[Samba] to shares access from non-member clients/nodes
samba at lindenberg.one
Sun Sep 1 07:45:20 UTC 2019
To the original question
> Should nodes/clients outside of domain (non-members) be able to access (with user+pass) Samba shares?
I was tempted to write "yes, of course", but then I realized the share I was thinking of is hosted by Windows rather than Samba...
What does work: non-domain clients can connect to a Windows share hosted by a domain member using domain\user + password. I am using that frequently. Now if I try similar with a Samba share it fails. The only Samba shares I run are those shared by the domain controllers, thus I tried "net use \\boa.samba.lindenberg.one\sysvol /user:samba\joachim", but after supplying the password several times I get system error 5 permission denied. OK, sysvol is not really relevant to non-domain clients, but what that tells me is that there is a difference in behavior between Samba and Windows servers.
I am not ruling out it can be a configuration issue as well, but at least looking at the security tab of the shares with Windows Explorer I cannot really tell why it should fail.
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland penny via samba
Sent: Friday, 30 August 2019 20:35
To: samba at lists.samba.org
Subject: Re: [Samba] to shares access from non-member clients/nodes
On 30/08/2019 19:13, lejeczek via samba wrote:
> On 30/08/2019 17:25, Rowland penny via samba wrote:
>> On 30/08/2019 17:12, lejeczek via samba wrote:
>>> hi guys,
>>> with Samba as below
>>> workgroup = NNNR
>>> netbios name = PA2
>>> realm = PRIVATE.REALM.MINE
>>> kerberos method = dedicated keytab
>>> dedicated keytab file = /etc/samba/samba.keytab
>>> create krb5 conf = no
>>> security = user
>>> domain master = yes
>>> domain logons = yes
>>> Should nodes/clients outside of domain (non-members) be able to
>>> access (with user+pass) Samba shares?
>>> many thanks, L.
>> 99% of that smb.conf is for a Unix Domain member, but 'security =
>> user' should be 'security = ADS' and it wouldn't be a PDC (domain
>> master = yes) because it is using kerberos.
>> There are also no auth lines that are required for a Unix domain
>> To put it another way, that is a borked smb.conf.
>> If you just want a standalone server, see here:
>> If you want something else, please explain just what you are trying
>> to achieve.
> Yes, it's a unix domain for it's a "regular" FreeIPA's Samba. Out of
> box this, I think, only does windows when trusted to an AD and from
> there, from/via AD win clients work.
> But I was hoping that outside of kerberos/domain clients(win 10),
> perhaps with user+pass could be mangled into such FreeIPA's Samba.
> many thanks, L.
I think you need to think the other way, how to use Samba with FreeIPA, which I haven't got a clue about, but here is a starting point: