[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?

Harald Hannelius harald+samba at arcada.fi
Thu Jun 4 12:49:02 UTC 2020

We have a windows domain "AD" and a samba domain "SAD" running Samba 4.9 in 

We also have an old NT4 domain called "Samba" running Samba 3.6 + OpenLDAP.

We have the same users and passwords in all three. The user objects in the 
"SAD"-domain have the same uidNumber as in the "Samba"-domain.

Workstations and users log on to the windows domain "AD".

Previously users mapped their homedrive from the NT4-domain "Samba", running 
samba 3.6 + OpenLDAP. In order for this to go smoothly we where using the 
option "map untrusted to domain = yes" so the users from the "AD"-domain 
where able to map their drives from the "Samba" domain without entering 
their passwords.

Now we would like the users in the Windows domain "AD" to map their 
homedrive from a fileserver in the "SAD" domain.

Question 1)
Is this possible anymore? The option "map untrusted to domain" doesn't seem 
to exist anymore.

Question 2)
Does a windows client behave differently when speaking to a NT4-domain or an
AD-domain in how they try passwords? I have a feeling that users in the 
"AD"-domain didn't need to (manually at least) enter any passwords to get 
their drives mapped from the "Samba" domain. "It just worked".

Question 3)
If I would enable trust between "AD" and "SAD", would users trying to access 
files on a Samba fileserver be mapped to the uidNumber in "SAD" DS? Or would 
they be mapped to something entirely else? I'm not really understanding the 
idmap and identities it seems.

Many thanks for your time!

The fileserver:

# Global parameters
 	dedicated keytab file = /etc/krb5.keytab
 	disable spoolss = Yes
 	kerberos method = secrets and keytab
 	load printers = No
 	printcap name = /dev/null
 	realm = SAD.ARCADA.FI
 	security = ADS
 	username map = /etc/samba/user.map
 	utmp = Yes
 	winbind enum groups = Yes
 	winbind enum users = Yes
 	winbind refresh tickets = Yes
 	winbind use default domain = Yes
 	workgroup = SAD
 	idmap config sad:unix_primary_group = yes
 	idmap config sad:unix_nss_info = yes
 	idmap config sad:range = 500-4000000
 	idmap config sad:schema_mode = rfc2307
 	idmap config sad:backend = ad
 	idmap config * : range = 5000000-9000000
 	idmap config * : backend = tdb
 	map acl inherit = Yes
 	printing = bsd
 	vfs objects = acl_xattr

 	browseable = No
 	comment = Home Directories
 	create mask = 0604
 	directory mask = 0705
 	force directory mode = 0705
 	read only = No


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020

More information about the samba mailing list