Web lists-archives.com

Re: [Samba] username map with “security = ads”




On Thu, 2 May 2019 14:27:32 +0200
Philipp Gesang <philipp.gesang@xxxxxxxxxxxxx> wrote:

> with
> 
>   server role = member server
>   security = user

The 'security = user' overrides the 'server role = member server'
It is a 'standalone server'
What is more, unless you have changed the workgroup, you now have a
'workgroup' and a 'domain' with the same name.

> 
> I can logon with smbclient as local user using username%password.

Well, yes, you would be able to, because it is a standalone server.

> With
> 
>   server role = member server
>   security = ads
> 
> and all other things being equal, I can’t (“session setup failed:
> NT_STATUS_NO_LOGON_SERVERS”). This is from a client without any
> domain awareness whatsoever.

Just adding 'security = ads' doesn't make a computer a domain member,
you have to join it to the domain and if it isn't a domain member, it
wouldn't be able to find the DC.

> > Whilst you do not want to put your local users into AD, this might
> > be your easiest and best way out of your problem. Create an AD
> > group and add all your 'local unix users' to this group, then only
> > allow access to the Samba shares to members of this group.  
> 
> Wouldn’t that also imply that accesses need to authenticate
> against AD?

Yes, but why would this be a problem ?

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba