
Re: [Samba] User mapping/login issue




On 21/04/19 17:12, Rowland Penny wrote:
On Sun, 21 Apr 2019 08:59:01 +0930
Stephen Davies via samba <samba@xxxxxxxxxxxxxxx> wrote:

I have been a bit divorced from Samba for a while and am stumped by a
recently seen issue.

My Samba server (V4.8.3) is Centos 7 and the remote clients are
windoze boxes at the other end of a VPN (OpenVPN). At some point in
"recent" history, access to shares on the Centos server started to
fail with password failures. The reason seems to be associated with
user mapping. (See log fragment below).

I have added entries to smbusers trying to map the remote user to
local user simon without success.

There is no windoze domain server involved.

The clients can FTP to the server and retrieve emails via IMAP.

What am I missing?


[2019/04/18 16:10:52.327632, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [SIMON-DELLPC]\[simon]@[SIMON-DELLPC] with the new password interface
[2019/04/18 16:10:52.327658, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
[2019/04/18 16:10:52.327686, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2

By default NTLMv1 is now turned off; could this be your problem? Try
(as a test) adding 'ntlm auth = yes' to your smb.conf and
reload/restart Samba.

If this doesn't work, can you please post your smb.conf and tell us
what the Windows machines are.

Rowland



There is no ntlm auth entry in smb.conf (included below) but I don't think the NTLM setting is the cause, as I can use smbclient to successfully log in as user simon and get the following log fragment:

[2019/04/23 14:33:59.978465, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[simon] domain=[BENPARTS] workstation=[SERVER] len1=24 len2=224
[2019/04/23 14:33:59.978554,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/04/23 14:33:59.978656,  3] ../source3/param/loadparm.c:547(init_globals)
.
.
.
  adding IPC service
[2019/04/23 14:33:59.987819, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [BENPARTS]\[simon]@[SERVER]

No smbuser entry is required for this combination so it looks as if the remote Windows workgroup/domain is not being handled.

The remote client involved is running W10 Professional 64-bit.

The full smb.conf is:

#======================= Global Settings =====================================
[global]

    workgroup = BENPARTS

    netbios name = server

    # server string is the equivalent of the NT Description field
    server string = Samba Server %v

    printcap name = cups
    load printers = yes

    printing = cups

    log file = /var/log/samba/log.%m

    max log size = 50

    log level = 4

    guest account = benparts
    # Allow users to map to guest:
    map to guest = baduser

    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
    security = user
    passdb backend = tdbsam
    # Use password server option only with security = server or security = domain
    username level = 8

    encrypt passwords = yes

    preferred master = yes

    name resolve order = host lmhosts wins bcast

    wins support = yes

    preserve case = yes
    dos charset = 850
    unix charset = ISO8859-1
    domain master = yes
    domain logons = yes
    os level = 128
    add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'
#============================ Share Definitions ==============================
[homes]
    comment = Home Directories
    browseable = no
    writable = yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # to allow user 'guest account' to print.
    guest ok = yes
    writable = no
    printable = yes
    create mode = 0700
    # =====================================
    # print command: see above for details.
    # =====================================
    print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.

[print$]
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    write list = @adm root
    guest ok = yes

[pdf-generator]
    path = /var/tmp
    guest ok = No
    printable = Yes
    comment = PDF Generator (only valid users)
    #print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP doc_name &
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I &

[pdf-screen]
    copy = pdf-generator
    comment = PDF Generator - Screen quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-printer]
    copy = pdf-generator
    comment = PDF Generator - Print quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-prepress]
    copy = pdf-generator
    comment = PDF Generator - PrePress quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

# This one is useful for people to share files
[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes


[var]
    comment = General shared storage
    path = /var
    read only = no
    public = yes

Thank you,
Stephen
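
An added example, not part of the original thread: a small parser for the level-3 `check_ntlm_password` records quoted above, which pulls out the domain, user and workstation each client presented and lists the attempts whose domain is neither the server's `workgroup` nor its `netbios name`. The function names are hypothetical; the sample log is assembled from the two fragments in the thread, laid out as a header line followed by an indented message line.

```python
import re

# Zero-width split point before each record header, e.g.
# "[2019/04/18 16:10:52.327632,  3] ../source3/auth/auth.c:189(...)"
RECORD_START = re.compile(r"(?m)^(?=\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# "[DOMAIN]\[user]@[WORKSTATION]" as written by check_ntlm_password
AUTH_MSG = re.compile(
    r"check_ntlm_password:\s+(Checking password for unmapped user|mapped user is:)\s+"
    r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
)

# Sample input built from the log fragments quoted in the thread.
SAMPLE_LOG = r"""
[2019/04/18 16:10:52.327632,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SIMON-DELLPC]\[simon]@[SIMON-DELLPC] with the new password interface
[2019/04/18 16:10:52.327658,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
[2019/04/18 16:10:52.327686,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2019/04/23 14:33:59.987819,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [BENPARTS]\[simon]@[SERVER]
"""

def parse_auth_entries(log_text):
    """Return one dict per 'unmapped user' / 'mapped user is' record."""
    entries = []
    for record in RECORD_START.split(log_text):
        flat = " ".join(record.split())  # rejoin header and message lines
        m = AUTH_MSG.search(flat)
        if not m:
            continue  # unrelated record (e.g. push_sec_ctx) or empty chunk
        entries.append({
            "time": flat[1:flat.index(",")],
            "stage": "unmapped" if "unmapped" in m.group(1) else "mapped",
            "domain": m.group(2), "user": m.group(3), "workstation": m.group(4),
        })
    return entries

def foreign_domain_logins(entries, workgroup, netbios_name):
    """Entries whose client-supplied domain is not one of the server's own names."""
    local = {workgroup.upper(), netbios_name.upper()}
    return [e for e in entries if e["domain"].upper() not in local]

if __name__ == "__main__":
    # workgroup and netbios name as set in the smb.conf posted above
    for e in foreign_domain_logins(parse_auth_entries(SAMPLE_LOG), "BENPARTS", "server"):
        print(e["time"], e["stage"], f'{e["domain"]}\\{e["user"]}@{e["workstation"]}')
```

The output only shows which names each client sent; it does not by itself establish why a given login was rejected.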
