[Samba] accessing foreign AD users to NT domain

L.P.H. van Belle belle at bazuin.nl
Wed Aug 26 13:41:30 UTC 2020


Hai, 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Piviul via samba
> Sent: Wednesday 26 August 2020 14:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] accessing foreign AD users to NT domain
> 
> L.P.H. van Belle via samba wrote on 26/08/20 at 11:48:
> > That is because.. You're not sending the DOMAIN\username but 
> > COMPUTER\username, so access denied.
> Why you say that? I didn't use the /user option at all; the 
> log I sent has been generated running the following command:
> net use g: \\IP\share /persistent:yes
That's exactly what I see. 
This:  net use g: \\IP\share /persistent:yes

Used COMPUTERNAME\username at REALM or DOM\USER at COMPUTERNAME 
and not DOM\user at REALM.
That's what I mean, and if you look closely at your logs you will see this also. 

> 
> Anyway nothing change if I use
> net use g: \\F.Q.D.N.\share /persistent:yes
> 
> Furthermore, if I use the option /user:NT4DOM\%username% the net use 
> command completes successfully; if I use 
> /user:ADDOM\%username% it doesn't, 
> that's all.

Ah, OK, I understand. 

> 
> 
> > [...]
> > \\hostname\share
> > This only works if and due.
> > 1) the search/primary domain is same in pc and servers.
> > 2) netbios resolving works ( or due dns proxy = yes ) 
> > and/or due a working LLMNR setup. (default in windows 10)
> >    Do read : 
> > https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials
> that's not so simple, network users are used to accessing shares 
> by browsing the network, and Windows doesn't show the FQDN when browsing the network...

Which is going to be 
1) a problem in the future.
2) a security risk.
3) users should not browse and should have drive mappings.. 
But.. I'm not controlling your network, you do, just my opinion. 


> 
> 
> > [...] 
> > Follow these rules..
> > 
> > https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
> > 
> > And only use \\host.fqdn.tld\shares
> ok, I'll remember.

The longer you wait with changing these setups, the more problems you will hit in the future.
Not because I'm saying this.. Because

Microsoft is enforcing more security.
Google is enforcing more security. 
  like how you set up your certificate chains; it must have an intermediate cert in the latest Chrome versions. 

Basically all big companies are doing it now, I think a bit late.. 
But better late than never.. 

 
Greetz, 

Louis

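To make the advice in this thread concrete (map by FQDN only and send an explicit DOMAIN\user, so the client never falls back to NetBIOS/LLMNR or to COMPUTERNAME\user), here is an added PowerShell example; it is not from this thread or from Samba, and the host, share and domain names are placeholders:

```powershell
# Added example, not from the mailing-list thread. Placeholder names:
# fs01.ad.example.tld (file server), "data" (share), ADDOM (AD domain).
function Connect-ShareByFqdn {
    param(
        [Parameter(Mandatory)] [string] $ServerFqdn,
        [Parameter(Mandatory)] [string] $ShareName,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $DriveLetter = 'G'
    )

    # A name without a dot is a short name: Windows would try the DNS suffix
    # search list, then LLMNR/NetBIOS, which is exactly what the thread warns
    # about (credential disclosure to whoever answers the multicast query).
    if ($ServerFqdn -notmatch '^[^.]+\.[^.]+') {
        throw "Refusing short name '$ServerFqdn'; use host.fqdn.tld"
    }

    # Resolve via DNS only, so a typo or a missing A record fails here instead
    # of being silently "fixed" by LLMNR or NetBIOS broadcast resolution.
    $null = Resolve-DnsName -Name $ServerFqdn -Type A -DnsOnly -ErrorAction Stop

    # Build DOMAIN\user explicitly so the client sends DOM\user at REALM and
    # not COMPUTERNAME\user (the "access denied" case from the logs).
    $cred = Get-Credential -UserName "$Domain\$UserName" `
                           -Message "Password for $Domain\$UserName"

    # Persistent mapping by UNC path with the FQDN, never \\hostname\share.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
        -Root "\\$ServerFqdn\$ShareName" -Credential $cred -Persist -Scope Global
}

# Usage with the placeholder values:
# Connect-ShareByFqdn -ServerFqdn 'fs01.ad.example.tld' -ShareName 'data' `
#                     -Domain 'ADDOM' -UserName $env:USERNAME
```

Because the function refuses short names and resolves with -DnsOnly, a mapping that only worked via NetBIOS browsing fails loudly here, which is the behaviour you want before rolling out drive mappings instead of network browsing.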