[Samba] is "map untrusted to domain" possible?

Rowland Penny rpenny at samba.org
Fri Jun 29 08:26:25 UTC 2018


On Fri, 29 Jun 2018 15:48:32 +0800
d tbsky <tbskyd at gmail.com> wrote:

> hi:
>  samba file server global configuration below:
> 
> [global]
>    workgroup = SAM-DOM
>    netbios name = file
>    # password server = DC.AD.SAM-DOM.EXAMPLE.COM
>    realm = AD.SAM-DOM.EXAMPLE.COM
>    security = ads
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 1000000-1999999
> 
>    idmap config SAM-DOM:backend = ad
>    idmap config SAM-DOM:default = yes
>    idmap config SAM-DOM:range = 1000-999999
>    idmap config SAM-DOM:schema_mode = rfc2307
> 
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind nested groups = yes
>    winbind use default domain = yes
>    winbind offline logon = no
>    obey pam restrictions = no
> 
>    winbind nss info = template
>    template homedir = /share/samba/home/%U
>    template shell = /bin/bash
> 
>    lanman auth = yes
>    map untrusted to domain = yes

OK, if I remove all the default and unnecessary lines, I am left with
this:

[global]
   workgroup = SAM-DOM
   realm = AD.SAM-DOM.EXAMPLE.COM
   security = ads

   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   idmap config SAM-DOM:backend = ad
   idmap config SAM-DOM:range = 1000-999999
   idmap config SAM-DOM:schema_mode = rfc2307

   winbind use default domain = yes

   template homedir = /share/samba/home/%U
   template shell = /bin/bash

   lanman auth = yes
   map untrusted to domain = yes

Just a couple of comments:
Because you start 'SAM-DOM' at '1000', you cannot have ANY local Unix
users.

You have 'lanman auth' set to yes, do you really have any Win95/98
clients? If not, you should remove this security risk line.

With the above smb.conf, if a user called 'fred' connects from DOMSAM
(DOMSAM\fred), the user should become SAM-DOM\fred and then
authenticated. This means that SAM-DOM\fred must exist and DOMSAM\fred
must have the same password as SAM-DOM\fred.
Once the user is authenticated, 'winbind use default domain = yes' will
remove the domain name and SAM-DOM\fred would become just 'fred'.

If the above isn't happening, then, potentially, you have discovered a
bug.

Rowland
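As an added example (not part of this thread and not Samba's own tooling), here is a small Python check that applies the two comments above to an smb.conf [global] section: it parses the idmap ranges, reports a domain range that collides with the local Unix UID range (the point about starting 'SAM-DOM' at 1000) or with another idmap range, and flags 'lanman auth = yes'. The trimmed sample config and the local UID range 1000-59999 are assumptions.

```python
import re

# Constructed sample: the trimmed [global] section from the reply, embedded inline.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAM-DOM
   security = ads
   idmap config *:range = 1000000-1999999
   idmap config SAM-DOM:range = 1000-999999
   lanman auth = yes
   map untrusted to domain = yes
"""

LOCAL_UID_RANGE = (1000, 59999)  # assumption: typical UID_MIN/UID_MAX for local Unix accounts

def parse_global(text):
    """[global] parameters as {lowercased name: value}; comments and other sections skipped."""
    params, in_global = {}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and line and line[0] not in "#;" and "=" in line:
            name, _, value = line.partition("=")
            params[" ".join(name.split()).lower()] = value.strip()
    return params

def idmap_ranges(params):
    """Each idmap domain ('*' is the default) mapped to its (low, high) ID range."""
    ranges = {}
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (\S+):range", name)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def lint(text):
    """Findings: intersecting idmap ranges, domain ranges clashing with local UIDs, LANMAN auth."""
    params, findings = parse_global(text), []
    ranges = idmap_ranges(params)
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} intersect")
    for name, (low, high) in ranges.items():
        if name != "*" and low <= LOCAL_UID_RANGE[1] and LOCAL_UID_RANGE[0] <= high:
            findings.append(f"idmap range for {name} clashes with local Unix UIDs {LOCAL_UID_RANGE}")
    if params.get("lanman auth", "no").lower() in ("yes", "true", "1"):
        findings.append("lanman auth = yes: LANMAN authentication enabled (only needed for Win95/98 clients)")
    return findings
```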