[Samba] Is Samba 4.9 and "map untrusted to domain" possible anymore?

Harald Hannelius harald+samba at arcada.fi
Thu Jun 4 13:46:44 UTC 2020

On Thu, 4 Jun 2020, Rowland Penny via samba wrote:
> On 04/06/2020 13:49, Harald Hannelius via samba wrote:
>> Question 2)
>> Does a Windows client behave differently when speaking to a NT4-domain or
>> an AD-domain in how they try passwords? I have a feeling that users in the
>> "AD"-domain didn't need to (manually at least) enter any passwords to get
>> their drives mapped from the "Samba" domain. "It just worked".
> An NT4-style domain relies on SMBv1 which Windows (and Samba) no longer wants 
> you to use. The latest Samba versions use a minimum of SMBv2 by default.

Thanks, now I remember.

>> Question 3)
>> If I would enable trust between "AD" and "SAD", would users trying to 
>> access files on a Samba fileserver be mapped to the uidNumber in "SAD" DS? 
>> Or would they be mapped to something entirely else? I'm not really 
>> understanding the idmap and identities it seems.
> No, you would have to give one set of users new uidNumbers and create another 
> 'idmap config' block in smb.conf. You could use autorid instead, but this 
> would mean totally new IDs everywhere.

So the best way for me would be to implement the RFC2307/SFU schema in the 
Windows AD "AD", add the same uidNumber for every user in "AD" as they had 
in the old "Samba" domain, and then just join the fileservers to the "AD" 

Then I change the map-range to be like it was for the "SAD" domain.

It's more like migrating filesystems with users and groups tied to files 
than just migrating users.


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
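
The following is an added example, not part of the message above and not Samba project code. Files on the file servers are owned by numeric IDs, so a uidNumber that changes or is handed to a different account during the move to "AD" changes who owns those files, and the idmap "ad" backend ignores IDs outside the configured range. The sketch audits a planned uidNumber carry-over before the join; the account names, numbers and the range are constructed, and it assumes both domains have been exported as account name to uidNumber.

```python
# Constructed sample data: account name -> uidNumber, as exported from the
# old Samba domain ("SAD") and from the Windows AD ("AD") after the RFC2307
# attributes were filled in. All names and numbers are made up.
OLD_SAD = {"alice": 10001, "bob": 10002, "carol": 10003, "dave": 10004}
NEW_AD = {"alice": 10001, "bob": 10020, "carol": 10003, "erin": 10002,
          "frank": 500}

# Assumed value of the "idmap config AD : range" setting on the file servers.
IDMAP_RANGE = (10000, 19999)


def audit_uid_migration(old, new, id_range):
    """Compare old and new uidNumber assignments; return findings by type."""
    low, high = id_range
    findings = {"missing": [], "changed": [], "out_of_range": [], "reused": []}

    # Reverse view of the old domain: which account owned each uidNumber.
    old_owner = {uid: user for user, uid in old.items()}

    for user, uid in sorted(old.items()):
        if user not in new:
            # Files owned by this uid would have no matching account.
            findings["missing"].append(user)
        elif new[user] != uid:
            # The account would lose ownership of its existing files.
            findings["changed"].append((user, uid, new[user]))

    for user, uid in sorted(new.items()):
        if not low <= uid <= high:
            # Outside the range the mapping is discarded by the backend.
            findings["out_of_range"].append((user, uid))
        prev = old_owner.get(uid)
        if prev is not None and prev != user:
            # A different account would inherit the previous owner's files.
            findings["reused"].append((user, uid, prev))
    return findings


if __name__ == "__main__":
    report = audit_uid_migration(OLD_SAD, NEW_AD, IDMAP_RANGE)
    for kind, items in report.items():
        for item in items:
            print(kind, item)
```

An empty report for every category is the condition under which existing file ownership carries over unchanged.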
