Web lists-archives.com

Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name




Hi,

When I initially tested the "getent passwd testuser01" I got nothing
back. I then did: "getent passwd "wg\testuser01"" and got the entry. A
"troubleshooting" wiki I was reading suggested adding: "winbind use
default domain = yes" to fix that. I added that and was then able to
lookup the user without needing the "wg\".

In looking at the sources for libcli/security/dom_sid.c, which is
where the "invalid format" messages are displayed, I'm a bit confused.
That function seems to be assuming it's received an actual SID and not
the group designation. Does anyone know why it would be checking the
@WG\dl_fred1_testshare_r?

Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED
when using the NETBIOS name to try and access the share. When using
the IP address it doesn't seem to be checking much of anything, but
allows access (at least read access) to the share. For example when
using the NETBIOS name I see it checking the kerberos ticket, which is
NOT happening when using the IP address.

Again, does the assumption make any sense that when using the IP
address the user is being granted some sort of "guest" access but when
using the NETBIOS (or FQDN) name the authentication is actually being
checked and failing for some reason?

Thanks,

Rob

On Sat, Jan 13, 2018 at 10:26 AM, Gaeseric Vandal via samba
<samba@xxxxxxxxxxxxxxx> wrote:
> Do the   "getent passwd" and "getent group" commands show the domain users?
>
> I would - at least for testing - skip the "valid users" and "write list" options .   I believe that file system level security is sufficient.
>
> I think the "wins support" line means this machine is a WINS server.  (the "wins server" option would tell the machine which WINS server to us, not to be a WINS server, so that can be a little confusing.)    My general experience with WINS servers is that it is simpler to have a domain controller/directory server be the WINS server.
>
>
>
> -----Original Message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Rob Marshall via samba
> Sent: Friday, January 12, 2018 6:35 PM
> To: Luke Barone <lukebarone@xxxxxxxxx>
> Cc: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name
>
> Hi,
>
> Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:
>
> [global]
>         log level = 3
>         os level = 1
>         security = ADS
>         server string = TEST CIFS Server
>         workgroup = WG
>         netbios name = FRED1
>         realm = WB.DOM-NAME.COM
>         idmap config * : range = 10000-20000
>         log file = /var/log/samba/%m.log
>         encrypt passwords = yes
>         syslog = 1
>         winbind enum users = no
>         winbind enum groups = no
>         winbind use default domain = yes
>         wins support = yes
>         printcap name = /dev/null
>         socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
>         strict sync = yes
>         oplocks = yes
>         kernel oplocks = no
>         wide links = yes
>         deadtime = 1
>         case sensitive = no
>         map to guest = bad user
>         guest account = nobody
>         unix extensions = no
>
> [TestShare]
>         comment = Test Share for further testing
>         path = /cifs/TestShare_test
>         hosts allow =ALL
>         hosts deny = ALL
>         browseable = yes
>         writeable = no
>         directory mask = 0777
>         force user = cifs_user
>         guest ok = No
>         valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
>         write list = @WG\dl_fred1_testshare_m
>
> My questions are:
>
> 1) What does the error:
>
> string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
>
> mean?
>
> 2) For the connections using the NETBIOS name, I see lots of messages similar to:
>
> [2018/01/12 23:10:38.716169,  2]
> smbd/service.c:627(create_connection_session_info)
>   user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
> [2018/01/12 23:10:38.716216,  1] smbd/service.c:805(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/12 23:10:38.716260,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> Given the above smb.conf is it possible that the attempts using the IP address, rather than the NETBIOS name, are being allowed access (in this case read only) because Samba can't determine who the user is and is, therefore, allowing some sort of guest access? I don't really have any other way to explain why the access via the NETBIOS name, which appears to correctly see that the user doesn't have access to the share, fails and the access via the IP address works. Does that even make sense?
>
> Thanks,
>
> Rob
>
> On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> In a perfect world, SysVol would be on an AD Domain Controller, but
>> there are people on here who do things out of the perfect world ;-)
>>
>> If the answer was yes though, then I would be able to post the Reg
>> Setting to enable access from Windows 10 and above to those shares. I
>> needed to apply it as we are still running PDCs in almost every site.
>> Trust me, I can't wait to roll out AD
>>
>> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <
>> samba@xxxxxxxxxxxxxxx> wrote:
>>
>>> On Fri, 12 Jan 2018 09:21:42 -0800
>>> Luke Barone <lukebarone@xxxxxxxxx> wrote:
>>>
>>> > As well as what share... Are you trying to access the \\*\netlogon
>>> > or \\*\sysvol shares of a PDC?
>>> >
>>>
>>> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba