Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
- Date: Tue, 2 Oct 2018 16:31:23 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Tue, 2 Oct 2018 17:00:43 +0200
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
> > No, but what I do know is this, you should not use guest access on a
> > domain member, Windows turns it off by default. Also 'Guest' doesn't
> > exist on a Unix domain member, you would have to map it to the Unix
> > domain user 'nobody'
> No, this is not exactly true. You forget the 'guest account' option,
> that has the default value 'nobody'.
> So, even not specifying guest mapping, guest account are mapped to
OK, Windows 'Guest' != Unix 'nobody'
It might seem as if it does, but it doesn't.
> > If you have 'winbind use default domain = yes' in smb.conf, winbind
> > will basically just strip off the leading 'DOMAIN\' from user and
> > group names. So the user 'DOMAIN\fred' will become 'fred'.
> > Okay so far?
> > Now, if you have two domains in smb.conf 'DOMAINA' & 'DOMAINB' and
> > there is a user called 'fred' in both domains and you have 'winbind
> > use default domain = yes', you will end up with two users called
> > 'fred'.
> Ok, perfectly clear. But the manpage seems to me to say something different:
> This parameter specifies whether the winbindd(8) daemon should
> operate on users without domain component in their username. Users
> without a domain component are treated as is part of the winbindd
> server's own domain.
OK, it might say that, but, I have 'winbind use default domain = yes'
set on my Unix domain members and if I run 'getent passwd rowland' on
one, I get:
But on a DC, where the line has no effect:
The line removes the domain name and just leaves the username. You can
use 'winbind use default domain = yes' in smb.conf if you only have one
DOMAIN set, if you set another trusted DOMAIN, you must not use it.
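
An added example, not part of the original message or of Samba itself: a small check that reads the [global] section of an smb.conf and flags 'winbind use default domain = yes' when more than one domain is configured, the case described above where two users called 'fred' become indistinguishable. It assumes each domain has its own 'idmap config NAME : backend' line; the sample smb.conf and the function names are constructed for illustration.

```python
import re

# Constructed sample: a Unix domain member with idmap blocks for two domains.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOMAINA
    security = ADS
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config DOMAINA : backend = rid
    idmap config DOMAINB : backend = rid
"""

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf(5): case and whitespace in parameter names are irrelevant.
            params["".join(name.lower().split())] = value.strip()
    return params

def idmap_domains(params):
    """Domains that have their own 'idmap config NAME : backend' line ('*' excluded)."""
    found = set()
    for name in params:
        m = re.fullmatch(r"idmapconfig(.+):backend", name)
        if m and m.group(1) != "*":
            found.add(m.group(1).upper())
    return sorted(found)

def check_default_domain(text):
    """Flag 'winbind use default domain = yes' when more than one domain is mapped."""
    params = parse_global(text)
    value = params.get("winbindusedefaultdomain", "no").lower()  # default is 'no'
    enabled = value in ("yes", "true", "on", "1")
    domains = idmap_domains(params)
    return {"enabled": enabled, "domains": domains,
            "ambiguous": enabled and len(domains) > 1}

if __name__ == "__main__":
    print(check_default_domain(SAMPLE_SMB_CONF))
```

A trusted domain that has no 'idmap config' block of its own is not seen by this check, so a clean result only covers the domains named in the file.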