want to authenticate to a
member Samba server with a domain user, you must explicitly specify the
domain of that user on the client machine.  This is the
new-matches-Windows behavior.

-Steven

> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-bounces at lists.samba.org] On Behalf Of MICHAEL BROWN
> Sent: Wednesday, January 06, 2010 11:11 AM
> To: samba-technical at lists.samba.org
> Subject: SAMBA3.5pre2-Does map untrusted to domain work?
> 
> Greetings,
> I had asked this previously.
> I had read that the "map untrusted to domain" is supposed to revert
> back to the way SAMBA previously authenticated the
> users, if needed per this thread:
> http://lists.samba.org/archive/samba-technical/2010-January/068635.html
> 
> "Previous to my patches, smbd would replace an untrusted domain name,
> or a NULL domain name, with the primary domain, and then try to
> authenticate that name against the DC.  This, while not matching
> Windows behavior, seems to be the behavior you're expecting and want
> in your setup.  That's why the "map untrusted to domain" parameter
> exists, to allow you to revert to the previous non-Windows behavior."
> 
> 
> Unless I am missing something, this switch does not seem to work in
> that I can't get the user authenticated to a SAMBA share unless the
> domain is also specified with the username.  The logs show that the
> machine's name is used as the domain name, unless you specify the
> real domain name when authenticating.
> 
> Log with just username:
> Got user=[someuser] domain=[XPMachine] workstation=[XPMachine]
> 
> Log when you specify domain (which is what I need without specifying
> the domain):
> Got user=[someuser] domain=[DomainSambaJoinedTo] workstation=[XPMachine]
> 
> The test setup is SAMBA3.5 pre2 joined to a Windows 2008 R2 active
> directory server.  The machine trying
> to access the share is an XP SP3 machine and is NOT joined to the 2008
> R2 AD server.
> 
> Thanks for the help!

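To tell which of the two cases in the logs above a client falls into, this added example (not part of the original messages and not Samba code) classifies smbd "Got user=" lines by comparing the domain the client sent with the domain the server is joined to. The function names, verdict labels and sample lines are assumptions constructed for illustration.

```python
import re

# The smbd debug line as quoted in the thread: user, domain, workstation.
GOT_USER = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] "
    r"domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<workstation>[^\]]*)\]"
)

def classify(line, joined_domain):
    """Return (user, verdict) for a 'Got user=' line, else None."""
    m = GOT_USER.search(line)
    if m is None:
        return None
    domain, ws = m["domain"].lower(), m["workstation"].lower()
    # NetBIOS domain and machine names compare case-insensitively.
    if domain == joined_domain.lower():
        verdict = "joined-domain"          # client named the joined domain
    elif domain == "":
        verdict = "null-domain"            # no domain sent at all
    elif domain == ws:
        verdict = "workstation-as-domain"  # client sent its own machine name
    else:
        verdict = "other-domain"
    return m["user"], verdict

def summarize(lines, joined_domain):
    """Group usernames by verdict across an iterable of log lines."""
    groups = {}
    for line in lines:
        result = classify(line, joined_domain)
        if result is not None:
            user, verdict = result
            groups.setdefault(verdict, []).append(user)
    return groups

# Constructed sample input; the first two lines mirror the thread's logs.
SAMPLE_LOG = [
    "Got user=[someuser] domain=[XPMachine] workstation=[XPMachine]",
    "Got user=[someuser] domain=[DomainSambaJoinedTo] workstation=[XPMachine]",
    "Got user=[guest] domain=[] workstation=[LAPTOP7]",
    "some unrelated constructed line",
]

if __name__ == "__main__":
    for verdict, users in summarize(SAMPLE_LOG, "DomainSambaJoinedTo").items():
        print(f"{verdict}: {users}")
```

Lines reported as "workstation-as-domain" or "null-domain" are the logins that depend on whether the server substitutes its primary domain, which is what "map untrusted to domain" is described as controlling.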
