Web lists-archives.com

Re: [Samba] is "map untrusted to domain" possible?




On Fri, 29 Jun 2018 16:56:47 +0800
d tbsky <tbskyd@xxxxxxxxx> wrote:

> 2018-06-29 16:26 GMT+08:00 Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx>:
> > OK, if I remove all the default and unnecessary lines, I am left
> > with this:
> >
> > [global]
> >    workgroup = SAM-DOM
> >    realm = AD.SAM-DOM.EXAMPLE.COM
> >    security = ads
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 1000000-1999999
> >    idmap config SAM-DOM:backend = ad
> >    idmap config SAM-DOM:range = 1000-999999
> >    idmap config SAM-DOM:schema_mode = rfc2307
> >
> >    winbind use default domain = yes
> >
> >    template homedir = /share/samba/home/%U
> >    template shell = /bin/bash
> >
> >    lanman auth = yes
> >    map untrusted to domain = yes
> >
> > Just a couple of comments:
> > Because you start 'SAM-DOM' at '1000', you cannot have ANY local
> > Unix users.
> 
>    That's OK. We don't have any local Unix users on the Samba file server.

Er, no it's not. What happens if something goes wrong and you need to
'SSH' in to fix something???
You need a few local Unix users, but hey, it's your domain.

> 
> > You have 'lanman auth' set to yes, do you really have any Win95/98
> > clients ? If not, you should remove this security risk line.
> 
>   We have a DOS client. Although Win95/98 is useless, DOS is still
> sometimes necessary today.

Why do you still have a DOS client? Even I (an inept programmer) could
crack its password in minutes.

Rowland
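The two points raised above (an idmap range that starts at 1000 leaves no room for local Unix users, and 'lanman auth = yes' enables trivially crackable LM hashes) can be caught mechanically before a config goes live. The following checker is an added example written for this archive page; it is not Samba's own tooling and not code from either poster. It parses the quoted [global] section (embedded here as a constructed sample) and flags both problems. The local UID range 1000-60000 is an assumption taken from the usual Linux login.defs defaults, and the key names it looks for are the standard smb.conf parameters shown in the thread.

```python
"""Static check of an smb.conf [global] section for two problems discussed in
the thread: 'lanman auth = yes' and an idmap range that collides with local
Unix UIDs.  Added example code; not part of Samba or of the original posts."""
import configparser
import re

# Constructed sample: the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = SAM-DOM
   realm = AD.SAM-DOM.EXAMPLE.COM
   security = ads

   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   idmap config SAM-DOM:backend = ad
   idmap config SAM-DOM:range = 1000-999999
   idmap config SAM-DOM:schema_mode = rfc2307

   winbind use default domain = yes

   template homedir = /share/samba/home/%U
   template shell = /bin/bash

   lanman auth = yes
   map untrusted to domain = yes
"""

# Assumption: the host's local account range as Linux login.defs usually
# sets it (UID_MIN=1000, UID_MAX=60000).  Adjust to the real host.
LOCAL_UID_RANGE = (1000, 60000)


def parse_global(text):
    """Return the [global] section as a dict with lowercased keys.

    smb.conf keys contain spaces and colons ('idmap config SAM-DOM:range'),
    so only '=' may act as the key/value delimiter, and '%U'-style
    substitutions must not be treated as configparser interpolation.
    Leading whitespace is stripped so configparser does not read indented
    lines as continuations of the previous value.
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(flat)
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def idmap_ranges(cfg):
    """Yield (domain, low, high) for every 'idmap config <dom>:range' key."""
    for key, value in cfg.items():
        m = re.fullmatch(r"idmap config (.+?)\s*:\s*range", key)
        if not m:
            continue
        low, high = (int(x) for x in value.split("-"))
        yield m.group(1), low, high


def check_global(cfg, local_uids=LOCAL_UID_RANGE):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    # Samba's default for 'lanman auth' is 'no'; LM hashes are weak.
    if cfg.get("lanman auth", "no").lower() in ("yes", "true", "1"):
        findings.append("lanman auth = yes: LM password hashes are enabled")
    lo_local, hi_local = local_uids
    for dom, low, high in idmap_ranges(cfg):
        # Two inclusive ranges overlap when neither lies entirely beyond the other.
        if low <= hi_local and high >= lo_local:
            findings.append(
                f"idmap range {low}-{high} for '{dom}' overlaps local UIDs "
                f"{lo_local}-{hi_local}: local Unix users would collide")
    return findings


if __name__ == "__main__":
    for finding in check_global(parse_global(SAMPLE_SMB_CONF)):
        print("WARNING:", finding)
```

Run against the sample it reports both the LM-hash setting and the SAM-DOM range collision; the '*' default range (1000000-1999999) is correctly left alone. Moving the domain range above the local UID range, or setting 'lanman auth = no', makes the corresponding finding disappear.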

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba