[Samba] ADS security mode - authenticating non-domain Linux users

Rowland penny rpenny at samba.org
Tue Jun 4 20:00:09 UTC 2019 

On 04/06/2019 20:17, Tim Miller via samba wrote:
> Hi All,
>
> We've been beating our heads against a problem here with a new Samba 
> server that we're trying to bring into production, and I'm hoping that 
> the members of this list can provide some insight.
>
> Our server is on a Linux CentOS 7.6, Samba version 4.8.3 installed 
> from distribution packages. Our clients are a mixture of Windows, Mac, 
> and Linux systems. Most of these clients are joined to the enterprise 
> domain, as is the server (smb.conf has "server role = member server" 
> and "security = auto"; we've also set "security = ADS" explicitly).
>
> Users on domain joined systems, regardless of OS, can successfully map 
> the exports from the server, assumedly using their Kerberos tickets 
> from the domain controller.  However, non-domain joined clients 
> (various Linux systems) cannot use username/password authenticate to 
> map the network drives - they always get permission denied.
They would do, they are unknown to the domain
>
> If I go and get Kerberos tickets for the problem clients (using kinit 
> and friends against the domain controller), mount.cifs with sec=krb5i 
> works. But we cannot get sec=ntlmsspi to work. This was working on an 
> older server (CentOS 6.10, Samba 3.6.23), and I think the key is that 
> the "map untrusted to domain" option was deprecated and eventually 
> removed in Samba 4.8. Otherwise, the configurations between the older 
> and newer server are identical.
>
This is very probably for the same reason, the user is unknown to the 
domain.
> For non-domain joined clients without Kerberos tickets , I'm guessing 
> that "map untrusted to domain" was allowing the Samba server to accept 
> username/password credentials, authenticate them with the domain 
> controller, and allow access accordingly. However, I can't seem to 
> find an equivalent way of doing this under Samba 4.8. I found one 
> other user who seems to be having an identical issue (see 
> https://unix.stackexchange.com/questions/513169/linux-clients-cant-login-on-samba-share-while-windows-and-mac-can-active-direc 
> for details), but there does not appear to be a solution.
'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become 
'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has 
the correct password, then access will be allowed. The parameter 'map 
untrusted to domain was removed at Samba 4.8.0, it was deprecated at 4.7.0
>
> My questions are:
>
> 1. Is my diagnosis of the situation correct, based on the information 
> that I've given?
>
Yes
> 2. Is there any way to mimic the behavior of the "map untrusted to 
> domain" option or otherwise allow username/password authentication 
> against the domain joined Samba server to work against non-domain 
> joined systems?
>
Yes, it is called 'join the machine to the domain' or if the machine is 
joined to another domain, use trusts.

Rowland

More information about the samba mailing list