[Samba] to shares access from non-member clients/nodes

Joachim Lindenberg samba at lindenberg.one
Sun Sep 1 07:45:20 UTC 2019

To the original question
> Should nodes/clients outside of domain (non-members) be able to access (with user+pass) Samba shares?
I was tempted to write "yes, of course", but then I realized the share I was thinking of is hosted by Windows rather than Samba...
What does work: non-domain clients can connect to a Windows share hosted by a domain member using domain\user + password. I am using that frequently. Now if I try something similar with a Samba share, it fails. The only Samba shares I run are those shared by the domain controllers, thus I tried "net use \\boa.samba.lindenberg.one\sysvol /user:samba\joachim", but after supplying the password several times I get system error 5 permission denied. OK, sysvol is not really relevant to non-domain clients, but what that tells me is that there is a difference in behavior between Samba and Windows servers.
I am not ruling out it can be a configuration issue as well, but at least looking at the security tab of the shares with Windows Explorer I cannot really tell why it should fail.
Thanks, Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Friday, 30 August 2019 20:35
To: samba at lists.samba.org
Subject: Re: [Samba] to shares access from non-member clients/nodes

On 30/08/2019 19:13, lejeczek via samba wrote:
> On 30/08/2019 17:25, Rowland penny via samba wrote:
>> On 30/08/2019 17:12, lejeczek via samba wrote:
>>> hi guys,
>>> with Samba as below
>>> [global]
>>>       workgroup = NNNR
>>>       netbios name = PA2
>>>       realm = PRIVATE.REALM.MINE
>>>       kerberos method = dedicated keytab
>>>       dedicated keytab file = /etc/samba/samba.keytab
>>>       create krb5 conf = no
>>>       security = user
>>>       domain master = yes
>>>       domain logons = yes
>>> Should nodes/clients outside of domain (non-members) be able to 
>>> access (with user+pass) Samba shares?
>>> many thanks, L.
>> 99% of that smb.conf is for a Unix Domain member, but 'security = 
>> user' should be 'security = ADS' and it wouldn't be a PDC (domain 
>> master = yes) because it is using kerberos.
>> There are also no auth lines that are required for a Unix domain 
>> member.
>> To put it another way, that is a borked smb.conf.
>> If you just want a standalone server, see here:
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
>> If you want something else, please explain just what you are trying 
>> to achieve.
>> Rowland
> Yes, it's a unix domain for it's a "regular" FreeIPA's Samba. Out of 
> box this, I think, only does windows when trusted to an AD and from 
> there, from/via AD win clients work.
> But I was hoping that outside of kerberos/domain clients(win 10), 
> perhaps with user+pass could be mangled into such FreeIPA's Samba.
> many thanks, L.

I think you need to think the other way, how to use Samba with FreeIPA, which I haven't got a clue about, but here is a starting point:


