[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

Rowland Penny rpenny at samba.org
Tue Oct 2 15:31:23 UTC 2018


On Tue, 2 Oct 2018 17:00:43 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba
>   On that day it was said...
> 
> > No, but what I do know is this, you should not use guest access on a
> > domain member, Windows turns it off by default. Also 'Guest' doesn't
> > exist on a Unix domain member, you would have to map it to the Unix
> > domain user 'nobody'
> 
> No, this is not exactly true. You forget the 'guest account' option,
> that has the default value 'nobody'.
> 
> So, even without specifying guest mapping, the guest account is mapped to
> 'nobody'.
> 

OK, Windows 'Guest' != Unix 'nobody'
It might seem as if it does, but it doesn't

> 
> > If you have 'winbind use default domain = yes' in smb.conf, winbind
> > will basically just strip off the leading 'DOMAIN\' from user and
> > group names, so the user 'DOMAIN\fred' will become 'fred'.
> > Okay so far ?
> > Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> > there is a user called 'fred' in both domains and you have 'winbind
> > use default domain = yes', you will end up with two users called
> > 'fred'.
> 
> Ok, perfectly clear. But the manpage seems to me to say something different:
> 
>  This parameter specifies whether the winbindd(8) daemon should
> operate on users without domain component in their username. Users
> without a domain component are treated as is part of the winbindd
> server's own domain.

OK, it might say that, but, I have 'winbind use default domain = yes'
set on my Unix domain members and if I run 'getent passwd rowland' on
one, I get:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

But on a DC, where the line has no effect:

SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The line removes the domain name and just leaves the username. You can
use 'winbind use default domain = yes' in smb.conf if you only have one
DOMAIN set, if you set another trusted DOMAIN, you must not use it.

Rowland
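
A check for the combination the message above says to avoid ('winbind use default domain = yes' together with more than one domain), as an added example that is not part of the original post or of Samba itself. It assumes that each 'idmap config NAME : ...' entry other than '*' marks a domain the member resolves users from; the sample smb.conf and the function names are constructed for illustration.

```python
import re

# Constructed sample: a domain member's smb.conf with a second, trusted domain.
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAINA
    security = ADS
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config DOMAINA : backend = rid
    idmap config DOMAINB : backend = rid
"""

def parse_global(text):
    """Return [global] parameters keyed by normalised name.
    smb.conf names are case-insensitive and whitespace in them is ignored."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(text):
    """Return (strips_domain, domains, findings) for one smb.conf text."""
    params = parse_global(text)
    value = params.get("winbindusedefaultdomain", "no").lower()
    strips = value in ("yes", "true", "on", "1")
    # Assumption: each 'idmap config NAME : ...' entry other than '*' names a
    # domain this member resolves users from.
    prefix = "idmapconfig"
    domains = sorted({k[len(prefix):].split(":")[0].upper()
                      for k in params if k.startswith(prefix)} - {"*"})
    findings = []
    if strips and len(domains) > 1:
        findings.append("winbind use default domain = yes is set while "
                        "more than one domain is configured: " + ", ".join(domains))
    return strips, domains, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF)[2]:
        print("WARN:", finding)
```

On a real member, feeding it the output of `testparm -s` instead of the raw file gives the effective configuration with includes resolved.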
 



