
I'm starting to manually migrate my samba3 (or now samba4 classic) servers into a new samba4 AD domain. (All new servers are running with v4.7.4.) The DCs are running fine and I'm testing my first member server. Works well with Windows 10 domain members, but we won't be adding all clients into the domain just yet.

Our old login scripts that map the drives do create problems now, since the non-domain members try to log in with "LOCALCOMPUTER\username"; passwords are of course the same.

For my old samba 3 PDC, I successfully used map untrusted to domain = yes to solve that problem. I'm now using the new default auto, which will be the only value in 4.8 as far as I understand and it doesn't seem to work as I need it to. AFAIU the member server is supposed to delegate the decision to the DC, which, in case it is unknown, should perform a local authentication. I'm not sure what exactly "local" is (is it the AD or the server?), but it doesn't work here.

By default, and with map untrusted to domain = auto smbd will defer the decision whether the domain name provided by the client is a valid domain name to the Domain Controller (DC) of the domain it is a member of, if it is not a DC. If the DC indicates that the domain portion is unknown, then a local authentication is performed. (man smb.conf v4.7.4)

So in short, is there an easy solution to map all unknown domains to BSS\user? Since I don't have more than this one domain, I don't even mind mapping everything.

DC smb.conf is fairly standard (left out netlogon/sysvol):

[global]
        workgroup = BSS
        realm = BSS.FQDN.EXAMPLE.COM
        netbios name = BARVA
        server role = active directory domain controller
        dns forwarder = 1.2.3.4
        idmap_ldb:use rfc2307 = yes
        time server = yes

Member (file) server, left out the share definitions:

[global]
    workgroup = BSS
    realm = BSS.FQDN.EXAMPLE.COM
    security = ADS

    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind nss info = template
    template shell = /bin/false
    template homedir = /srv/samba/homes/%U

    # https://wiki.samba.org/index.php/Idmap_config_rid#Planning_the_ID_Ranges
    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the domain
    idmap config BSS : backend = rid
    idmap config BSS : range = 10000-999999

    store dos attributes = yes
    vfs objects = acl_xattr
    inherit acls = yes
    map acl inherit = yes

Thanks in advance, Jakob

Jakob Lenfers
  • Did you find a solution? – Francis Apr 09 '18 at 18:20
  • To my surprise, no. Asked at the samba mailinglist, in IRC and here (with a bounty) without any answer at all. Changed stuff in our login scripts, so far I'm fine with that. But confused, the way I want it feels natural to me. – Jakob Lenfers Apr 09 '18 at 18:47
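The post never got an answer, but the two settings it turns on, the idmap ranges and `map untrusted to domain`, are the ones worth checking mechanically before joining a member server. The following is an added example, not code from the post or from the Samba project: a small Python checker that parses an smb.conf `[global]` section, verifies that the idmap ranges are well-formed and non-overlapping (the requirement from the wiki page linked in the question), and classifies the effective `map untrusted to domain` behaviour using the 4.7 man page semantics quoted above (`auto`, the default, defers to the DC; `yes` maps unknown domains to the server's own domain; `no` keeps them local). Both configs below are constructed: `MEMBER_SMB_CONF` mirrors the member server in the question, and `BAD_SMB_CONF` is a deliberately broken variant. The parser is simplified (no `include`, no `%` substitutions, later duplicate keys win).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the member-server [global] section in the post.
MEMBER_SMB_CONF = """
[global]
    workgroup = BSS
    realm = BSS.FQDN.EXAMPLE.COM
    security = ADS
    winbind use default domain = yes

    # https://wiki.samba.org/index.php/Idmap_config_rid#Planning_the_ID_Ranges
    # Default idmap config for local BUILTIN accounts and groups
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # idmap config for the domain
    idmap config BSS : backend = rid
    idmap config BSS : range = 10000-999999
"""

# Constructed variant with two things to flag: the default range overlaps the
# domain range, and map untrusted to domain is pinned to the old samba3 value.
BAD_SMB_CONF = """
[global]
    workgroup = BSS
    security = ADS
    map untrusted to domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 3000-20000
    idmap config BSS : backend = rid
    idmap config BSS : range = 10000-999999
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
IDMAP_RANGE_RE = re.compile(r"^idmap config (.+?) : range$")


def normalize_key(key: str) -> str:
    """smb.conf parameter names are case-insensitive; collapse whitespace and
    normalise the ' : ' separator used by the idmap config parameters."""
    key = re.sub(r"\s*:\s*", " : ", key.strip().lower())
    return re.sub(r"\s+", " ", key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf text into {section: {parameter: value}}.
    '#'/';' comments and blank lines are skipped; a repeated key overrides."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def idmap_ranges(conf: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config <domain> : range'."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        m = IDMAP_RANGE_RE.match(key)
        if not m:
            continue
        r = RANGE_RE.match(value)
        if not r:
            raise ValueError(f"unparseable idmap range for {m.group(1)!r}: {value!r}")
        ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges


def check_idmap_ranges(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings: a default ('*') range must exist, every range must be ordered,
    and no two ranges may overlap, otherwise SIDs from different domains could
    be assigned the same Unix uid/gid."""
    findings: List[str] = []
    ranges = idmap_ranges(conf)
    if "*" not in ranges:
        findings.append("missing 'idmap config * : range' (default range for BUILTIN/local accounts)")
    for dom, (lo, hi) in ranges.items():
        if lo > hi:
            findings.append(f"range for {dom!r} is inverted: {lo}-{hi}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges for {a!r} ({alo}-{ahi}) and {b!r} ({blo}-{bhi}) overlap")
    return findings


def untrusted_domain_policy(conf: Dict[str, Dict[str, str]]) -> str:
    """Classify the effective 'map untrusted to domain' behaviour on a member
    server per the 4.7 man page: 'auto' (the default when unset) defers the
    decision to the DC, 'yes' rewrites an unknown domain to the server's own
    domain, 'no' rewrites it to the server's own name (local SAM)."""
    value = conf.get("global", {}).get("map untrusted to domain", "auto").lower()
    if value in ("yes", "true", "1"):
        return "map-to-primary-domain"
    if value in ("no", "false", "0"):
        return "local"
    return "defer-to-dc"


def audit(text: str) -> Dict[str, object]:
    """Run both checks over one smb.conf text and return the findings."""
    conf = parse_smb_conf(text)
    return {
        "idmap_findings": check_idmap_ranges(conf),
        "untrusted_domain_policy": untrusted_domain_policy(conf),
    }


if __name__ == "__main__":
    for name, text in (("member", MEMBER_SMB_CONF), ("bad", BAD_SMB_CONF)):
        print(name, audit(text))
```

Run against a real file with `audit(open("/etc/samba/smb.conf").read())`; an empty `idmap_findings` list and the expected policy string is what you want to see before the first `net ads join`.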
