
Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name





Just for reference, on a working Samba 4.x server in an AD domain I have the following entries:

	# default backend for SIDs that belong to no configured domain
	Idmap config *:backend = tdb
	Idmap config *:range = 2000-2999

	# the AD domain itself: uid/gid numbers come from the rfc2307 attributes in AD
	Idmap config MYDOMAIN:backend = ad
	Idmap config MYDOMAIN:schema_mode = rfc2307
	Idmap config MYDOMAIN:range = 1000-1999



I use Active Directory Users and Computers to explicitly set the uid and gid numbers (this was to keep everything happy when migrating from a classic domain). The "*" range in idmap will handle accounts that are not in the domain (of which there really shouldn't be any).

The "getent passwd" command verifies that the winbind entry in nsswitch is working. You should also find that "wbinfo -n someuser" and "wbinfo -n YOURDOMAIN\someuser" return the same SID, and "wbinfo -s somesid" should return the correct "YOURDOMAIN\someuser" value.

I really don't understand why this should behave differently when connecting to the server IP vs. the server name. The various logs on the Samba server should show whether you are seeing connection attempts from "YOURDOMAIN\someuser" or from "someuser", and whether it is maybe mapping the users differently. You might need to bump up the logging level.


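The recurring point in this thread is an smb.conf whose only idmap configuration is the '*' default domain, so every domain account falls into the tdb fallback instead of the per-domain backend. The following Python script is an added example (not code from the thread or from the Samba project) that parses the `idmap config DOMAIN : key = value` lines of an smb.conf and flags that layout, a backend with no range, and overlapping ranges; both configuration samples are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: everything mapped through the '*' default domain only.
BROKEN_SMB_CONF = """
[global]
    workgroup = WG
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    winbind use default domain = yes
"""

# Constructed sample: the real domain gets its own ad backend and range.
FIXED_SMB_CONF = """
[global]
    workgroup = WG
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 2000-2999
    idmap config WG : backend = ad
    idmap config WG : schema_mode = rfc2307
    idmap config WG : range = 1000-1999
"""

# Matches both "idmap config * : range = ..." and "Idmap config WG:range = ...".
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap config lines, keyed by upper-cased domain name, then by key."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(conf: str, workgroup: str) -> List[str]:
    """Return findings about the idmap layout; an empty list means it looks sane."""
    findings: List[str] = []
    domains, wg = parse_idmap(conf), workgroup.upper()
    if wg not in domains:
        findings.append(f"no 'idmap config {wg}' block: domain users fall into the '*' default backend")
    ranges: List[Tuple[str, int, int]] = []
    for dom, keys in domains.items():
        if "backend" in keys and "range" not in keys:
            findings.append(f"{dom}: backend '{keys['backend']}' has no range")
        if "range" in keys:
            lo, hi = (int(x) for x in keys["range"].split("-"))
            if lo >= hi:
                findings.append(f"{dom}: range {lo}-{hi} is empty or reversed")
            ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])  # sort by low end, then compare neighbours
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return findings
```

Run it against your own smb.conf with `check_idmap(open("/etc/samba/smb.conf").read(), "YOURDOMAIN")` before the wbinfo checks above; a non-empty list explains a lot of "works by IP, fails by name" mapping surprises.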

-----Original Message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of Rowland Penny via samba
Sent: Sunday, January 14, 2018 3:38 AM
To: samba@xxxxxxxxxxxxxxx
Cc: Rob Marshall <rob.marshall17@xxxxxxxxx>
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name

On Sat, 13 Jan 2018 19:12:14 -0500
Rob Marshall via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> When I initially tested the "getent passwd testuser01" I got nothing 
> back. I then did: "getent passwd "wg\testuser01"" and got the entry. A 
> "troubleshooting" wiki I was reading suggested adding: "winbind use 
> default domain = yes" to fix that. I added that and was then able to 
> lookup the user without needing the "wg\".
> 
> In looking at the sources for libcli/security/dom_sid.c, which is 
> where the "invalid format" messages are displayed, I'm a bit confused.
> That function seems to be assuming it's received an actual SID and not 
> the group designation. Does anyone know why it would be checking the 
> @WG\dl_fred1_testshare_r?
> 
> Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED 
> when using the NETBIOS name to try and access the share. When using 
> the IP address it doesn't seem to be checking much of anything, but 
> allows access (at least read access) to the share. For example when 
> using the NETBIOS name I see it checking the kerberos ticket, which is 
> NOT happening when using the IP address.
> 
> Again, does the assumption make any sense that when using the IP 
> address the user is being granted some sort of "guest" access but when 
> using the NETBIOS (or FQDN) name the authentication is actually being 
> checked and failing for some reason?
> 
> Thanks,
> 
> Rob
> 

I will say it again, your smb.conf is incorrect, you are putting EVERYTHING into the '*' domain, please read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba