[Samba] SMB share access for machines which are not joined to the domain?

[Goetz, Patrick G]

On 6/25/19 12:56 PM, Rowland penny via samba wrote:
>> C:\Users\cns-dbr2717>net use * \\cns-bio-krak1.austin.utexas.edu\emtifs
>> /user:austin.utexas.edu\dbr2717
>> System error 1311 has occurred.
>>
<snip>
> 
> First, what part of 'Red-hat doesn't support the use of sssd with Samba' 
> do you not understand ? ;-)
>

Hmmm, "support" and "works" are 2 different things.  We do have Samba 
4.8.3 working fine with sssd.


> You cannot run sssd and winbind on the same machine.
>

I don't understand why that would be, though.  This person appears to 
have it working, providing this comment:

"Please check the list archive for config examples. The main idea is to 
add idmap_sss to the Samba configuration to make sure winbind and SSSD 
use the same id-mapping, see man idmap_sss for details as well."  The 
very existence of idmap_sss calls the validity of your statement into 
question, doesn't it?

This URL includes an example, but -- disclaimer -- we were not able to 
get this working with the packaged versions shipped with CentOS 7.6.1810

https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/thread/U66MEJBMXVJWJVCBORS2KBP7BIAGZ57H/


> 
> If you are running Samba >= 4.8.0 on an Unix domain member, you must run 
> winbind.

See above; we have a fully functionally smbd from 4.8.3 running without 
winbind.


> 
> The problem with using user from an unjoined machine is probably the 
> username. Every computer running Windows or Samba is a member of a 
> workgroup unless it is joined to a domain. This means that it will be 
> sending WORKGROUP\username and a domain member will be expecting 
> DOMAIN\username, so try connecting as DOMAIN\username.
> 

But isn't DOMAIN\username exactly what I'm doing in the example provided 
at the top of this message?




> Rowland
> 
> 
>