[Samba] Samba 4.6.5-Debian, authentication on a mix workgroup+domain

Marc-Henri Pamiseux marc-henri.pamiseux at libricks.org
Thu Jul 27 22:38:15 UTC 2017


Hello,

I encounter a particular configuration at a client.
Stations linked to the Samba domain are mixed with other workstations
configured as a Workgroup.

The Workgroup has the same name as the Samba domain.
Domain machines can access data from a domain member server.
There is no additional identification request since this step was
carried out when the session was opened.

Historically, this was also the case for machines operating in the
Workgroup mode. The condition was obviously that the same connection
name had to be created on both the machine and the domain controller.
I am glad to think that passwords should not be often changed!

Since then, I have updated Samba to:
# samba -V
Version 4.6.5-Debian

Therefore, when a Workstation tries to access the resources of a member
server on the domain, a prompt asks the user to identify itself.

If the user only inputs his ID, this will not work. The user must prefix his
identifier with the name of the domain:
DOMAIN\login

The client asks me if it would be possible not to have to add the domain
name in this entry. I guess that's not the best way...
Why was this working before?
Is there a configuration variable that would allow that?
Something like "username level = 2" can do.

An option that helps Samba to try and 'guess' at the real DOMAIN name.
I can read this on the smb.conf man page:

"When performing local authentication, the username map is applied to
the login name before attempting to authenticate the connection.

When relying upon an external domain controller for validating
authentication requests, smbd will apply the username map to the fully
qualified username (i.e. DOMAIN\user) only after the user has been
successfully authenticated."

Sorry, but I do not understand how this works, or how this
authentication works.

Regards,
-- 
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
6 rue Léonard de Vinci - CS 20119, 53001 LAVAL Cedex
Tel. : 02.30.96.15.24 / Mobile : 06.26.71.30.97
