Problem: Cross-domain share access via same user and password doesn't work any more

Problem

Cross-domain share access via the same user and password doesn't work any more after updating to UCS 4.3.
(The "map untrusted to domain" option is deprecated.)

Solution

The following option can be set on all Samba AD/DCs of the domain. Do not set it on the affected member server.

ucr set samba/global/options/"auth methods"="anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain"
/etc/init.d/samba restart

Note:
This may cause unintended changes of behavior. Unfortunately there is only the single "auth methods" option, and it affects both local logon and netlogon. In this case only the netlogon behavior needed adjustment.

Samba 4.10
With Samba version 4.10, the "auth methods" option has been removed from the upstream Samba source code. We re-added the option to Samba 4.10 to allow the workaround mentioned above. Now set the following UCR variable on Samba/AD 4.10 domain controllers:

ucr set samba/global/options/"auth methods"="sam winbind sam_ignoredomain"

Root Cause

More details about the root cause can be found in Bug #47314.
