[Samba] winbind map untrusted domain problem

[David Roid]

I don't think your configuration is right, "map untrusted domain", "allow
trusted domains" are not supposed to work with "security = user".

2011/11/5 schlittae at bluewin.ch <schlittae at bluewin.ch>

> Hi
>
> I have a question/problem about winbind and the "map untrusted to domain"
> (=yes) parameter.
>
> I use samba 3.6.0 on
> FreeBSD 8.2 with the following configuration:
> [global]
>  encrypt passwords = yes
>  map untrusted to domain = yes
>
> allow trusted domains = yes
>  client ntlmv2 auth = yes
>  client use spnego = yes
>  client lanman auth = yes
>  client
> plaintext auth = no
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind offline logon = yes
>  winbind use
> default domain = yes
>  restrict anonymous = 2
>  winbind cache time = 10
>  restrict anonymous = 2
>  os level = 0
>
> lanman auth = yes
>  ntlm auth = yes
>
>  domain logons = yes
>  unix password sync = yes
>  passwd program =
> /usr/bin/passwd %u
>
>  preferred master = yes
>
>  local master = yes
>  security = user
>  domain master = yes
>
>  workgroup
> = DOMAIN
>
>  netbios name = smbsrv01
>  server string = smbsrv01
>
> Authentication when accessing a SMB share works without
> specify a domain from a windows client. (so windows uses client hostname
> as domain name, I guess samba does map the
> "untrusted" hostname domain to its own) But if I use squid for
> authentication with samba NTLM auth helper plugin, it
> does not work if the client does not explicit specify the domain name. I
> also tried with wbinfo -a
> <hostname>\\vailduser and I get "NT_STATUS_NO_SUCH_USER (0xc0000064)". (I
> guess wbinfo authenticates the same way as
> the NTLM auth helper plugin does)
>
> Is there a way to tell samba that it also maps untrusted domains over
> winbind. If
> yes, how?
>
> Thank you
>
> Best regards
> Tobias
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>