Web lists-archives.com

Re: [Samba] interpret non-domain users as domain users?




On Thu, 2019-05-02 at 02:07 +0200, Christian via samba wrote:
> Dear list,
> 
> when I connect to a samba AD member server from a windows 10 client not
> joined to the domain, it appears that I always have to connect as
> DOMAIN\USER. Is it possible to configure samba such that it always
> interprets the USER part as being the account name of the one domain
> that is configured, and to discard the DOMAIN part supplied by the
> client? This may be a dumb question, but thanks for any hints... Cheers,

Sadly not!

We used to have 'map untrusted to domain' but we had to get rid of it,
because for NTLMv2 it fails (because the domain is included in the
challenge/response password calculation).

If someone finds a truly critical situation where this matters we might
be able to solve it for pure samba domains, because on the DC we can
hold both names in memory, but for now we don't have a good solution.

Sorry!

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba