[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?
Harald Hannelius
harald+samba at arcada.fi
Thu Jun 4 12:49:02 UTC 2020
We have a Windows domain "AD" and a Samba domain "SAD" running Samba 4.9 in
AD mode.
We also have an old NT4 domain called "Samba" running Samba 3.6 + OpenLDAP.
We have the same users and passwords in all three. The user objects in the
"SAD"-domain have the same uidNumber as in the "Samba"-domain.
Workstations and users log on to the Windows domain "AD".
Previously users mapped their home drive from the NT4 domain "Samba", running
Samba 3.6 + OpenLDAP. In order for this to go smoothly we were using the
option "map untrusted to domain = yes", so the users from the "AD" domain
were able to map their drives from the "Samba" domain without entering
their passwords.
Now we would like the users in the Windows domain "AD" to map their
home drive from a fileserver in the "SAD" domain.
Question 1)
Is this possible anymore? The option "map untrusted to domain" doesn't seem
to exist anymore.
Question 2)
Does a Windows client behave differently when speaking to an NT4 domain or an
AD domain in how it tries passwords? I have a feeling that users in the
"AD" domain didn't need to (manually at least) enter any passwords to get
their drives mapped from the "Samba" domain. "It just worked."
Question 3)
If I enabled a trust between "AD" and "SAD", would users trying to access
files on a Samba fileserver be mapped to the uidNumber in the "SAD" DS? Or would
they be mapped to something else entirely? It seems I'm not really understanding
idmap and identities.
Many thanks for your time!
The fileserver:
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
disable spoolss = Yes
kerberos method = secrets and keytab
load printers = No
printcap name = /dev/null
realm = SAD.ARCADA.FI
security = ADS
username map = /etc/samba/user.map
utmp = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = SAD
idmap config sad:unix_primary_group = yes
idmap config sad:unix_nss_info = yes
idmap config sad:range = 500-4000000
idmap config sad:schema_mode = rfc2307
idmap config sad:backend = ad
idmap config * : range = 5000000-9000000
idmap config * : backend = tdb
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
[homes]
browseable = No
comment = Home Directories
create mask = 0604
directory mask = 0705
force directory mode = 0705
read only = No
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
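Added example, not part of the post: a small Python check that reads the idmap lines from the smb.conf above and reports which backend and range winbind applies to a given domain, and whether any configured ranges overlap (winbind refuses to start on overlapping ranges). A domain with no `idmap config <dom>:` lines of its own, which is the case for any trusted domain not named in the file, falls to the `*` default; the domain names and ranges here are the post's, and the checker itself is an assumption of this example.

```python
import re

# idmap lines copied from the post's [global] section (constructed input for this example).
SMB_CONF = """
[global]
workgroup = SAD
idmap config sad:unix_primary_group = yes
idmap config sad:unix_nss_info = yes
idmap config sad:range = 500-4000000
idmap config sad:schema_mode = rfc2307
idmap config sad:backend = ad
idmap config * : range = 5000000-9000000
idmap config * : backend = tdb
"""

# Matches "idmap config <domain> : <option> = <value>"; domain may be "*" and may have
# spaces around the colon, as in the post.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line (keys lowercased)."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).lower(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text):
    """'500-4000000' -> (500, 4000000)."""
    lo, hi = (int(x) for x in text.split("-", 1))
    return lo, hi


def backend_for(domains, domain):
    """Backend and range winbind uses for a domain: its own block if present, else the '*' default."""
    cfg = domains.get(domain.lower()) or domains["*"]
    return cfg["backend"], parse_range(cfg["range"])


def overlapping_ranges(domains):
    """Pairs of idmap domains whose ranges overlap; an empty list means the config is consistent."""
    ranges = [(d, parse_range(c["range"])) for d, c in domains.items() if "range" in c]
    return [(a, b) for i, (a, ra) in enumerate(ranges) for b, rb in ranges[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]
```

With the post's config, "SAD" resolves to the `ad` backend (uidNumber read from the directory, and only honoured if it lies inside 500-4000000), while any other domain, including a trusted "AD", lands in the `tdb` default and gets an allocated id from 5000000-9000000.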