[Samba] accessing foreign AD users to NT domain
Rowland penny
rpenny at samba.org
Tue Aug 25 10:21:41 UTC 2020
On 25/08/2020 08:28, Piviul via samba wrote:
> Rowland penny via samba wrote on 24/08/20 at 17:39:
>> [...]
>> As far as I am aware, SMBv1 is still readily available on Win7, but
>> from Samba 4.11.0, it is now disabled on Samba, so if you must use
>> SMBv1, you will need to set:
>>
>> client min protocol = NT1
>>
>> server min protocol = NT1
>>
>> in smb.conf
>
> ok, the samba server I'm using as test has samba 4.5.16-Debian
> installed and these are the global parameters of the smb.conf (after
> adding the client/server min protocol):
>> # Global parameters
>> [global]
>> server string = %h server
>> workgroup = DOMINIOCSA
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> allow insecure wide links = Yes
>> panic action = /usr/share/samba/panic-action %d
>> printcap name = cups
>> client min protocol = NT1
>> server min protocol = NT1
>> unix extensions = No
>> allow trusted domains = No
>> client ipc signing = if_required
>> client signing = if_required
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> pam password change = Yes
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>> passwd program = /usr/bin/passwd %u
>> security = DOMAIN
>> server signing = if_required
>> unix password sync = Yes
>> template shell = /bin/bash
>> winbind cache time = 1
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind use default domain = Yes
>> dns proxy = No
>> wins server = 192.168.70.2
>> idmap config * : range = 25000-30000
>> idmap config dominiocsa : range = 10000-25000
>> idmap config dominiocsa : backend = rid
>> idmap config * : backend = tdb
>> map archive = No
>> map acl inherit = Yes
>> inherit acls = Yes
>> invalid users = root
>
> when a user of the AD domain tries to access a share of this server
> (even accessing using the IP instead of the name) the authentication
> fails even if the user has the same credentials in both domains...
>
> The win10 client has smbv1 client enabled...
>
> Piviul
>
Try adding 'ntlm auth = yes' to the smb.conf; it defaulted to 'no' at 4.5.0
Rowland
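
Added example, not part of the original message and not Samba project code: a small Python check that reads the [global] section of an smb.conf and reports whether SMBv1 and NTLMv1 are effectively enabled for a given Samba version. The function names are hypothetical, and the version-dependent defaults are assumptions taken from the statements in this thread (SMBv1 disabled by default from 4.11.0, 'ntlm auth' defaulting to 'no' from 4.5.0).

```python
import re

PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}  # NT1 = SMBv1
NTLMV1_ON = {"yes", "true", "on", "1", "ntlmv1-permitted"}    # values enabling NTLMv1

def parse_global(text):
    """Return {name: value} for [global]. smb.conf ignores case and
    whitespace in parameter names, so names are normalised the same way."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            section = head.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def effective(text, version):
    """Effective legacy settings for a Samba `version` tuple, using the
    default changes stated in the thread (assumption: 4.11.0 and 4.5.0)."""
    p = parse_global(text)
    smb1_default = version < (4, 11, 0)  # SMBv1 disabled by default from 4.11.0
    ntlm_default = version < (4, 5, 0)   # 'ntlm auth' defaults to 'no' from 4.5.0

    def smb1(key):
        return p[key].upper() in PRE_SMB2 if key in p else smb1_default

    return {
        "server_smb1": smb1("serverminprotocol"),
        "client_smb1": smb1("clientminprotocol"),
        "ntlmv1": p["ntlmauth"].lower() in NTLMV1_ON if "ntlmauth" in p else ntlm_default,
    }

# Constructed sample: a few lines taken from the smb.conf quoted above.
SAMPLE = """\
# Global parameters
[global]
    workgroup = DOMINIOCSA
    client min protocol = NT1
    server min protocol = NT1
    security = DOMAIN
"""

if __name__ == "__main__":
    print(effective(SAMPLE, (4, 5, 16)))                              # as posted
    print(effective(SAMPLE + "    ntlm auth = yes\n", (4, 5, 16)))    # with the suggested line
```

Both settings widen what the server accepts, so the same check is useful later for confirming they have been removed once the legacy domain is retired.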