Web lists-archives.com

Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.




Mandi! Rowland Penny via samba
  In chel di` si favelave...

> > Before upgrading my domain members to samba 4.8 (from 4.5) i can
> > access a 'guest' share using DOMINIQUE\Administrator user without
> > trouble. Probably (and correctly, for my point of view) domain member
> > does not find 'DOMINIQUE\Administrator' user, and so map it to guest.
> > Bingo.
> The above would be true except for this line you have in smb.conf:
> 	winbind use default domain = Yes

Ok, but manpage seems say to me something different.

       winbind use default domain (G)

           This parameter specifies whether the winbindd(8) daemon should operate on users without domain component in their username. Users without a domain component are treated as is part of the
           winbindd server's own domain. While this does not benefit Windows users, it makes SSH, FTP and e-mail function in a way much closer to the way they would in a native unix system.

so seems to me that apply only to domainless auth, not domainful
ones...


> So when either 'DOMINIQUE\Administrator' or 'LNFFVG\Administrator'
> connects, they both become 'Administrator', who then gets mapped to
> 'root'

But looking at logs, seems to me that i connect with 'domeinful' user:

[2018/09/25 09:54:26.944813,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 09:54:26.944826,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 09:54:26.944839,  5] ../lib/util/util.c:514(dump_data)
  [0000] D7 98 F6 F1 EC 11 A2 E9                             ........ 
[2018/09/25 09:54:26.944862,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944877,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 09:54:26.944890,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944907,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 09:54:26.944920,  5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 09:54:26.946828,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 09:54:26.946859,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946889,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946920,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018 09:54:26.946911 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:51457] m
apped to [dominique]\[Administrator]. local host [ipv4:10.5.1.26:445] 
[2018/09/25 09:54:26.947266,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-25T09:54:26.947167+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress"
: "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:51457", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "dominique", "clientAccount": "Administrator", "workstation": "DOMINIQ
UE", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "Administrator", "mappedDomain": "dominique", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonN
egotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/25 09:54:26.947315,  5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.947353,  5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947379,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 09:54:26.947405,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f554d970]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947422,  3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947438,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5518ae0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947454,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1


And, removed from the map 'Administrator' (domainless) there's no more
map to root.

But still i get NT_STATUS_WRONG_PASSWORD, and not 'user unknown'...


> I don't understand why you are trying to use a local user on a domain
> joined machine.

Bootstrapping. After initial setup the system works with machine
account.

But i need to bootstrap it...

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba