[Samba] ADS security mode - authenticating non-domain Linux users
Rowland penny
rpenny at samba.org
Tue Jun 4 20:00:09 UTC 2019
On 04/06/2019 20:17, Tim Miller via samba wrote:
> Hi All,
>
> We've been beating our heads against a problem here with a new Samba
> server that we're trying to bring into production, and I'm hoping that
> the members of this list can provide some insight.
>
> Our server is on a Linux CentOS 7.6, Samba version 4.8.3 installed
> from distribution packages. Our clients are a mixture of Windows, Mac,
> and Linux systems. Most of these clients are joined to the enterprise
> domain, as is the server (smb.conf has "server role = member server"
> and "security = auto"; we've also set "security = ADS" explicitly).
>
> Users on domain joined systems, regardless of OS, can successfully map
> the exports from the server, assumedly using their Kerberos tickets
> from the domain controller. However, non-domain joined clients
> (various Linux systems) cannot use username/password authentication to
> map the network drives - they always get permission denied.
They would do; they are unknown to the domain.
>
> If I go and get Kerberos tickets for the problem clients (using kinit
> and friends against the domain controller), mount.cifs with sec=krb5i
> works. But we cannot get sec=ntlmsspi to work. This was working on an
> older server (CentOS 6.10, Samba 3.6.23), and I think the key is that
> the "map untrusted to domain" option was deprecated and eventually
> removed in Samba 4.8. Otherwise, the configurations between the older
> and newer server are identical.
>
This is very probably for the same reason, the user is unknown to the
domain.
> For non-domain joined clients without Kerberos tickets, I'm guessing
> that "map untrusted to domain" was allowing the Samba server to accept
> username/password credentials, authenticate them with the domain
> controller, and allow access accordingly. However, I can't seem to
> find an equivalent way of doing this under Samba 4.8. I found one
> other user who seems to be having an identical issue (see
> https://unix.stackexchange.com/questions/513169/linux-clients-cant-login-on-samba-share-while-windows-and-mac-can-active-direc
> for details), but there does not appear to be a solution.
'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become
'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has
the correct password, then access will be allowed. The parameter 'map
untrusted to domain' was removed at Samba 4.8.0; it was deprecated at 4.7.0.
>
> My questions are:
>
> 1. Is my diagnosis of the situation correct, based on the information
> that I've given?
>
Yes
> 2. Is there any way to mimic the behavior of the "map untrusted to
> domain" option or otherwise allow username/password authentication
> against the domain joined Samba server to work against non-domain
> joined systems?
>
Yes, it is called 'join the machine to the domain' or if the machine is
joined to another domain, use trusts.
Rowland
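An added example, not code from this thread or from the Samba project: a small POSIX sh script that scans an smb.conf carried over from an older server for the parameter the thread identifies as removed in 4.8.0 ('map untrusted to domain'), and builds the client-side mount options for the working case Rowland's answer points to (a Linux client that is itself joined to the domain and mounts with Kerberos). Both smb.conf files are constructed here; the realm, workgroup, server and share names are placeholders. The 'cruid' and 'multiuser' mount options come from mount.cifs(8) and are not mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Two constructed smb.conf files:
# OLD_CONF copies what a Samba 3.6 member server might carry over,
# NEW_CONF is written for Samba 4.8+, where the thread says the
# 'map untrusted to domain' parameter no longer exists.

OLD_CONF=$(mktemp)
NEW_CONF=$(mktemp)
trap 'rm -f "$OLD_CONF" "$NEW_CONF"' EXIT

cat >"$OLD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   security = ADS
   map untrusted to domain = yes
EOF

cat >"$NEW_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.ORG
   server role = member server
   security = ADS
   ; map untrusted to domain = yes   <- commented out: removed in 4.8.0
EOF

# check_removed_params FILE
# Returns 0 if FILE does not set 'map untrusted to domain', 1 if it does.
# The match ignores case and whitespace, as smbd does when reading the
# file, and skips lines commented out with ';' or '#' because the regex is
# anchored at the start of the line. testparm(1) gives the authoritative
# answer for a full config; this only looks for the one parameter the
# thread is about.
check_removed_params() {
    if grep -iE '^[[:space:]]*map[[:space:]]+untrusted[[:space:]]+to[[:space:]]+domain[[:space:]]*=' "$1" >/dev/null; then
        echo "WARNING: $1 sets 'map untrusted to domain'; deprecated in 4.7.0, removed in 4.8.0, so NTLM logons from non-domain clients are refused" >&2
        return 1
    fi
    return 0
}

# krb5_mount_opts UID
# Mount options for a client that has been joined to the domain and whose
# user holds a ticket: Kerberos with integrity (sec=krb5i) as in the
# thread's working case. 'cruid' names the user whose credential cache the
# kernel should use; 'multiuser' lets each logged-in user present their
# own ticket instead of sharing the mounting user's.
krb5_mount_opts() {
    echo "sec=krb5i,cruid=$1,multiuser"
}

# Demonstration run over the two constructed configs.
for f in "$OLD_CONF" "$NEW_CONF"; do
    if check_removed_params "$f"; then
        echo "$f: no removed parameter found"
    fi
done
echo "client mount options for uid $(id -u): $(krb5_mount_opts "$(id -u)")"

# Sequence on the Linux client once it is joined, not executed here:
#   net ads join -U Administrator                    # join the client to the domain
#   kinit user@EXAMPLE.ORG                           # the user obtains a ticket
#   mount.cifs //server.example.org/share /mnt/share \
#       -o "$(krb5_mount_opts "$(id -u)")"
```

The script exits the check with status 1 on the old-style config, which is the situation the thread describes: the parameter that used to rewrite an unknown client domain into the local one is gone, so the remaining fix is the one in the reply, joining the client (or setting up a trust) and mounting with sec=krb5i.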