[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?

Rowland penny rpenny at samba.org
Thu Jun 4 13:11:03 UTC 2020


On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>
>
> We have a windows domain "AD" and a samba domain "SAD" running Samba 
> 4.9 in AD-mode.
>
> We also have an old NT4 domain called "Samba" running Samba 3.6 + 
> OpenLDAP.
>
> We have the same users and passwords in all three. The user objects in 
> the "SAD"-domain have the same uidNumber as in the "Samba"-domain.
>
> Workstations and users log on to the windows domain "AD".
>
> Previously users mapped their homedrive from the NT4-domain "Samba", 
> running samba 3.6 + OpenLDAP. In order for this to go smoothly we 
> were using the option "map untrusted to domain = yes" so the users 
> from the "AD"-domain were able to map their drives from the "Samba" 
> domain without entering their passwords.
>
> Now we would like the users in the Windows domain "AD" to map their 
> homedrive from a fileserver in the "SAD" domain.
>
> Question 1)
> Is this possible anymore? The option "map untrusted to domain" doesn't 
> seem to exist anymore.
It was removed at 4.8.0
>
> Question 2)
> Does a windows client behave differently when speaking to a NT4-domain 
> or an
> AD-domain in how they try passwords? I have a feeling that users in 
> the "AD"-domain didn't need to (manually at least) enter any passwords 
> to get their drives mapped from the "Samba" domain. "It just worked".
An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer 
wants you to use. The latest Samba versions use a minimum of SMBv2 by 
default.
>
> Question 3)
> If I would enable trust between "AD" and "SAD", would users trying to 
> access files on a Samba fileserver be mapped to the uidNumber in "SAD" 
> DS? Or would they be mapped to something entirely else? I'm not really 
> understanding the idmap and identities it seems.
No, you would have to give one set of users new uidNumbers and create 
another 'idmap config' block in smb.conf. You could use autorid instead, 
but this would mean totally new IDs everywhere.

Rowland
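As an added illustration of the answer above (this is not configuration from the original thread or from the poster's servers), here is what the idmap section of smb.conf on the "SAD" fileserver could look like when it must serve users from both the "SAD" domain and the trusted "AD" domain. The two domain blocks use disjoint ranges, and only the "SAD" block reads uidNumber from the directory; the ranges, the choice of the rid backend for "AD", and the autorid values in the alternative are assumptions, not settings stated on the page.

```ini
# Added example, not the poster's smb.conf: per-domain idmap blocks.
[global]
   workgroup = SAD
   security = ADS
   # Default block for BUILTIN and anything not matched below (assumed range).
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   # "SAD" users keep the uidNumber stored in the SAD directory (rfc2307).
   idmap config SAD : backend = ad
   idmap config SAD : schema_mode = rfc2307
   idmap config SAD : range = 10000-999999
   # "AD" users get deterministic IDs derived from their SID RID, in a
   # range that does not overlap the SAD range (assumed values).
   idmap config AD : backend = rid
   idmap config AD : range = 1000000-1999999

# Alternative, as Rowland notes: a single autorid block covering every
# domain. IDs are allocated per domain in rangesize-sized slices and no
# longer match the uidNumbers in the directory (assumed values).
# [global]
#    idmap config * : backend = autorid
#    idmap config * : range = 1000000-19999999
#    idmap config * : rangesize = 1000000
```

After editing, `testparm -s` shows whether the ranges parse and overlap, and `wbinfo -i 'AD\someuser'` versus `wbinfo -i 'SAD\someuser'` shows which range each domain's users actually land in before any shares are exposed.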
