[Samba] ADS security mode - authenticating non-domain Linux users

Tim Miller btmiller at hpc.nih.gov
Tue Jun 4 19:17:57 UTC 2019 

Hi All,

We've been beating our heads against a problem here with a new Samba 
server that we're trying to bring into production, and I'm hoping that 
the members of this list can provide some insight.

Our server is on a Linux CentOS 7.6, Samba version 4.8.3 installed from 
distribution packages. Our clients are a mixture of Windows, Mac, and 
Linux systems. Most of these clients are joined to the enterprise 
domain, as is the server (smb.conf has "server role = member server" and 
"security = auto"; we've also set "security = ADS" explicitly).

Users on domain joined systems, regardless of OS, can successfully map 
the exports from the server, assumedly using their Kerberos tickets from 
the domain controller.  However, non-domain joined clients (various 
Linux systems) cannot use username/password authenticate to map the 
network drives - they always get permission denied.

If I go and get Kerberos tickets for the problem clients (using kinit 
and friends against the domain controller), mount.cifs with sec=krb5i 
works. But we cannot get sec=ntlmsspi to work. This was working on an 
older server (CentOS 6.10, Samba 3.6.23), and I think the key is that 
the "map untrusted to domain" option was deprecated and eventually 
removed in Samba 4.8. Otherwise, the configurations between the older 
and newer server are identical.

For non-domain joined clients without Kerberos tickets , I'm guessing 
that "map untrusted to domain" was allowing the Samba server to accept 
username/password credentials, authenticate them with the domain 
controller, and allow access accordingly. However, I can't seem to find 
an equivalent way of doing this under Samba 4.8. I found one other user 
who seems to be having an identical issue (see 
https://unix.stackexchange.com/questions/513169/linux-clients-cant-login-on-samba-share-while-windows-and-mac-can-active-direc 
for details), but there does not appear to be a solution.

My questions are:

1. Is my diagnosis of the situation correct, based on the information 
that I've given?

2. Is there any way to mimic the behavior of the "map untrusted to 
domain" option or otherwise allow username/password authentication 
against the domain joined Samba server to work against non-domain joined 
systems?

More information about the samba mailing list