[Samba] accessing foreign AD users to NT domain

Piviul piviul at riminilug.it
Tue Aug 25 07:28:28 UTC 2020


Rowland penny via samba wrote on 24/08/20 at 17:39:
> [...]
> As far as I am aware, SMBv1 is still readily available on Win7, but from 
> Samba 4.11.0, it is now disabled on Samba, so if you must use SMBv1, you 
> will need to set:
> 
> client min protocol = NT1
> 
> server min protocol = NT1
> 
> in smb.conf

ok, the samba server I'm using as a test has samba 4.5.16-Debian installed 
and these are the global parameters of the smb.conf (after adding the 
client/server min protocol):
> # Global parameters
> [global]
> 	server string = %h server
> 	workgroup = DOMINIOCSA
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	allow insecure wide links = Yes
> 	panic action = /usr/share/samba/panic-action %d
> 	printcap name = cups
> 	client min protocol = NT1
> 	server min protocol = NT1
> 	unix extensions = No
> 	allow trusted domains = No
> 	client ipc signing = if_required
> 	client signing = if_required
> 	map to guest = Bad User
> 	obey pam restrictions = Yes
> 	pam password change = Yes
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	passwd program = /usr/bin/passwd %u
> 	security = DOMAIN
> 	server signing = if_required
> 	unix password sync = Yes
> 	template shell = /bin/bash
> 	winbind cache time = 1
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind use default domain = Yes
> 	dns proxy = No
> 	wins server = 192.168.70.2
> 	idmap config * : range = 25000-30000
> 	idmap config dominiocsa : range = 10000-25000
> 	idmap config dominiocsa : backend = rid
> 	idmap config * : backend = tdb
> 	map archive = No
> 	map acl inherit = Yes
> 	inherit acls = Yes
> 	invalid users = root

when a user of the AD domain tries to access a share of this server 
(even accessing using the IP instead of the name) the authentication 
fails even if the user has the same credentials in both domains...

The win10 client has smbv1 client enabled...

Piviul
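
A check of what the two "min protocol" lines discussed above change on a given Samba version, as an added example that is not part of the original message or of Samba's own code. The built-in defaults in `default_min` (CORE/LANMAN1 before 4.11, SMB2_02 from 4.11) are assumptions taken from the Samba release notes, not from this thread, and the function names are hypothetical.

```python
import re

# Dialects Samba groups under SMB1 and older (names as used in smb.conf).
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

def default_min(version):
    """(client, server) built-in min protocol; values are assumptions (see lead-in)."""
    major_minor = tuple(int(x) for x in version.split(".")[:2])
    return ("SMB2_02", "SMB2_02") if major_minor >= (4, 11) else ("CORE", "LANMAN1")

def parse_global(text):
    """Return the [global] parameters, tolerating '> ' mail-quote prefixes."""
    params, section = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^\s*>\s?", "", raw).strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # normalise case and whitespace runs
            if key == "min protocol":            # synonym of "server min protocol"
                key = "server min protocol"
            params[key] = value.strip()
    return params

def smb1_report(text, version):
    """Per side: effective min protocol, whether it was set, whether SMB1 is accepted."""
    params = parse_global(text)
    report = {}
    for side, default in zip(("client", "server"), default_min(version)):
        key = f"{side} min protocol"
        value = params.get(key, default).upper()
        report[side] = {"min": value, "explicit": key in params,
                        "smb1_allowed": value in SMB1_DIALECTS}
    return report

# Constructed sample: a subset of the configuration quoted in the message.
SAMPLE = """> [global]
> \tworkgroup = DOMINIOCSA
> \tclient min protocol = NT1
> \tserver min protocol = NT1
> \tsecurity = DOMAIN
"""

if __name__ == "__main__":
    for ver in ("4.5.16-Debian", "4.11.0"):
        print(ver, smb1_report(SAMPLE, ver))
```

Under those assumed defaults, SMB1 is already accepted on 4.5.16 with or without the two lines, while on 4.11.0 they are what re-enables it.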


