[Samba] accessing foreign AD users to NT domain

L.P.H. van Belle belle at bazuin.nl
Wed Aug 26 09:48:55 UTC 2020

That is because.. You're not sending the DOMAIN\username but COMPUTER\username, so access denied. 
I know it's something like that in the background, but I don't code "Windows" ;-) 

So, this is the only part I use: 

net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username% 
net use k: \\server.fqdn.tld\share /persistent:yes /user:ADDOM\%username% 

Stop using : 

This only works if and due. 
1) the search/primary domain is the same on PC and servers. 
2) NetBIOS resolving works (or due to dns proxy = yes) and/or due to a working LLMNR setup (default in Windows 10). 
  Do read: https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials 

Only works well if.. 
1) the PTR record is registered to the correct "hostname.FQDN.TLD" 

So, only use : 
\\host.fqdn.tld\share for all servers

For all of the above you need A + PTR for a good working Kerberos setup.

How to use your Samba shares and setups, due to all the new security things in Windows.. 

Follow these rules.. 

And only use \\host.fqdn.tld\shares 

I've been doing this since 2016, after Microsoft advised to use it. 
It's somewhere in their docs.. 




> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Piviul via samba
> Sent: Wednesday, 26 August 2020 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
> For anyone who wants to look at the generated log, I am adding a short legend: 
> ZIZI ( is the samba server, win7pro-v01 ( is the win7 client; in addition, the AD 
> domain is called CSATEST, while the NT domain (although it does not appear in the 
> logs) is called DOMINIOCSA.
> Piviul
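
A small check for the rules given in this message, added here as an example (not code from the original post or from the Samba project): it scans `net use` lines and flags UNC paths that are not of the form `\\host.fqdn.tld\share` and `/user:` values without a `DOMAIN\` prefix. The function names and the second and third sample lines are constructed for illustration.

```python
import ipaddress
import re

# `net use`, optional drive letter, then \\host\share and the remaining options.
NET_USE = re.compile(r'^\s*net\s+use\s+(?:\S+\s+)?\\\\([^\\\s]+)\\(\S+)(.*)$', re.I)
USER_OPT = re.compile(r'/user:(\S+)', re.I)

def check_net_use(line):
    """Return findings for one `net use` line; an empty list means it follows the rules."""
    m = NET_USE.match(line)
    if not m:
        return ["no UNC path found on this net use line"]
    host, _share, options = m.groups()
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("IP address in UNC path, use \\\\host.fqdn.tld\\share")
    except ValueError:
        if "." not in host:
            # Short names depend on the search domain or NetBIOS/LLMNR resolution.
            findings.append("short host name, use \\\\host.fqdn.tld\\share")
    user = USER_OPT.search(options)
    # Assumption: user@domain is also treated as domain-qualified.
    if user and "\\" not in user.group(1) and "@" not in user.group(1):
        findings.append("/user: value has no DOMAIN\\ prefix")
    return findings

def audit(lines):
    """Map 1-based line number -> findings for every non-compliant `net use` line."""
    report = {}
    for number, line in enumerate(lines, 1):
        if line.strip().lower().startswith("net use"):
            findings = check_net_use(line)
            if findings:
                report[number] = findings
    return report

# First line is from the message above; the other two are constructed samples.
SAMPLE = [
    r"net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username%",
    r"net use h: \\server\share /persistent:yes /user:%username%",
    r"net use i: \\192.0.2.10\share /user:ADDOM\%username%",
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE).items():
        print(number, "; ".join(findings))
```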
