[Samba] Newer clients and security=domain

Markus Carlstedt mc at samurajdata.se
Thu Sep 4 01:39:28 MDT 2014


Wed 2014-09-03 at 18:59 +0200, Marc Muehlfeld wrote:
> Hello Markus,
> 
> Am 03.09.2014 09:26, schrieb Markus Carlstedt:
> > Hello everybody, I have not found any answers on this issue on the
> > internet and figured I'd try to send a mail to this list.
> > 
> > We have an issue with Windows 7 and 8.1 computers (and also very new
> > Macs) that cannot log in to one of our Samba servers. The server is a
> > part of a domain and has security=domain set.
> > The clients are not part of the domain.
> > 
> > It seems like the newer clients send the servername as domain and the
> > server therefore only looks in its own user database instead of the
> > domains.
> > The clients can login to the domain controller (also Samba) without any
> > problem.
> > 
> > Is there a way to make Samba force all local authentications to be done
> > against the domain instead of its own (empty) database?
> > 
> > The workaround is to always add the domain when logging in to this
> > server.
> > 
> > On Mac, when connecting:
> > smb://domain:user@servername
> > 
> > On PC, when asked for username:
> > domain\user
> 
> 
> Can you please give us more details about your configuration (smb.conf,
> idmapping, nsswitch.conf, passdb backend, etc.)?
> 
> Makes it easier to provide help. Otherwise we have to guess a lot. ;-)

Absolutely, and thanks for answering!
Here's some details.

Two Samba servers (latest CentOS 6)
Server1 is domain controller and also NIS server
Server2 is domain member and NIS member for passwd

IDs are shared via NIS and 'ypcat passwd' works fine.

The servers are in two different locations that are connected via
openvpn.

I attach nsswitch.conf; it is the default for CentOS 6.

smb.conf for Server1:
---------------------
[global]
workgroup = mydomain
bind interfaces only = yes
interfaces = br0 172.16.0.14/255.255.252.0 127.0.0.1
printcap name = /etc/printcap
load printers = no

passdb backend = tdbsam
nt acl support = no
map acl inherit = no
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
unix extensions = no

cups options = raw
log file = /var/log/samba/%m.log
max log size = 5000
log level = 4 auth:4

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

name resolve order = wins lmhosts hosts bcast
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes

smb.conf for Server2:
---------------------
[global]
workgroup = mydomain
netbios name = server2
server string = Samba Server Version %v
log level = 2 auth:2
log file = /var/log/samba/log.%m
max log size = 5000
interfaces = br0 172.18.0.10/255.255.192.0 127.0.0.1
security = domain
password server = *
domain logons = no
domain master = no
local master = yes
os level = 33
preferred master = yes
wins server = 172.16.0.14
wins proxy = yes
load printers = no
cups options = raw
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
unix extensions = no
name resolve order = wins lmhosts hosts bcast

Clients
The clients are *not* part of the domain, which is probably why this
happens. However they cannot be part of it either.
As I said before, all clients can connect to server1 without any
problems. And they can connect to server2 but only if they specify the
correct domain for the user.
When I check the logs it is clear that the client sends this to the
server:
User: server2\myuser
This makes the login fail since the local smbpasswd database is empty
and all users should be authenticated against the domain instead.

I am not certain, but it is possible that this would happen with Windows
servers as well.

I just thought that perhaps there was a way to make server2 always
translate its own name to mean the domain name.
server2\myuser --> mydomain\myuser


 / Markus

Attachment: nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files nis
shadow:     files nis
group:      files nis

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus

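Added example, not from the mailing-list post or from Samba itself: a small shell check that turns the observation in the mail ("User: server2\myuser" in the server log) into a triage report, listing every login where the client sent the server's own NetBIOS name as the domain and the mydomain\user form that would have routed the request to the domain instead. The log line layout in SAMPLE_LOG is constructed for this example; only the "User: DOMAIN\user" token is modelled on the mail, and real "log level = 4 auth:4" output will need the field matching adjusted.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: given Samba auth log lines,
# list logins where the client supplied the server's own NetBIOS name as the
# domain (the "User: server2\myuser" form seen in the mail) and show the
# WORKGROUP\user form the server would need to see to try domain auth instead.
# The log line layout below is CONSTRUCTED for this example; real Samba
# "log level = 4 auth:4" output looks different, only the "User: DOMAIN\user"
# token is modelled on the mail.

NETBIOS_NAME="server2"   # 'netbios name' from Server2's smb.conf
WORKGROUP="mydomain"     # 'workgroup' from both smb.conf files

# Constructed sample log lines (not real Samba output).
SAMPLE_LOG='2014-09-03 09:20:11 client=172.18.5.21 User: server2\myuser result=NT_STATUS_NO_SUCH_USER
2014-09-03 09:21:47 client=172.18.5.22 User: MYDOMAIN\alice result=NT_STATUS_OK
2014-09-03 09:23:05 client=172.18.5.23 User: SERVER2\bob result=NT_STATUS_NO_SUCH_USER
2014-09-03 09:24:30 client=172.18.5.24 User: mydomain\myuser result=NT_STATUS_OK
2014-09-03 09:25:02 client=172.18.5.25 User: myuser result=NT_STATUS_OK'

# Read log lines on stdin; for each "User: DOMAIN\user" whose DOMAIN equals the
# server's NetBIOS name (case-insensitive), print "DOMAIN\user -> WORKGROUP\user".
misdirected_logins() {
    awk -v nb="$NETBIOS_NAME" -v wg="$WORKGROUP" '
    {
        u = ""
        for (i = 1; i < NF; i++) if ($i == "User:") { u = $(i + 1); break }
        if (u == "") next
        b = index(u, "\\")              # position of the single backslash
        if (b == 0) next                # bare "user": no domain was sent
        dom = substr(u, 1, b - 1)
        usr = substr(u, b + 1)
        if (tolower(dom) == tolower(nb)) print dom "\\" usr " -> " wg "\\" usr
    }'
}

# Number of such logins, for a quick count of how many clients are affected.
count_misdirected_logins() {
    misdirected_logins | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | misdirected_logins
echo "misdirected logins: $(printf '%s\n' "$SAMPLE_LOG" | count_misdirected_logins)"
```

Against a live Server2 the input would be its per-client logs (log file = /var/log/samba/log.%m in the posted smb.conf) rather than SAMPLE_LOG; the two entries with a bare or MYDOMAIN-qualified user are deliberately left alone so the report only shows requests that the domain member will answer from its own (empty) passdb.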

