[Samba] SMB share access for machines which are not joined to the domain?

Rowland penny rpenny at samba.org
Tue Jun 25 17:56:32 UTC 2019


On 25/06/2019 18:37, Goetz, Patrick G via samba wrote:
>
> On 6/25/19 11:21 AM, Gregory Sloop via samba wrote:
>> You can always connect to the SMB share using a domain user/password credential set, even if you're not a member of the domain.
>> Something like - Connect as: User: "somedomain\pat" with Pat's password.
>>
>
> When we try this from a machine that is not connected to the domain,
> authentication fails:
>
>
> C:\Users\cns-dbr2717>net use * \\cns-bio-krak1.austin.utexas.edu\emtifs /user:austin.utexas.edu\dbr2717
> System error 1311 has occurred.
>
> We can't sign you in with this credential because your domain isn't
> available. Make sure your device is connected to your organization's
> network and try again. If you previously signed in on this device with
> another credential, you can sign in with that credential.
>
> We experimented, switching between
>
>       security = ADS
> and
>       security = user
>
> This doesn't seem to matter for domain users connecting from a domain
> host, but neither works for a domain user connecting from a non-domain
> host. Connecting to a Windows SMB server, this does work.
>
> Some information found online seems to suggest that this (domain user,
> non-domain host) *would* work if we were running winbind, but Rowland
> seems to suggest this isn't the case, either.  In theory it should be
> possible to run sssd and winbind on the SMB server, but we put some
> minimal effort into this and couldn't get it to work.  Likely will work
> in a couple of software iterations.

First, what part of 'Red Hat doesn't support the use of sssd with Samba' 
do you not understand? ;-)

You cannot run sssd and winbind on the same machine.

You must use 'security = ADS' on an AD joined machine.

If you are running Samba >= 4.8.0 on a Unix domain member, you must run 
winbind.

The problem with using a user from an unjoined machine is probably the 
username. Every computer running Windows or Samba is a member of a 
workgroup unless it is joined to a domain. This means that it will be 
sending WORKGROUP\username and a domain member will be expecting 
DOMAIN\username, so try connecting as DOMAIN\username.

Rowland




