Samba / AD: ignore "DOMAIN\" for share logins

lwa

Cadet
Joined
May 30, 2020
Messages
4
Hello,

I am using FreeNAS-11.3-U3.1 connected to a Samba 4.11.6 Domain Controller.
All domain users can log in to the Samba shares on FreeNAS without problems, but local users can't access the shares without adding "DOMAIN\" in front of the username.

We'd like to ignore the "DOMAIN\" part at the smb login, because we are using a local admin account to access some shares (a user with identical username and password exists in the domain for that purpose). With shares directly on the domain controller (netlogon, sysvol) this works fine, but FreeNAS tries to mount the shares with "PC-NAME\username" which obviously does not work.

I found a solution using "map untrusted to domain" but unfortunately this is deprecated since Samba 4.8.

Does anyone have a solution for this? Thank you in advance.

Kind regards,

Lwa
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Hmm. Aren't the PCs joined to the domain? The users should be logging into the domain, not locally. Then they'll see the desired behavior.
 

lwa

The users are logging into the domain. This affects our local admin account.
 

Samuel Tai

Unfortunately, this is how domain and local logins are supposed to work, according to Microsoft. Samba dropped that option to more closely match Microsoft's defined behavior.
 

lwa

But this works directly on the Samba DC, so this has to be an issue with the configuration on FreeNAS.
 

lwa

I tried "allow trusted domains" and "use default domain" (each alone and both together) but it did not work. I am now thinking about using a domain account as local administrator account to circumvent this as this is the expected behavior as stated in post #4.
 