[Samba] accessing foreign AD users to NT domain

Rowland penny rpenny at samba.org
Tue Aug 25 10:21:41 UTC 2020


On 25/08/2020 08:28, Piviul via samba wrote:
> Rowland penny via samba wrote on 24/08/20 at 17:39:
>> [...]
>> As far as I am aware, SMBv1 is still readily available on Win7, but 
>> from Samba 4.11.0, it is now disabled on Samba, so if you must use 
>> SMBv1, you will need to set:
>>
>> client min protocol = NT1
>>
>> server min protocol = NT1
>>
>> in smb.conf
>
> ok, the samba server I'm using as test has samba 4.5.16-Debian 
> installed and these are the global parameters of the smb.conf (after 
> adding the client/server min protocol):
>> # Global parameters
>> [global]
>>     server string = %h server
>>     workgroup = DOMINIOCSA
>>     log file = /var/log/samba/log.%m
>>     max log size = 1000
>>     allow insecure wide links = Yes
>>     panic action = /usr/share/samba/panic-action %d
>>     printcap name = cups
>>     client min protocol = NT1
>>     server min protocol = NT1
>>     unix extensions = No
>>     allow trusted domains = No
>>     client ipc signing = if_required
>>     client signing = if_required
>>     map to guest = Bad User
>>     obey pam restrictions = Yes
>>     pam password change = Yes
>>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>     passwd program = /usr/bin/passwd %u
>>     security = DOMAIN
>>     server signing = if_required
>>     unix password sync = Yes
>>     template shell = /bin/bash
>>     winbind cache time = 1
>>     winbind enum groups = Yes
>>     winbind enum users = Yes
>>     winbind use default domain = Yes
>>     dns proxy = No
>>     wins server = 192.168.70.2
>>     idmap config * : range = 25000-30000
>>     idmap config dominiocsa : range = 10000-25000
>>     idmap config dominiocsa : backend = rid
>>     idmap config * : backend = tdb
>>     map archive = No
>>     map acl inherit = Yes
>>     inherit acls = Yes
>>     invalid users = root
>
> when a user of the AD domain tries to access a share of this server 
> (even accessing using the IP instead of the name) the authentication 
> fails even if the user has the same credentials in both domains...
>
> The win10 client has smbv1 client enabled...
>
> Piviul
>
Try adding 'ntlm auth = yes' to the smb.conf; it defaulted to 'no' at 4.5.0

Rowland
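
An added example, not part of the original message and not Samba's own tooling: a small Python check that reads the [global] section of an smb.conf and reports the legacy settings discussed in this thread (SMB1-era minimum protocols and 'ntlm auth = yes'), so they can be found again and reverted after testing. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Dialect names older than SMB2; all of them belong to the SMBv1 era.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUTHY = {"yes", "true", "on", "1"}

def norm(name):
    """smb.conf names ignore case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                          # blank line or comment
        line, pending = pending + stripped, ""
        if line.endswith("\\"):               # trailing backslash continues the line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(name)] = value.strip()
    return params

def legacy_findings(text):
    """List the settings that re-enable SMBv1 dialects or NTLMv1 authentication."""
    params, findings = parse_global(text), []
    for key in ("client min protocol", "server min protocol"):
        value = params.get(norm(key), "")
        if value.upper() in SMB1_DIALECTS:
            findings.append(f"{key} = {value}: SMBv1 dialects allowed")
    ntlm = params.get("ntlmauth", "").lower()
    if ntlm in TRUTHY or ntlm == "ntlmv1-permitted":
        findings.append(f"ntlm auth = {ntlm}: NTLMv1 responses accepted")
    return findings

# Constructed sample modelled on the settings named in this thread.
SAMPLE = """
# Global parameters
[global]
    workgroup = EXAMPLE
    client min protocol = NT1
    Server Min Protocol = nt1
    ntlm auth = yes
"""

if __name__ == "__main__":
    print("\n".join(legacy_findings(SAMPLE)) or "no legacy settings found")
```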




