[Samba] winbind map untrusted domain problem

schlittae at bluewin.ch schlittae at bluewin.ch
Sat Nov 5 08:40:39 MDT 2011


Hi David

Thank you for your reply.

I forgot to mention that my samba must run as PDC in my case. So as I read in
the manual, security = user should be applicable? Anyhow I also tried
security = domain and security = ads without success (but I did not change any
other settings like domain master, so samba still stayed as PDC?). Is it
actually possible to map any domain to its own when samba runs as PDC?

Best regards
Tobias

David Roid wrote:
>
> I don't think your configuration is right, "map untrusted domain",
> "allow trusted domains" are not supposed to work with "security = user".
>
> 2011/11/5 schlittae at bluewin.ch <schlittae at bluewin.ch>
> 
> Hi
>
> I have a question/problem about winbind and the "map untrusted to domain"
> (=yes) parameter.
>
> I use samba 3.6.0 on FreeBSD 8.2 with the following configuration:
>
> [global]
>  encrypt passwords = yes
>  map untrusted to domain = yes
>  allow trusted domains = yes
>  client ntlmv2 auth = yes
>  client use spnego = yes
>  client lanman auth = yes
>  client plaintext auth = no
>  winbind enum users = yes
>  winbind enum groups = yes
>  winbind offline logon = yes
>  winbind use default domain = yes
>  restrict anonymous = 2
>  winbind cache time = 10
>  restrict anonymous = 2
>  os level = 0
>  lanman auth = yes
>  ntlm auth = yes
>  domain logons = yes
>  unix password sync = yes
>  passwd program = /usr/bin/passwd %u
>  preferred master = yes
>  local master = yes
>  security = user
>  domain master = yes
>  workgroup = DOMAIN
>  netbios name = smbsrv01
>  server string = smbsrv01
>
> Authentication when accessing a SMB share works without specifying a domain
> from a windows client. (so windows uses client hostname as domain name, I
> guess samba does map the "untrusted" hostname domain to its own) But if I use
> squid for authentication with samba NTLM auth helper plugin, it does not work
> if the client does not explicitly specify the domain name. I also tried with
> wbinfo -a <hostname>\\vailduser and I get
> "NT_STATUS_NO_SUCH_USER (0xc0000064)". (I guess wbinfo authenticates the same
> way as the NTLM auth helper plugin does)
>
> Is there a way to tell samba that it also maps untrusted domains over
> winbind? If yes, how?
>
> Thank you
>
> Best regards
> Tobias 


