[Samba] accessing foreign AD users to NT domain
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 26 09:48:55 UTC 2020
That is because.. You're not sending the DOMAIN\username but COMPUTER\username, so access denied.
I know it's something like that in the background, but I don't code "Windows" ;-)
So, this is the only part I use:
net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username%
net use k: \\server.fqdn.tld\share /persistent:yes /user:ADDOM\%username%
Stop using:
\\hostname\share
This only works if and due to:
1) the search/primary domain is the same on the PC and servers.
2) NetBIOS resolving works (or due to dns proxy = yes) and/or due to a working LLMNR setup (default in Windows 10).
Do read : https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials
\\IP\share
Only works well if..
1) the PTR record is registered to the correct "hostname.FQDN.TLD"
So, only use:
\\host.fqdn.tld\share for all servers
For all of the above you need A + PTR for a good working Kerberos setup.
How to use your Samba shares and setups, due to all the new security things in Windows..
Follow these rules..
https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
And only use \\host.fqdn.tld\shares
I've been doing this since 2016, after Microsoft advised using it.
It's somewhere in their docs..
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Piviul via samba
> Sent: Wednesday 26 August 2020 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
>
> For anyone who wants to look at the generated log, I'm adding a small legend:
> ZIZI (192.168.70.3) is the Samba server, win7pro-v01
> (192.168.64.12) is the win7 client; also, the AD domain is called
> CSATEST while the NT domain (even though it does not appear in the
> logs) is called DOMINIOCSA.
>
> Piviul
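
The UNC path rules from the reply above, as an added example that is not part of the original mail: a small Python audit that scans a logon script for `net use` lines and flags short hostnames, IP addresses and `/user:` values without a domain. The function names and the sample script are assumptions made for this illustration; the sample reuses the placeholder names and the server IP that appear in the thread.

```python
import ipaddress
import re

# Server and share parts of a UNC path (\\server\share), and the /user: value.
UNC_RE = re.compile(r"\\\\([^\\\s]+)\\([^\\\s]+)")
USER_RE = re.compile(r"/user:(\S+)", re.IGNORECASE)


def classify_server(server):
    """Return 'ip', 'short' (single-label name) or 'fqdn' for a UNC server part."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        pass
    return "fqdn" if "." in server.strip(".") else "short"


def audit_net_use(script_text):
    """Return (line_no, problem) tuples for `net use` lines that break the rules."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), start=1):
        if not re.match(r"\s*net\s+use\b", line, re.IGNORECASE):
            continue
        unc = UNC_RE.search(line)
        if not unc:
            continue
        kind = classify_server(unc.group(1))
        if kind == "short":
            findings.append((no, "short hostname: relies on search domain or NetBIOS/LLMNR"))
        elif kind == "ip":
            findings.append((no, "IP address: relies on a correct PTR record"))
        user = USER_RE.search(line)
        # DOMAIN\user carries the domain; user@realm (UPN form) does as well.
        if user and "\\" not in user.group(1) and "@" not in user.group(1):
            findings.append((no, "/user: value has no DOMAIN\\ prefix"))
    return findings


# Constructed sample logon script (not taken from the thread's logs).
SAMPLE = r"""net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username%
net use h: \\hostname\share /persistent:yes
net use i: \\192.168.70.3\share /user:%username%"""

if __name__ == "__main__":
    for no, problem in audit_net_use(SAMPLE):
        print(f"line {no}: {problem}")
```
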