[Samba] SMB share access for machines which are not joined to the domain?
rpenny at samba.org
Tue Jun 25 17:56:32 UTC 2019
On 25/06/2019 18:37, Goetz, Patrick G via samba wrote:
> On 6/25/19 11:21 AM, Gregory Sloop via samba wrote:
>> You can always connect to the SMB share using a domain user/password credential set, even if you're not a member of the domain.
>> Something like - Connect as: User: "somedomain\pat" with Pat's password.
> When we try this from a machine that is not connected to the domain,
> authentication fails:
> C:\Users\cns-dbr2717>net use * \\cns-bio-krak1.austin.utexas.edu\emtifs
> System error 1311 has occurred.
> We can't sign you in with this credential because your domain isn't
> available. Make sure your device is connected to your organization's
> network and try again. If you previously signed in on this device with
> another credential, you can sign in with that credential.
> We experimented, switching between
> security = ADS
> security = user
> This doesn't seem to matter for domain users connecting from a domain
> host, but neither works for a domain user connecting from a non-domain
> host. Connecting to a Windows SMB server, this does work.
> Some information found online seems to suggest that this (domain user,
> non-domain host) *would* work if we were running winbind, but Rowland
> seems to suggest this isn't the case, either. In theory it should be
> possible to run sssd and winbind on the SMB server, but we put some
> minimal effort into this and couldn't get it to work. Likely will work
> in a couple of software iterations.
First, what part of 'Red Hat doesn't support the use of sssd with Samba'
do you not understand? ;-)
You cannot run sssd and winbind on the same machine.
You must use 'security = ADS' on an AD joined machine.
If you are running Samba >= 4.8.0 on a Unix domain member, you must run
The problem with using a user from an unjoined machine is probably the
username. Every computer running Windows or Samba is a member of a
workgroup unless it is joined to a domain. This means that it will be
sending WORKGROUP\username and a domain member will be expecting
DOMAIN\username, so try connecting as DOMAIN\username.