[Samba] ADS security mode - authenticating non-domain Linux users
Tim Miller
btmiller at hpc.nih.gov
Tue Jun 4 19:17:57 UTC 2019
Hi All,
We've been beating our heads against a problem here with a new Samba
server that we're trying to bring into production, and I'm hoping that
the members of this list can provide some insight.
Our server is on a Linux CentOS 7.6, Samba version 4.8.3 installed from
distribution packages. Our clients are a mixture of Windows, Mac, and
Linux systems. Most of these clients are joined to the enterprise
domain, as is the server (smb.conf has "server role = member server" and
"security = auto"; we've also set "security = ADS" explicitly).
Users on domain joined systems, regardless of OS, can successfully map
the exports from the server, assumedly using their Kerberos tickets from
the domain controller. However, non-domain joined clients (various
Linux systems) cannot use username/password authentication to map the
network drives - they always get permission denied.
If I go and get Kerberos tickets for the problem clients (using kinit
and friends against the domain controller), mount.cifs with sec=krb5i
works. But we cannot get sec=ntlmsspi to work. This was working on an
older server (CentOS 6.10, Samba 3.6.23), and I think the key is that
the "map untrusted to domain" option was deprecated and eventually
removed in Samba 4.8. Otherwise, the configurations between the older
and newer server are identical.
For non-domain joined clients without Kerberos tickets, I'm guessing
that "map untrusted to domain" was allowing the Samba server to accept
username/password credentials, authenticate them with the domain
controller, and allow access accordingly. However, I can't seem to find
an equivalent way of doing this under Samba 4.8. I found one other user
who seems to be having an identical issue (see
https://unix.stackexchange.com/questions/513169/linux-clients-cant-login-on-samba-share-while-windows-and-mac-can-active-direc
for details), but there does not appear to be a solution.
My questions are:
1. Is my diagnosis of the situation correct, based on the information
that I've given?
2. Is there any way to mimic the behavior of the "map untrusted to
domain" option or otherwise allow username/password authentication
against the domain joined Samba server to work against non-domain joined
systems?
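The two pieces of configuration the post contrasts, an AD member-server smb.conf and the mount.cifs options for a Kerberos mount versus a username/password (NTLMSSP) mount, as an added worked example. This is not Tim's configuration and not Samba project code: the smb.conf is constructed for the demonstration, and the realm EXAMPLE.COM, NetBIOS domain EXAMPLE, host fileserver.example.com, share "data" and user "alice" are placeholders. The script only prints the mount commands, it never runs mount. Passing domain= explicitly on the NTLM mount is the first thing I would check on a non-domain-joined client, so that the NTLMSSP authenticate names the AD domain rather than a local or hostname domain; whether that reproduces what "map untrusted to domain" did for this server is an assumption, not something the post establishes (testparm remains the authoritative check for removed parameters).

```shell
#!/bin/sh
# Added example, not from the original post. All names below are placeholders.

# Write a constructed member-server smb.conf to the path in $1.
# "map untrusted to domain" is included on purpose: it is the option the
# post says current Samba no longer accepts, so the checker can flag it.
write_sample_smbconf() {
  cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   server role = member server
   security = ADS
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
   winbind use default domain = yes
   ; removed parameter (per the post) - testparm will reject it
   map untrusted to domain = yes
[data]
   path = /srv/data
   read only = no
EOF
}

# Print the value of a [global] parameter from smb.conf $1.
# Parameter names are matched case-insensitively with surrounding whitespace
# ignored, the same leniency Samba itself applies; comment lines are skipped.
smbconf_get() { # file param
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
    sec == "[global]" && index($0, "=") > 0 {
      key = substr($0, 1, index($0, "=") - 1)
      val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == want) { print val; exit }
    }' "$1"
}

# Return 0 when the global section describes an AD member server
# ("security = auto" resolves to ADS for a member server).
is_ad_member() { # file
  role=$(smbconf_get "$1" 'server role' | tr 'A-Z' 'a-z')
  sec=$(smbconf_get "$1" 'security' | tr 'A-Z' 'a-z')
  [ "$role" = "member server" ] && { [ "$sec" = "ads" ] || [ "$sec" = "auto" ]; }
}

# Print parameters present in the file that the post says were removed.
# Only the one discussed on this page is listed (assumption: nothing else).
flag_removed_params() { # file
  for p in "map untrusted to domain"; do
    [ -n "$(smbconf_get "$1" "$p")" ] && echo "$p"
  done
  return 0
}

# Build the mount.cifs option string for the two authentication paths.
#   krb5: ticket obtained with kinit; cruid selects whose credential cache
#         the kernel uses, no password is sent.
#   ntlm: username/password; domain= makes the NTLMSSP authenticate carry
#         the AD domain instead of a local/hostname domain (assumed to be the
#         behaviour the removed option used to paper over). mount.cifs
#         prompts for the password because none is given here.
mount_opts() { # mode user domain uid
  case "$1" in
    krb5) printf 'sec=krb5i,cruid=%s,uid=%s' "$4" "$4" ;;
    ntlm) printf 'sec=ntlmsspi,username=%s,domain=%s,uid=%s' "$2" "$3" "$4" ;;
    *)    echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Print (do not run) the mount commands for a non-domain-joined client.
show_mount_cmds() { # user domain uid
  echo "kinit $1@EXAMPLE.COM"
  echo "mount.cifs //fileserver.example.com/data /mnt/data -o $(mount_opts krb5 "$1" "$2" "$3")"
  echo "mount.cifs //fileserver.example.com/data /mnt/data -o $(mount_opts ntlm "$1" "$2" "$3")"
}

conf=$(mktemp)
write_sample_smbconf "$conf"
echo "server role: $(smbconf_get "$conf" 'server role'), security: $(smbconf_get "$conf" security)"
if is_ad_member "$conf"; then echo "AD member server config: ok"; fi
for p in $(flag_removed_params "$conf" | tr ' ' '_'); do
  echo "removed parameter still present: $(echo "$p" | tr '_' ' ')"
done
show_mount_cmds alice EXAMPLE 1000
rm -f "$conf"
```

On a real client, run the printed commands in order: if the krb5i mount works but the ntlmsspi one fails even with domain= set, the problem is on the server's NTLM path (winbind, the machine account, or the domain it sees in the authenticate message), not the client's credentials, and `log level = 3 auth:10` on the server will show which domain name the authentication was evaluated against.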