[Samba] accessing foreign AD users to NT domain

Rowland penny rpenny at samba.org
Mon Aug 24 15:39:42 UTC 2020

On 24/08/2020 16:18, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>    On that day wrote...
>> Who was this 'someone' ?
> [...]
>> Yes, stop listening to spurious people who have never done the upgrade and
>> follow our documentation ;-)
> I'm 'someone'! ;-)
What is this? Spartacus? You are the second person to claim to be 
'someone' ;-)
> And, as you know, I've correctly migrated/merged 4 NT domains into an AD
> domain some years ago, following also hints from this list. ;-)
Yes, I have some recollection of that.
> As just discussed on this list, while 'classicupgrade' is clearly the
> main path for a migration, it poses some glitches.
>   - there's no 'merge' of multiple domains
To be honest, I don't think most people will want to merge domains, but 
that is a valid point.
>   - it is a go/no go tool, there's no way back.
I think I already said that.
> So building a new domain is, surely, a longer path, but, at least for
> me, the smoothest one.
You can also get rid of some of the old ways of doing things (using the 
RID as a Unix ID for one).
> Sure. But ACLs are evaluated 'locally' on the server we are connecting to,
> so we can build a totally different domain, with different groups and
> ACLs, this is not the point.
If you use 'acl_xattr', then the permissions might not be set locally.
> The point here is that, as Louis says, something changed in
> samba/windows client OS and something that worked without trouble with
> Win7/samba4.5 two years ago seems not to work now.
I know that now, but I didn't before, but I have been banging on for at 
least the last two years, UPGRADE!
> I've suggested also to Paolo to:
>   + enable on servers/domain members 'winbind use default domain = yes'
>   + try to access shares with IP, to (try to) 'disable' kerberos auth
As kerberos cannot use IPs, there is a good chance of that.
> If it was Win10, surely SMB1 would also have to be enabled, but it seems that
> Win7 does not work anymore either... so we are asking here...

As far as I am aware, SMBv1 is still readily available on Win7, but from 
Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you 
will need to set:

client min protocol = NT1

server min protocol = NT1

in smb.conf

Or make Windows only use NTLMv2 and lose network browsing and the 
ability to connect to NT4-style domains.
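Added here as an example (not code from the thread or from Samba): a small Python check that parses the [global] section of an smb.conf and reports whether the two NT1 settings above leave SMBv1 reachable, assuming the Samba 4.11 built-in default of SMB2_02 for both parameters; the sample configs are constructed.

```python
# Added example: audit an smb.conf for the SMBv1 settings discussed above.
# Assumes the Samba 4.11+ built-in default of SMB2_02 for both parameters.
DEFAULT_MIN_PROTOCOL = "SMB2_02"
# Dialects in the SMB1 family; any of these as a minimum keeps SMBv1 reachable.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_global(smb_conf: str) -> dict:
    """Return the [global] parameters, keys lower-cased with collapsed whitespace."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.split()).lower()] = value.strip()
    return params


def smb1_status(smb_conf: str) -> dict:
    """Effective minimum protocol per side and whether it still admits SMBv1."""
    g = parse_global(smb_conf)
    result = {}
    for side in ("client", "server"):
        value = g.get(f"{side} min protocol")
        if value is None and side == "server":
            value = g.get("min protocol")        # older synonym for the server setting
        value = (value or DEFAULT_MIN_PROTOCOL).upper()
        result[side] = {"min protocol": value, "smb1_allowed": value in SMB1_DIALECTS}
    return result


# Constructed sample: the settings from the thread that re-enable SMBv1.
SMB1_CONF = """[global]
   workgroup = EXAMPLE
   client min protocol = NT1
   server min protocol = NT1
"""
# Constructed sample: nothing set, so the 4.11 defaults apply and SMBv1 stays off.
HARDENED_CONF = """[global]
   workgroup = EXAMPLE
"""

if __name__ == "__main__":
    for name, conf in (("thread", SMB1_CONF), ("hardened", HARDENED_CONF)):
        print(name, smb1_status(conf))
```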