Logon name format with or without domain

Hi everyone,

Actually, my TrueNAS SCALE has joined my AD domain with the following parameters:

  • Use default Domain
  • idmap with AD backend

Running testparm -s, I can see my SMB configuration seems to be good:

security = ADS
allow trusted domains = No
winbind use default domain = Yes

If my Windows workstation has joined the domain, I’m able to connect to the SMB share by providing a login without the domain name.

If my Windows workstation is outside the domain, I must provide the domain name in the login (MYDOMAIN\MYLOGIN) and the SMB share connection will succeed; otherwise it won’t work.

I don’t want to provide the domain name in my login in both cases (laptop is inside / outside the domain) → is it possible?

Thanks for your help

If your workstation is domain joined and just not on the domain network this should work.

If you have a box that has not joined the domain then I don’t think there is a way around it.
You could try the other syntax for ease of use user@domain.com, or maybe save connection (map network drive), it should prompt for previous user/pw then…

Thanks for your answer Rand

I just ran a few tests and I don’t understand:

From a Mac which is not in my Windows domain: I can see that mappedDomain by default is the good one. Just providing the login on my Mac without the domain name works to access a Samba share.
From a Windows workstation not in my Windows domain: providing the login without the domain does not work. Providing domain\login, I get access to the network share.

Why is it working on a Mac and not on Windows? I don’t really understand. That means: you’re a Mac user not in the domain: just provide your login to access the network share and it will work. You’re a Windows user not in the domain: please provide credentials such as domain\user, otherwise it won’t work.

Detailed log with a Mac (mappedDomain and clientDomain get the good domain name by default):

{
    "audit_id": "32c7f337-d141-426b-94bd-1d435b31e101",
    "message_timestamp": 1715868370,
    "timestamp": {
      "$date": 1715868370000
    },
    "address": "172.20.200.13",
    "username": "foo",
    "session": "",
    "service": "SMB",
    "service_data": {
      "vers": {
        "major": 0,
        "minor": 1
      },
      "service": null,
      "session_id": null,
      "tcon_id": null
    },
    "event": "AUTHENTICATION",
    "event_data": {
      "logonId": "0",
      "logonType": 3,
      "localAddress": "ipv4:172.20.200.53:445",
      "remoteAddress": "ipv4:172.20.202.13:58420",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "OSU",
      "clientAccount": "foo",
      "workstation": "CANETTE",
      "becameAccount": "foo",
      "becameDomain": "OSU",
      "becameSid": "S-1-5-21-1096999570-2198697884-94848477-1514",
      "mappedAccount": "foo",
      "mappedDomain": "OSU",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "clientPolicyAccessCheck": null,
      "serverPolicyAccessCheck": null,
      "vers": {
        "major": 0,
        "minor": 1
      },
      "result": {
        "type": "NTSTATUS",
        "value_raw": 0,
        "value_parsed": "SUCCESS"
      }
    },
    "success": true
  },

Detailed log with Windows (mappedDomain and clientDomain get the workstation name by default):

 {
    "audit_id": "54d83e55-d24a-41a4-a422-457a21747323",
    "message_timestamp": 1715869969,
    "timestamp": {
      "$date": 1715869969000
    },
    "address": "172.20.202.23",
    "username": "foo",
    "session": "",
    "service": "SMB",
    "service_data": {
      "vers": {
        "major": 0,
        "minor": 1
      },
      "service": null,
      "session_id": null,
      "tcon_id": null
    },
    "event": "AUTHENTICATION",
    "event_data": {
      "logonId": "0",
      "logonType": 3,
      "localAddress": "ipv4:172.20.200.53:445",
      "remoteAddress": "ipv4:172.20.202.23:62394",
      "serviceDescription": "SMB2",
      "authDescription": null,
      "clientDomain": "PCP",
      "clientAccount": "foo",
      "workstation": "PCP",
      "becameAccount": null,
      "becameDomain": null,
      "becameSid": null,
      "mappedAccount": "foo",
      "mappedDomain": "PCP",
      "netlogonComputer": null,
      "netlogonTrustAccount": null,
      "netlogonNegotiateFlags": "0x00000000",
      "netlogonSecureChannelType": 0,
      "netlogonTrustAccountSid": null,
      "passwordType": "NTLMv2",
      "clientPolicyAccessCheck": null,
      "serverPolicyAccessCheck": null,
      "vers": {
        "major": 0,
        "minor": 1
      },
      "result": {
        "type": "NTSTATUS",
        "value_raw": 3221225581,
        "value_parsed": "NT_STATUS_LOGON_FAILURE"
      }
    },
    "success": false
  },

I don’t use Mac so no idea.

It might be because on Windows the “default” user would be localcomputer\username and that won’t work on the share since you need domain\username.

On Mac that might work since it’s not thinking in “domains” by default (just guessing).
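The difference between the two audit events above can be checked mechanically. The following is an added example, not code from any poster or from TrueNAS: it labels SMB AUTHENTICATION events by the domain the client supplied and flags failures where clientDomain equals the workstation name. The function names and labels are hypothetical, the AD domain name "OSU" is taken from the Mac event, and the sample events are trimmed copies of the two logs posted in the thread.

```python
import json

# Trimmed copies of the two audit events posted in the thread
# (fields not used by this check are omitted).
SAMPLE_EVENTS = json.loads("""
[
 {"address": "172.20.200.13", "event": "AUTHENTICATION", "success": true,
  "event_data": {"clientDomain": "OSU", "clientAccount": "foo",
                 "workstation": "CANETTE", "mappedDomain": "OSU",
                 "result": {"value_parsed": "SUCCESS"}}},
 {"address": "172.20.202.23", "event": "AUTHENTICATION", "success": false,
  "event_data": {"clientDomain": "PCP", "clientAccount": "foo",
                 "workstation": "PCP", "mappedDomain": "PCP",
                 "result": {"value_parsed": "NT_STATUS_LOGON_FAILURE"}}}
]
""")

def classify(event, ad_domain):
    """Label one SMB AUTHENTICATION event by the domain the client sent."""
    if event.get("event") != "AUTHENTICATION":
        return "not-auth"
    data = event.get("event_data") or {}
    client_domain = (data.get("clientDomain") or "").upper()
    workstation = (data.get("workstation") or "").upper()
    if event.get("success"):
        return "ok"
    if client_domain == ad_domain.upper():
        return "failed-with-ad-domain"        # domain was right: check account/password
    if client_domain and client_domain == workstation:
        return "failed-local-machine-domain"  # client sent its own hostname as domain
    if not client_domain:
        return "failed-empty-domain"
    return "failed-other-domain"

def report(events, ad_domain):
    """Return (address, DOMAIN\\account, label) for every authentication event."""
    rows = []
    for ev in events:
        label = classify(ev, ad_domain)
        if label == "not-auth":
            continue
        d = ev.get("event_data") or {}
        who = f'{d.get("clientDomain")}\\{d.get("clientAccount")}'
        rows.append((ev.get("address"), who, label))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_EVENTS, "OSU"):   # "OSU" = AD domain seen in the Mac event
        print(*row)
```
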