[Samba] accessing foreign AD users to NT domain

L.P.H. van Belle belle at bazuin.nl
Tue Aug 25 07:31:58 UTC 2020

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland penny via samba
> Sent: Monday 24 August 2020 17:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
> On 24/08/2020 16:18, Marco Gaiarin via samba wrote:
> > Hello! Rowland penny via samba
> >    On that day you were saying...
> >
> >> Who was this 'someone'?
> > [...]
> >> Yes, stop listening to spurious people who have never done the upgrade and
> >> follow our documentation ;-)
> > I'm 'someone'! ;-)
> What is this? Spartacus? You are the second person to claim to be
> 'someone' ;-)

LoL :-) but Marco is correct, we both said it :-) heheh..

> >
> > And, as you know, I've correctly migrated/merged 4 NT domains into an AD
> > domain some years ago, following also hints from this list. ;-)
> Yes, I have some recollection of that.
> > As just discussed in this list, while 'classicupgrade' is clearly the
> > main path for a migration, it poses some glitches.
> >   - there's no 'merge' of multiple domains

> To be honest, I don't think most people will want to merge 
> domains, but that is a valid point.

> >   - it is a go/no go tool, there's no way back.
> I think I already said that.
> > So building a new domain is surely a longer path, but, at least for
> > me, the smoothest one.

> You can also get rid of some of the old ways of doing things
> (using the RID as a Unix ID for one).

Why use RID? I can't use RID. And RID is bad in my opinion.
Sure, if you have one server, RID is fine, but with multiple servers, well, don't use RID.
RID is just a cheap way to make things work.
And (in my opinion) the biggest disadvantage of RID isn't even on the RID page.
But you can find it on the AD backend page, as an advantage.

> IDs are only cached locally, they are stored in the AD database on DCs.
> This means that if the local cache becomes corrupt the file ownerships are not lost.

So imagine you're under stress, your server went down.
Now you're setting up a new one, restoring backups, hastily you let your users connect and...

Everything is wrong, all your ACLs are messed up.

The biggest disadvantage...

> If the Windows Active Directory Users and Computers (ADUC) program is not used,
> you have to manually track ID values to avoid duplicates.

I'm still waiting for Rowland's patch to go into Samba.
It's just crazy that even when we can use and add UnixAttributes, they are not stored in the AD.
This would help so much if it's in; maintaining UIDs/GIDs manually is not an option, that's craziness
and forces you into RID, but this is my personal opinion.

I don't like the RID backend in general, but you can use it.
It all depends on your needs and what you're willing to risk, what and where.

> > Sure. But ACLs are evaluated 'locally' on the server we are connecting to,
> > so we can build a totally different domain, with different groups and
> > ACLs; this is not the point.

> If you use 'acl_xattr', then the permissions might not be set locally.
? Uhm, acl_xattr and the permissions might not be set locally?

What did I miss here?
The permissions might not be set locally? But then where are they stored?

> >
> > The point here is that, as Louis said, something changed in
> > samba/windows client OS and something that worked without trouble with
> > Win7/samba4.5 two years ago seems not to work now.

> I know that now, but I didn't before, but I have been banging 
> on for at least the last two years, UPGRADE!

> >
> >
> > I've suggested also to Paolo to:
> >
> >   + enable on servers/domain members 'winbind use default domain = yes'
> >
> >   + try to access shares with IP, to (try to) 'disable' kerberos auth
> As kerberos cannot use IP's, there is a good chance of that.
> > If it was Win10, surely SMB1 would also have to be enabled, but it seems
> > that Win7 also does not work anymore... so we are asking here...

> As far as I am aware, SMBv1 is still readily available on Win7, but from
> Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you
> will need to set:
> client min protocol = NT1
> server min protocol = NT1
> in smb.conf
> Or make Windows only use NTLMv2 and lose network browsing and the
> ability to connect to NT4-style domains.
> Rowland

> The point here is that, as Louis says, something changed in
> samba/windows client OS and something that worked without trouble with
> Win7/samba4.5 two years ago seems not to work now.
15 years for me now, I'm replacing the server, I wrote a manual for it 15 years ago.

Here Windows XP, Windows 7 and Windows 10 do work, they do log in without problems.
Only the drive mappings are shown as disabled now and then.

And this shifts users, so what happened, I really don't know, but the simple net use command
fixes my problem. The problem is only with 1 server, and that runs Samba 3.6.6.
I'm replacing it this week. Finally.
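As an added example, not taken from this thread or from the Samba project's own documentation, the smb.conf fragment below for a domain member puts the two idmap backends argued about above side by side, together with the SMBv1 settings Rowland names. The domain name SAMDOM, the realm, and the ID ranges are assumptions; the option names are the real Samba parameters.

```ini
# Added example for a Samba domain member; not from the thread.
# SAMDOM, the realm and the ranges are assumptions.
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS
   winbind use default domain = yes

   # Default backend for the '*' domain (BUILTIN and any other SIDs
   # not covered by a domain-specific block).
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Option A: rid backend. The Unix ID is computed from the RID plus
   # the range start, so nothing is stored in AD. Members with the same
   # range get the same IDs; a rebuilt server gets the same IDs only if
   # this block is copied exactly, and changing the range changes the
   # ownership of every file.
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999

   # Option B: ad backend (use instead of Option A). IDs come from the
   # uidNumber/gidNumber attributes stored in AD, so every member and a
   # rebuilt server read the same IDs back from the DCs. Every user and
   # group that needs a Unix ID must have those attributes set.
   #idmap config SAMDOM : backend = ad
   #idmap config SAMDOM : schema_mode = rfc2307
   #idmap config SAMDOM : range = 10000-999999
   #idmap config SAMDOM : unix_nss_info = yes

   # Only if an SMBv1 client still has to connect (Samba 4.11.0 and
   # later disable SMBv1 by default).
   #server min protocol = NT1
   #client min protocol = NT1
```

Whichever backend is chosen, the domain block and the '*' block must not overlap in range, and after changing the backend the local idmap cache has to be cleared and the mappings checked with `wbinfo -i` against a few known users before letting clients reconnect.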


