Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name




Do the "getent passwd" and "getent group" commands show the domain users?

I would - at least for testing - skip the "valid users" and "write list" options. I believe that file system level security is sufficient.

I think the "wins support" line means this machine is a WINS server. (The "wins server" option would tell the machine which WINS server to use, not to be a WINS server, so that can be a little confusing.) My general experience with WINS servers is that it is simpler to have a domain controller/directory server be the WINS server.



-----Original Message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Rob Marshall via samba
Sent: Friday, January 12, 2018 6:35 PM
To: Luke Barone <lukebarone@xxxxxxxxx>
Cc: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name

Hi,

Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:

[global]
        log level = 3
        os level = 1
        security = ADS
        server string = TEST CIFS Server
        workgroup = WG
        netbios name = FRED1
        realm = WB.DOM-NAME.COM
        idmap config * : range = 10000-20000
        log file = /var/log/samba/%m.log
        encrypt passwords = yes
        syslog = 1
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        wins support = yes
        printcap name = /dev/null
        socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
        strict sync = yes
        oplocks = yes
        kernel oplocks = no
        wide links = yes
        deadtime = 1
        case sensitive = no
        map to guest = bad user
        guest account = nobody
        unix extensions = no

[TestShare]
        comment = Test Share for further testing
        path = /cifs/TestShare_test
        hosts allow =ALL
        hosts deny = ALL
        browseable = yes
        writeable = no
        directory mask = 0777
        force user = cifs_user
        guest ok = No
        valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
        write list = @WG\dl_fred1_testshare_m

My questions are:

1) What does the error:

string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format

mean?

2) For the connections using the NETBIOS name, I see lots of messages similar to:

[2018/01/12 23:10:38.716169,  2] smbd/service.c:627(create_connection_session_info)
  user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
[2018/01/12 23:10:38.716216,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2018/01/12 23:10:38.716260,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Given the above smb.conf is it possible that the attempts using the IP address, rather than the NETBIOS name, are being allowed access (in this case read only) because Samba can't determine who the user is and is, therefore, allowing some sort of guest access? I don't really have any other way to explain why the access via the NETBIOS name, which appears to correctly see that the user doesn't have access to the share, fails and the access via the IP address works. Does that even make sense?

Thanks,

Rob
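
The question above turns on how "map to guest", "guest ok", "hosts allow"/"hosts deny" and "wide links" combine. As an added example (not part of the original message, and not a Samba tool), this Python script parses smb.conf text and lists the settings that widen access; the parser, the function names and the trimmed sample are assumptions made for illustration, and the rules follow the smb.conf manual's descriptions of those parameters.

```python
# Constructed sample: selected lines from the smb.conf quoted in the message above.
SAMPLE = """
[global]
        wide links = yes
        map to guest = bad user
        unix extensions = no
[TestShare]
        hosts allow =ALL
        hosts deny = ALL
        directory mask = 0777
        guest ok = No
"""

def parse(text):
    """Return {section: {param: value}}; names lower-cased, whitespace collapsed."""
    conf, sect = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            sect = conf.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and sect is not None:
            key, val = line.split("=", 1)
            sect[" ".join(key.lower().split())] = val.strip()
    return conf

def truthy(value):
    return str(value).strip().lower() in {"yes", "true", "on", "1"}

def audit(conf):
    """Return (section, finding) pairs for settings that widen access."""
    g, out = conf.get("global", {}), []
    guest_map = g.get("map to guest", "never").lower()
    if guest_map != "never":
        out.append(("global", f"map to guest = {guest_map}: some failed logins become guest sessions"))
    # wide links only takes effect when unix extensions is off (default is on)
    if truthy(g.get("wide links")) and not truthy(g.get("unix extensions", "yes")):
        out.append(("global", "wide links in effect: symlinks can lead outside share paths"))
    for name, share in ((n, s) for n, s in conf.items() if n != "global"):
        if guest_map != "never" and truthy(share.get("guest ok", g.get("guest ok"))):
            out.append((name, "guest ok = yes: guest sessions can connect to this share"))
        if "hosts allow" in share and "hosts deny" in share:
            out.append((name, "hosts allow and hosts deny both set: allow wins where they conflict"))
        if int(share.get("directory mask", g.get("directory mask", "0755")), 8) & 0o002:
            out.append((name, "directory mask does not clear the world-writable bit"))
    return out

if __name__ == "__main__":
    for section, finding in audit(parse(SAMPLE)):
        print(f"[{section}] {finding}")
```

On the sample, the guest-session finding does not fire for TestShare because the share sets guest ok = No.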

On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba <samba@xxxxxxxxxxxxxxx> wrote:
> In a perfect world, SysVol would be on an AD Domain Controller, but 
> there are people on here who do things out of the perfect world ;-)
>
> If the answer was yes though, then I would be able to post the Reg 
> Setting to enable access from Windows 10 and above to those shares. I 
> needed to apply it as we are still running PDCs in almost every site. 
> Trust me, I can't wait to roll out AD
>
> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba < 
> samba@xxxxxxxxxxxxxxx> wrote:
>
>> On Fri, 12 Jan 2018 09:21:42 -0800
>> Luke Barone <lukebarone@xxxxxxxxx> wrote:
>>
>> > As well as what share... Are you trying to access the \\*\netlogon 
>> > or \\*\sysvol shares of a PDC?
>> >
>>
>> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>