Re: [Samba] username map with “security = ads”




-<| Quoting Rowland Penny via samba <rpenny@xxxxxxxxx>, on Thursday, 2019-05-02 02:04:14 PM |>-
> On Thu, 2 May 2019 14:27:32 +0200
> Philipp Gesang <philipp.gesang@xxxxxxxxxxxxx> wrote:
> 
> > with
> > 
> >   server role = member server
> >   security = user
> 
> The 'security = user' overrides the 'server role = member server'.
> It is a 'standalone server'.

I wasn’t aware of that, makes sense though.

> What is more, unless you have changed the workgroup, you now have a
> 'workgroup' and a 'domain' with the same name.

They’re distinct values.

> > I can logon with smbclient as local user using username%password.
> 
> Well, yes, you would be able to, because it is a standalone server.
> 
> > With
> > 
> >   server role = member server
> >   security = ads
> > 
> > and all other things being equal, I can’t (“session setup failed:
> > NT_STATUS_NO_LOGON_SERVERS”). This is from a client without any
> > domain awareness whatsoever.
> 
> Just adding 'security = ads' doesn't make a computer a domain member,
> you have to join it to the domain and if it isn't a domain member, it
> wouldn't be able to find the DC.
> 
> > > Whilst you do not want to put your local users into AD, this might
> > > be your easiest and best way out of your problem. Create an AD
> > > group and add all your 'local unix users' to this group, then only
> > > allow access to the Samba shares to members of this group.  
> > 
> > Wouldn’t that also imply that accesses need to authenticate
> > against AD?
> 
> Yes, but why would this be a problem?

These clients may not even know about AD and should be able to
access the shares from other networks behind VPN tunnels without
talking to some DC.

Plus backward compatibility trumps everything, I’m afraid.

Anyways, thanks for your input. This was very helpful!

Best regards,
Philipp
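
Added example, not part of the original message or of Samba: a small Python check over the `[global]` section of an smb.conf that reports the two combinations discussed in this thread. The rules encode the statements made in the thread; the function names and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample inputs: the two [global] variants quoted in the thread.
STANDALONE = "[global]\n  server role = member server\n  security = user\n"
ADS = "[global]\n  Server Role = member server\n  SECURITY = ads\n"

def parse_global(text):
    """Collect [global] parameters from smb.conf text.

    smb.conf ignores case and whitespace in parameter names, so
    'Server Role' and 'serverrole' land on the same key.
    """
    params, section = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' counts
            params["".join(name.lower().split())] = value.strip().lower()
    return params

def review(text):
    """Return findings for the combinations discussed in the thread."""
    g = parse_global(text)
    role, sec = g.get("serverrole", "auto"), g.get("security", "auto")
    findings = []
    if role == "member server" and sec == "user":
        findings.append("security = user overrides server role = member "
                        "server: this host runs as a standalone server")
    if sec == "ads":
        findings.append("security = ads only works after a domain join; an "
                        "unjoined host cannot find a DC")
    return findings

if __name__ == "__main__":
    for name, conf in (("security = user", STANDALONE), ("security = ads", ADS)):
        for finding in review(conf):
            print(f"{name}: {finding}")
```
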
