[Samba] ADS security mode - authenticating non-domain Linux users

Tim Miller btmiller at hpc.nih.gov
Wed Jun 5 01:49:43 UTC 2019

Hi Rowland,

Thanks very much for the reply and confirming what I suspected. One 
quick questions in-line, if I may:

On 6/4/19 4:00 PM, Rowland penny via samba wrote:
> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become 
> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has 
> the correct password, then access will be allowed. The parameter 'map 
> untrusted to domain was removed at Samba 4.8.0, it was deprecated at 
> 4.7.0
I found the patch that deprecated the option, with the comment (quoting 
from Volker Lendecke in 

 > In an active directory environment, we don't know of
 >a good way to enumerate all domains that we have to accept as trusted,
 >in particular with multiple forests, one-way and external trusts. We
 >hope to replace this parameter in the future with something that matches
 >Windows behaviour better, after the deprecation phase of this parameter
 >is over and we can remove it.

Any notion of whether such a replacement is on the horizon at present? 
If not, we'll live with the behavior as-is.


More information about the samba mailing list