[Samba] Newer clients and security=domain

Rowland Penny rowlandpenny at googlemail.com
Thu Sep 4 02:58:11 MDT 2014


On 04/09/14 08:39, Markus Carlstedt wrote:
> ons 2014-09-03 klockan 18:59 +0200 skrev Marc Muehlfeld:
>> Hello Markus,
>>
>> Am 03.09.2014 09:26, schrieb Markus Carlstedt:
>>> Hello everybody, I have not found any answers on this issue on the
>>> internet and figured I'd try to send a mail to this list.
>>>
>>> We have an issue with Windows 7 and 8.1 computers (and also very new
>>> Macs) that cannot log in to one of our Samba servers. The server is a
>>> part of a domain and has security=domain set.
>>> The clients are not part of the domain.
>>>
>>> It seems like the newer clients send the servername as domain and the
>>> server therefore only looks in its own user database instead of the
>>> domains.
>>> The clients can login to the domain controller (also Samba) without any
>>> problem.
>>>
>>> Is there a way to make Samba force all local authentications to be done
>>> against the domain instead its own (empty) database?
>>>
>>> The workaround is to always add the domain when logging in to this
>>> server.
>>>
>>> On Mac, when connecting:
>>> smb://domain:user@servername
>>>
>>> On PC, when asked for username:
>>> domain\user
>>
>> Can you please give use more details about your configuration (smb.conf,
>> Idmapping, nsswitch.conf, passdb backend, etc.)?
>>
>> Makes it easier to provide help. Otherwise we have to guess a lot. ;-)
> Absolutely, and thanks for answering!
> Here's some details.
>
> Two Samba servers (latest CentOS 6)
> Server1 is domain controller and also NIS server
> Server2 is domain member and NIS member for passwd
>
> ids are shared via NIS and 'ypcat passwd' works fine.
>
> The servers are in two different locations that are connected via
> openvpn.
>
> I attach nsswitch.conf, it is the default for CentOS6
>
> smb.conf for Server1:
> ---------------------
> [global]
> workgroup = mydomain
> bind interfaces only = yes
> interfaces = br0 172.16.0.14/255.255.252.0 127.0.0.1
> printcap name = /etc/printcap
> load printers = no
>
> passdb backend = tdbsam
> nt acl support = no
> map acl inherit = no
> map archive = no
> map hidden = no
> map read only = no
> map system = no
> store dos attributes = yes
> unix extensions = no
>
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 5000
> log level = 4 auth:4
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> name resolve order = wins lmhosts hosts bcast
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> wins support = yes
>
> smb.conf for Server2:
> ---------------------
> [global]
> workgroup = mydomain
> netbios name = server2
> server string = Samba Server Version %v
> log level = 2 auth:2
> log file = /var/log/samba/log.%m
> max log size = 5000
> interfaces = br0 172.18.0.10/255.255.192.0 127.0.0.1
> security = domain
> password server = *
> domain logons = no
> domain master = no
> local master = yes
> os level = 33
> preferred master = yes
> wins server = 172.16.0.14
> wins proxy = yes
> load printers = no
> cups options = raw
> map archive = no
> map hidden = no
> map read only = no
> map system = no
> store dos attributes = yes
> unix extensions = no
> name resolve order = wins lmhosts hosts bcast
>
> Clients
> The clients are *not* part of the domain, which is probably why this
> happens. However they cannot be part of it either.
> As I said before, all clients can connect to server1 without any
> problems. And they can connect to server2 but only if they specify the
> correct domain for the user.
> When I check the logs it is clear that the client sends this to the
> server:
> User: server2\myuser
> This makes the login fail since the local smbpasswd database is empty
> and all users should be authenticated against the domain instead.
>
> I am not certain but it is possible that this would happen with Windows
> servers as well.
>
> I just thought that perhaps there was a way to make server2 always
> translate its own name to mean the domain name.
> server2\myuser --> mydomain\myuser
>
>
>   / Markus
>
>
>
Hi, I would suggest that you run 'man smb.conf' in a terminal. You 
appear to have lines in your smb.conf's global area that should only be 
in a share.

Server 2 seems to be set up to use server 1 but have you used the 'net' 
command to add this machine to the NT4 style domain?

Do your users exist as 'Unix' users on both machines? If not, you could 
investigate the 'map to guest' parameter.

Rowland
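As an added example (not code from the thread or from Samba itself), the following Python check reads the [global] section of an smb.conf and scans auth log lines for the `server2\myuser` pattern Markus describes, flagging logins whose domain part is the server's own NetBIOS name rather than the workgroup. The smb.conf text and the log line format are constructed assumptions for the demo, not copied from a real server.

```python
# Added example (not from the thread or Samba itself): parse smb.conf [global],
# then flag auth log lines whose domain part is the server's own NetBIOS name
# instead of the workgroup, the symptom in the thread. All input is constructed.
import re

SMB_CONF = """\
[global]
workgroup = mydomain
netbios name = server2
security = domain
"""

# Constructed log lines modelled on the 'User: server2\myuser' line in the thread.
AUTH_LOG = [
    "[2014/09/04 08:39:01, 2] auth: User: server2\\myuser",
    "[2014/09/04 08:40:12, 2] auth: User: mydomain\\myuser",
    "[2014/09/04 08:41:30, 2] auth: User: SERVER2\\alice",
]


def parse_global(conf_text):
    """Return the [global] section as a dict: lowercased key -> value."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def misrouted_logins(conf_text, log_lines):
    """Return (user, domain_sent) for each login whose domain is the server's
    own NetBIOS name; Samba then checks its local passdb, not the domain."""
    netbios = parse_global(conf_text).get("netbios name", "").lower()
    user_re = re.compile(r"User:\s+([^\\\s]+)\\(\S+)")
    hits = []
    for line in log_lines:
        m = user_re.search(line)
        if m and netbios and m.group(1).lower() == netbios:
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for user, dom in misrouted_logins(SMB_CONF, AUTH_LOG):
        print(f"{dom}\\{user}: domain equals server name, lookup stays local")
```

Running it prints the two constructed logins that used `server2` as the domain, which is the case that falls through to the empty local database instead of the domain controller.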


