I’m starting to manually migrate my samba3 (or now samba4 classic)
servers into a new samba4 AD domain. (All new servers are running with
v4.7.4.) The DCs are running fine and I’m testing my first member server.
Works well with Windows 10 domain members, but we won’t be adding all
clients into the domain just yet.
Our old login scripts that map the drives do create problems now, since the non-domain members try to log in with "LOCALCOMPUTER\username"; the passwords are of course the same.
For my old samba 3 PDC, I successfully used
map untrusted to domain = yes to solve that problem. I’m now using the new default
will be the only value in 4.8 as far as I understand and it doesn’t seem
to work as I need it to. AFAIU the member server is supposed to delegate
the decision to the DC, which, in case it is unknown, should perform a
local authentication. I’m not sure what exactly “local” is (is it the AD
or the server?), but it doesn’t work here.
By default, and with map untrusted to domain = auto smbd will defer
the decision whether the domain name provided by the client is a valid
domain name to the Domain Controller (DC) of the domain it is a member
of, if it is not a DC. If the DC indicates that the domain portion is
unknown, then a local authentication is performed.
(man smb.conf v4.7.4)
So in short, is there an easy solution to map all unknown domains to
BSS\user? Since I don't have more than this one domain, I don't even
mind mapping everything.
DC smb.conf is fairly standard (left out netlogon/sysvol):
[global]
workgroup = BSS
realm = BSS.FQDN.EXAMPLE.COM
netbios name = BARVA
server role = active directory domain controller
dns forwarder = 220.127.116.11
idmap_ldb:use rfc2307 = yes
time server = yes
Member (file) server, left out the share definitions:
[global]
workgroup = BSS
realm = BSS.FQDN.EXAMPLE.COM
security = ADS
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info = template
template shell = /bin/false
template homedir = /srv/samba/homes/%U
# https://wiki.samba.org/index.php/Idmap_config_rid#Planning_the_ID_Ranges
# Default idmap config for local BUILTIN accounts and groups
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# idmap config for the domain
idmap config BSS : backend = rid
idmap config BSS : range = 10000-999999
store dos attributes = yes
vfs objects = acl_xattr
inherit acls = yes
map acl inherit = yes
Thanks in advance,
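An added diagnostic script (not part of the post above, not Samba's own tooling) for checking on the member server how a credential with a foreign domain part such as LOCALCOMPUTER\user is treated, so the effect of the "map untrusted to domain" setting can be seen rather than guessed. It assumes the Samba client tools (testparm, wbinfo, smbclient) are installed on the member server; the server name and the credential passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: observe how a Samba member server handles a credential whose
# domain part is not the AD domain (e.g. 'LOCALCOMPUTER\user'). Assumes
# testparm, wbinfo and smbclient are available; server name is a placeholder.

# Split 'DOMAIN\user' into its parts (pure helpers, no Samba needed).
cred_domain() {
    case "$1" in
        *\\*) printf '%s\n' "${1%%\\*}" ;;
        *)    printf '\n' ;;            # no domain part supplied
    esac
}
cred_user() { printf '%s\n' "${1#*\\}"; }

# Effective value of the setting as smbd sees it (from the loaded smb.conf).
effective_map_untrusted() {
    testparm -s --parameter-name='map untrusted to domain' 2>/dev/null
}

# Try the same credential two ways. wbinfo -a asks winbindd directly and does
# not apply smbd's domain mapping; smbclient goes through smbd, which does.
# A credential that wbinfo rejects but smbclient accepts has had its domain
# part rewritten to the member's own domain, which is exactly what
# "map untrusted to domain = yes" does for any domain string a client sends.
# Raise the auth debug class (e.g. "log level = 1 auth:3") to see the
# rewrite in log.smbd when auditing such logins.
check_untrusted_mapping() {   # $1 = 'DOMAIN\user%password', $2 = server
    cred="$1"; server="${2:-fileserver.bss.fqdn.example.com}"
    userpart="${cred%%%*}"                  # strip the %password suffix
    echo "map untrusted to domain = $(effective_map_untrusted)"
    echo "client sends domain='$(cred_domain "$userpart")' user='$(cred_user "$userpart")'"
    if wbinfo -a "$cred" >/dev/null 2>&1; then
        echo "winbindd: accepted (domain part is known to the DC)"
    else
        echo "winbindd: rejected (domain part unknown or bad password)"
    fi
    if smbclient -L "//$server" -U "$cred" >/dev/null 2>&1; then
        echo "smbd: accepted"
    else
        echo "smbd: rejected"
    fi
}

# Usage: ./check_mapping.sh 'LOCALCOMPUTER\alice%secret' fileserver
if [ -n "$1" ] && command -v smbclient >/dev/null 2>&1; then
    check_untrusted_mapping "$1" "$2"
fi
```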