"map untrusted to domain = yes" with AD member

Christof Schmitt cs at samba.org
Tue Mar 15 20:13:17 UTC 2016

Given this setup:

 - Samba fileserver joined to AD domain DOMAIN.
 - Windows client WORKSTATION that is not a member of the AD domain.

Now a user USER from WORKSTATION opens an SMB connection to the Samba
fileserver. The user name has a matching name in the domain. The goal is
to not require a logon to the domain, but to use the credentials of the

Traces show that the Windows client sends the SESSION SETUP request to
authenticate USER in WORKSTATION. WORKSTATION is obviously not known on
the Samba fileserver.

From reading the documentation, "map untrusted to domain = yes" seems to
be supposed to handle this setup. smbd then maps the unknown WORKSTATION
domain to DOMAIN. The problem that now surfaces is that with the patch
from bugzilla #9817, the original WORKSTATION identifier is passed to
winbindd and all the way to the NetSamLogonEx request to the domain
controller. As a result, the logon for USER from WORKSTATION fails.

Is it possible that the patch from bugzilla #9817 only works with the
old-style domains, but not AD domains?

