[Samba] ADS security mode - authenticating non-domain Linux users

Rowland penny rpenny at samba.org
Wed Jun 5 07:17:55 UTC 2019

On 05/06/2019 02:49, Tim Miller via samba wrote:
> Hi Rowland,
> Thanks very much for the reply and confirming what I suspected. One 
> quick question in-line, if I may:
> On 6/4/19 4:00 PM, Rowland penny via samba wrote:
>> 'map untrusted to domain' made 'UNKNOWNDOMAIN\fred' become 
>> 'LOCALDOMAIN\fred' and if 'fred' is a member of 'LOCALDOMAIN' and has 
>> the correct password, then access will be allowed. The parameter 'map 
>> untrusted to domain' was removed at Samba 4.8.0, it was deprecated at 
>> 4.7.0
> I found the patch that deprecated the option, with the comment 
> (quoting from Volker Lendecke in 
> https://lists.samba.org/archive/samba-technical/2017-March/119417.html):
> > In an active directory environment, we don't know of
> > a good way to enumerate all domains that we have to accept as trusted,
> > in particular with multiple forests, one-way and external trusts. We
> > hope to replace this parameter in the future with something that matches
> > Windows behaviour better, after the deprecation phase of this parameter
> > is over and we can remove it.
> Any notion of whether such a replacement is on the horizon at present? 
> If not, we'll live with the behavior as-is.
> Regards,
> Tim
Sorry, but I have no idea what Volker is planning, if anything. That 'we 
hope' has the sound of 'perhaps' to me ;-)

