[Samba] samba as a domain member: a way to ignore groups?

Rowland Penny rpenny at samba.org
Fri Apr 5 15:20:40 UTC 2024


On Fri, 5 Apr 2024 18:01:58 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 05.04.2024 17:50, Rowland Penny via samba:
> > On Fri, 5 Apr 2024 17:24:33 +0300
> > Michael Tokarev <mjt at tls.msk.ru> wrote:
> > 
> >> 05.04.2024 17:16, Rowland Penny via samba wrote:
> >>> On Fri, 5 Apr 2024 16:43:42 +0300
> >>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi!
> >>>>
> >>>> We had stand-alone anonymous samba server serving a read-only
> >>>> share as guest account.  It worked well but had a few strange
> >>>> issues (like lots of noise in logs about bad smb2 signature).
> >>>>
> >>>> It's been suggested to switch to a domain member server.  I didn't
> >>>> see the point since we don't need different user IDs and security
> >>>> model, but okay, - I joined a new server to a domain.
> >>>
> >>> Just one other thing, as far as I can see, no one on the list said
> >>> use a Unix domain member, they just suggested using a valid
> >>> username and password on your standalone server. Something like
> >>> 'sambauser%sambapass'
> >>
> >> It was you who suggested to switch from anonymous server to a
> >> domain member, way earlier, - more than a year ago when I first
> >> asked about how to run an application from a samba share and be
> >> able to update files.
> > 
> > I might have done so, a year ago, in a different context, but in
> > this thread, sharing non critical information (I take it is non
> > critical),
> 
> I don't think I understand what you mean by "non critical".
> I gave the context, where I come from.  We're finally moving to a
> domain member as has been suggested long ago.

I took it that, because you were using a standalone server, the data it
held wasn't super secret (or non critical) and it didn't matter that
anyone could read it (which guest access allows), in which case, to
stop the errors you were getting, using a username and password was the
way to go.

> 
> > you could just use a standalone server with one user 'sambauser' who
> > has the password 'sambapass' and tell everybody. This will stop the
> > annoying log messages.
> 
> Server should not ask for a password, or else there will be *huge*
> support team burden.

Why? If you just tell everybody to use 'sambauser' with the password
'sambapass', it would be virtually the same as guest access.

> 
> Unfortunately all this does not answer my question, - whether it is
> possible to ignore domain groups of domain users.
> 
> Thanks,
> 
> /mjt
> 

The only way that I can think of doing this would be to use the 'ad'
backend on your new Unix domain member. Give Domain Users a gidNumber
and the required users a uidNumber, do not give any other group a
gidNumber, that way they will be ignored.

Rowland
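
The idmap setup described in the reply above, as an added smb.conf sketch that is not part of the original message. The domain name SAMDOM, the realm and the ID ranges are placeholder assumptions and must match the uidNumber/gidNumber values actually stored in AD.

```ini
[global]
    security = ADS
    # Placeholder names (assumptions), replace with the real domain/realm
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM

    # Default domain: BUILTIN and well-known SIDs, allocated locally
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # AD domain: IDs are read from the uidNumber/gidNumber attributes
    # (RFC2307 schema) instead of being generated by winbind.
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    # The range must contain every uidNumber/gidNumber assigned in AD
    # (assumed values here).
    idmap config SAMDOM : range = 10000-999999
    # Take shell and home directory from AD as well
    idmap config SAMDOM : unix_nss_info = yes

    # In AD itself, as the reply describes:
    #   - Domain Users:        set a gidNumber inside the range above
    #   - each required user:  set a uidNumber inside the range above
    #   - every other group:   leave gidNumber unset
```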




