[Samba] Machines joined to a domain can't access shares on standalone Samba server

Robert Marcano robert at marcanoonline.com
Sun Sep 29 18:48:11 UTC 2019

Greetings. I updated an old server to run Samba 4.9; it was running a
distribution that still supported Samba 3.x. That Samba server has always
been standalone; there is no interest in joining it to the Windows AD
domain already in place.

When it was running Samba 3, users on a Windows domain-joined machine
were able to use the user defined on the Samba server to access the
share. The user was added to the server as a normal Linux user, and the
Samba password was added with smbpasswd -a.

Now, on the updated installation, users from Windows domain-joined machines
can't access the shares, no matter whether the user used <hostname>\user,
localhost\user, <workgroup>\user or simply user.

We know the user authentication is working fine because, from another Linux
machine or a Windows laptop that isn't joined to the domain, the user is
perfectly authenticated and can access the share contents.

The problem could be an extra security setting on the Windows-based AD
domain, which I don't manage, but I wish to give the admins a hint of a fix;
hopefully someone has already experienced this. Maybe the way to refer to a
local user on the standalone server is different from the names already tried.

The smb.conf is pretty simple (with some small redactions of the names). Any
help is greatly appreciated.

- Played unsuccessfully with the "username map" setting just to check if I
could map the user.
- Accessing the standalone server by IP still fails with authentication
(trying to fall back to SMB1 for testing).
- Increasing log verbosity, I see things like:

check_ntlm_password:  Checking password for unmapped user
[WIN_DOMAIN]\[Windows User]@[Windows_host] with the new password interface
check_ntlm_password:  mapped user is: [WIN_DOMAIN]\[Windows

auth_check_ntlm_password: sam_ignoredomain authentication for user
[linux_user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1

[global]
# Tried with the workgroup being the same as the Windows AD domain and
workgroup = DOMAIN
security = user
netbios aliases = ALIAS

# Added only to allow browsing the shares without authentication (tried
# without this too)
map to guest = Bad User

passdb backend = tdbsam

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes

[<share_name_here>]
comment = <comment here>
path = <valid_path_here>
browsable = no
create mask = 0660
directory mask = 0770
force group = our_group
write list = @our_group
valid users = @our_group

Robert Marcano
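The log above shows Samba checking the password for [WIN_DOMAIN]\[Windows User] and the check ending in NT_STATUS_WRONG_PASSWORD. One mechanism worth keeping in mind when reading such logs: in NTLMv2 (MS-NLMP 3.3.2) the user name and the domain string the client puts in its AUTHENTICATE message are inputs to the response key, so a verifier that recomputes the proof with a different domain string gets a mismatch even when the stored password is right. The Python below is an added example, not code from this post or from Samba; it implements NTLMv2 from the specification with a pure-Python MD4 (OpenSSL 3 builds of hashlib often disable md4) and uses a constructed password, host name, challenges and target info. Whether this is what is happening on the poster's server cannot be told from the posted log.

```python
"""NTLMv2 response computation (MS-NLMP 3.3.2), added illustration only.
Shows that the domain string used by the verifier must match the one the
client used, while the user name is case-insensitive."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib.new('md4') is often unavailable)."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for func, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                j = (-i) % 4  # register updated this step: a, d, c, b, a, ...
                p, q, s = r[(1 - i) % 4], r[(2 - i) % 4], r[(3 - i) % 4]
                r[j] = rotl((r[j] + func(p, q, s) + x[idx] + k) & MASK32, shifts[i % 4])
        state = [(a + b) & MASK32 for a, b in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password (what smbpasswd stores in tdbsam)."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)).
    The user is uppercased by the spec; the domain is used verbatim."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pairs(pairs) -> bytes:
    """Encode AV_PAIR target info (id, UTF-16LE value) terminated by MsvAvEOL."""
    out = b""
    for av_id, value in pairs:
        v = value.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(v)) + v
    return out + struct.pack("<HH", 0, 0)


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure: RespType 1, HiRespType 1, Z(6), time, nonce, Z(4), AVs, Z(4)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp)."""
    return hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()


def client_authenticate(password, user, domain, server_challenge, client_challenge, ts, target_info):
    """Client side: returns (domain, user, NtChallengeResponse) as sent in AUTHENTICATE."""
    blob = ntlmv2_blob(ts, client_challenge, target_info)
    return domain, user, nt_proof(nt_hash(password), user, domain, server_challenge, blob) + blob


def server_verify(stored_nt, user, domain, server_challenge, nt_challenge_response) -> bool:
    """Server side: recompute the proof with the user/domain strings it chooses."""
    proof, blob = nt_challenge_response[:16], nt_challenge_response[16:]
    return hmac.compare_digest(proof, nt_proof(stored_nt, user, domain, server_challenge, blob))


def demo():
    # Constructed inputs (hypothetical password, host and domain names).
    stored = nt_hash("S3cret!")  # as if created with smbpasswd -a
    sc, cc = bytes.fromhex("0123456789abcdef"), bytes.fromhex("aaaaaaaaaaaaaaaa")
    ti = av_pairs([(2, "WIN_DOMAIN"), (1, "SAMBAHOST")])  # MsvAvNbDomainName, MsvAvNbComputerName
    dom, usr, resp = client_authenticate("S3cret!", "linux_user", "WIN_DOMAIN", sc, cc, 0, ti)
    return {
        "client_domain": server_verify(stored, usr, dom, sc, resp),            # True
        "user_case_ignored": server_verify(stored, "LINUX_USER", dom, sc, resp),  # True
        "empty_domain": server_verify(stored, usr, "", sc, resp),             # False
        "other_domain": server_verify(stored, usr, "ALIAS", sc, resp),        # False
        "domain_case": server_verify(stored, usr, "win_domain", sc, resp),    # False
        "wrong_password": server_verify(nt_hash("S3cret"), usr, dom, sc, resp),  # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'OK' if ok else 'NT_STATUS_WRONG_PASSWORD'}")
```

The point of the demo: a correct stored hash still fails verification whenever the verifier pairs it with a domain string the client did not use, and a wrong-password error is all an SMB client or a plain log line shows in either case. When reading Samba's check_ntlm_password output, compare the domain it reports for the unmapped user against what the client actually sent.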

