[Samba] is "map untrusted to domain" possible?

Rowland Penny rpenny at samba.org
Fri Jun 29 09:07:46 UTC 2018


On Fri, 29 Jun 2018 16:56:47 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-06-29 16:26 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > OK, if I remove all the default and unnecessary lines, I am left
> > with this:
> >
> > [global]
> >    workgroup = SAM-DOM
> >    realm = AD.SAM-DOM.EXAMPLE.COM
> >    security = ads
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 1000000-1999999
> >    idmap config SAM-DOM:backend = ad
> >    idmap config SAM-DOM:range = 1000-999999
> >    idmap config SAM-DOM:schema_mode = rfc2307
> >
> >    winbind use default domain = yes
> >
> >    template homedir = /share/samba/home/%U
> >    template shell = /bin/bash
> >
> >    lanman auth = yes
> >    map untrusted to domain = yes
> >
> > Just a couple of comments:
> > Because you start 'SAM-DOM' at '1000', you cannot have ANY local
> > Unix users.
> 
>    That's OK. We don't have any local Unix users on the Samba file server.

Er, no it's not, what happens if something goes wrong and you need to
'SSH' in to fix something ???
You need a few local Unix users, but hey, it's your domain.

> 
> > You have 'lanman auth' set to yes, do you really have any Win95/98
> > clients ? If not, you should remove this security risk line.
> 
>   We have DOS clients. Although Win95/98 is useless, DOS is still
> sometimes necessary today.

Why do you still have a DOS client? Even I (an inept programmer) could
crack its password in minutes.

Rowland
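Added example, not from the thread and not Samba's own tooling (testparm would be the project's way to dump settings): a small POSIX sh/awk lint that reads an smb.conf and flags the two points raised above, `lanman auth = yes` and a per-domain idmap range that starts low enough to collide with local Unix accounts. It also reports overlapping idmap ranges, which the thread does not discuss but the same parsing covers. The sample configs are constructed from the posted [global] section; the 60000 cut-off for local UIDs (a typical login.defs UID_MAX), the temporary file paths and the hardened variant are assumptions.

```shell
#!/bin/sh
# Lint an smb.conf for the problems discussed in the thread.
# Pure sh + awk so it runs without Samba installed; not a replacement for testparm.

# Assumption: local accounts are allocated below this UID (login.defs UID_MAX).
LOCAL_UID_MAX=60000

# Print one line per finding for the config file given as $1; nothing when clean.
lint_smbconf() {
    awk -v local_max="$LOCAL_UID_MAX" '
    {
        sub(/[;#].*$/, "")                       # drop comments
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)        # trim
        if (line == "") next
        n = index(line, "=")
        if (n == 0) next                         # section headers, junk
        rawkey = substr(line, 1, n - 1)
        gsub(/[ \t]+$/, "", rawkey); gsub(/[ \t]+/, " ", rawkey)
        key = tolower(rawkey)
        val = substr(line, n + 1); gsub(/^[ \t]+/, "", val)
    }
    # LM hashes are trivially cracked offline; the option exists only for DOS/Win9x clients.
    key == "lanman auth" && tolower(val) ~ /^(yes|true|1)$/ {
        print "lanman auth = yes: LM password hashes enabled, crackable in minutes"
    }
    # "idmap config <DOM>:range = low-high": remember each range, flag low starts.
    key ~ /^idmap config .*:range$/ {
        dom = substr(rawkey, 14, length(rawkey) - 19)   # strip "idmap config " and ":range"
        split(val, r, /-/)
        lo[dom] = r[1] + 0; hi[dom] = r[2] + 0
        if (lo[dom] <= local_max)
            printf "idmap range for %s starts at %d: no room for local Unix users below %d\n",
                   dom, lo[dom], local_max
    }
    END {
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
                printf "idmap ranges for %s and %s overlap\n", a, b
    }
    ' "$1"
}

# Number of findings, as a plain integer.
count_findings() {
    lint_smbconf "$1" | wc -l | tr -d ' '
}

TMP=$(mktemp -d)                       # assumption: scratch location
WEAK_CONF=$TMP/smb-weak.conf
HARDENED_CONF=$TMP/smb-hardened.conf

# Constructed input: the [global] section as posted in the thread.
cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = SAM-DOM
   realm = AD.SAM-DOM.EXAMPLE.COM
   security = ads

   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   idmap config SAM-DOM:backend = ad
   idmap config SAM-DOM:range = 1000-999999
   idmap config SAM-DOM:schema_mode = rfc2307

   winbind use default domain = yes
   lanman auth = yes
   map untrusted to domain = yes
EOF

# Constructed hardened variant (assumption): lanman auth dropped, domain range
# moved above the local UID space so a few local admin accounts can exist.
cat > "$HARDENED_CONF" <<'EOF'
[global]
   workgroup = SAM-DOM
   realm = AD.SAM-DOM.EXAMPLE.COM
   security = ads

   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   idmap config SAM-DOM:backend = ad
   idmap config SAM-DOM:range = 100000-999999
   idmap config SAM-DOM:schema_mode = rfc2307

   winbind use default domain = yes
   map untrusted to domain = yes
EOF

echo "== as posted =="; lint_smbconf "$WEAK_CONF"
echo "== hardened =="; lint_smbconf "$HARDENED_CONF"
```

Run it against a real file with `lint_smbconf /etc/samba/smb.conf`; the posted config yields two findings and the hardened variant none. Moving the domain range up does not change the mapping of existing files by itself: with the `ad` backend the UIDs come from the rfc2307 attributes in AD, so those values have to sit inside whatever range is configured.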


