[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Rowland Penny
rpenny at samba.org
Tue Oct 2 15:31:23 UTC 2018
On Tue, 2 Oct 2018 17:00:43 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> Hello! Rowland Penny via samba
> On that day it was said...
>
> > No, but what I do know is this, you should not use guest access on a
> > domain member, Windows turns it off by default. Also 'Guest' doesn't
> > exist on a Unix domain member, you would have to map it to the Unix
> > domain user 'nobody'
>
> No, this is not exactly true. You forget the 'guest account' option,
> that has the default value 'nobody'.
>
> So, even without specifying guest mapping, the guest account is mapped to
> 'nobody'.
>
OK, Windows 'Guest' != Unix 'nobody'
It might seem as if it does, but it doesn't
>
> > If you have 'winbind use default domain = yes' in smb.conf, winbind
> > will basically just strip off the leading 'DOMAIN\' from user and
> > group names. so the user 'DOMAIN\fred' will become 'fred'.
> > Okay so far ?
> > Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> > there is a user called 'fred' in both domains and you have 'winbind
> > use default domain = yes', you will end up with two users called
> > 'fred'.
>
> Ok, perfectly clear. But the manpage seems to me to say something different:
>
> This parameter specifies whether the winbindd(8) daemon should
> operate on users without domain component in their username. Users
> without a domain component are treated as is part of the winbindd
> server's own domain.
OK, it might say that, but, I have 'winbind use default domain = yes'
set on my Unix domain members and if I run 'getent passwd rowland' on
one, I get:
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
But on a DC, where the line has no effect:
SAMDOM\rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
The line removes the domain name and just leaves the username. You can
use 'winbind use default domain = yes' in smb.conf if you only have one
DOMAIN set; if you set another trusted DOMAIN, you must not use it.
Rowland
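
The following is an added example, not part of the original message or of Samba itself: a small Python check that reads an smb.conf for a domain member and reports the settings discussed in this thread (guest access and 'winbind use default domain') so they can be reviewed. The sample configuration is constructed, and the function names `norm`, `parse` and `audit` are hypothetical.

```python
import re
# Constructed sample smb.conf for a domain member (not taken from the thread).
SAMPLE = """\
[global]
    security = ADS
    Winbind Use Default Domain = Yes
    map to guest = Bad User
    ; guest ok = yes   (commented out, must be ignored)

[scans]
    path = /srv/scans
    public = yes
[homes]
    guest ok = no
"""

TRUE = {"yes", "true", "1"}

def norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit(text):
    conf, findings = parse(text), []
    g = conf.get("global", {})
    if g.get("security", "").lower() not in ("ads", "domain"):
        return findings  # not a domain member, so the advice does not apply
    if g.get("winbindusedefaultdomain", "no").lower() in TRUE:
        findings.append("global: winbind use default domain = yes (review if more than one domain)")
    if g.get("maptoguest", "never").lower() != "never":
        findings.append("global: map to guest = " + g["maptoguest"])
    for name, params in conf.items():
        # 'public' is a synonym of 'guest ok'
        if any(params.get(k, "no").lower() in TRUE for k in ("guestok", "public")):
            findings.append(name + ": guest access enabled")
    return findings
```
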