Jakub Veselý
2015-Aug-16 15:55 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
I am trying to log in with my domain credentials, that are valid, because when I prefix the login it succeeds. S pozdravom, Jakub Veselý Správca siete GJH Novohradská 3, 82109 Bratislava 02/210 28 328 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:> On 16/08/15 16:38, Jakub Veselý wrote: > >> Unfortunately 'map untrusted to domain = yes' did not help, I still keep >> getting wrong username or password error while accessing the share. I do >> have 'winbind use default domain = yes' in the configuration, but seem to >> have no effect on windows either. I am trying it from windows 10 PC that >> is >> not joined to domain, could the os be an issue? >> >> Jakub Vesely >> > > possibly, but you are trying to connect as a user that just doesn't exist > (i.e. a user from outside the domain), you may need to use 'map to Bad > User', but as I said, post your smb.conf > > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Rowland Penny
2015-Aug-16 18:35 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
On 16/08/15 16:55, Jakub Veselý wrote:> I am trying to log in with my domain credentials, that are valid, > because when I prefix the login it succeeds. > > S pozdravom, > > Jakub Veselý > Správca siete GJH > Novohradská 3, 82109 Bratislava > 02/210 28 328 > > 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com > <mailto:rowlandpenny241155 at gmail.com>>: > > On 16/08/15 16:38, Jakub Veselý wrote: > > Unfortunately 'map untrusted to domain = yes' did not help, I > still keep > getting wrong username or password error while accessing the > share. I do > have 'winbind use default domain = yes' in the configuration, > but seem to > have no effect on windows either. I am trying it from windows > 10 PC that is > not joined to domain, could the os be an issue? > > Jakub Vesely > > > possibly, but you are trying to connect as a user that just > doesn't exist (i.e. a user from outside the domain), you may need > to use 'map to Bad User', but as I said, post your smb.conf > > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >OK, I tried to login from a VM that isn't connected to my domain with a domain user to a share on a member server and it works, the share is owned by root:Domain Users with 0775 permissions My smb.conf is very similar to yours with the addition of these lines: dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab winbind expand groups = 4 winbind refresh tickets = Yes winbind normalize names = Yes I do not have these lines: winbind trusted domains only = no map untrusted to domain = yes The share stanza is just this: [testshare] path = /home/share read only = no The command I used on the VM is this: smbclient \\\\computer.example.com\\testshare -U rowland%password The member server is running Linux Mint 17 (aka Ubuntu 14.04) with samba 4.1.6 My users have a uidNumber and Domain Users has a gidNumber. Rowland
Jakub Veselý
2015-Aug-16 18:51 UTC
[Samba] Make Samba4 ignore domain prefix on share logon
Edited smb.conf to match yours and restarted both smbd and winbind. Did not work. Tried to smbclient from another server: session setup failed: NT_STATUS_LOGON_FAILURE. Our member server is also running Ubuntu 14.04 and Samba-4.1.6 (I might have mistakenly wirtten it was 4.1.7 in original email, dont remember now). Domain Users do have gid and users have uids. S pozdravom, Jakub Veselý Správca siete GJH Novohradská 3, 82109 Bratislava 02/210 28 328 2015-08-16 20:35 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:> On 16/08/15 16:55, Jakub Veselý wrote: > >> I am trying to log in with my domain credentials, that are valid, because >> when I prefix the login it succeeds. >> >> S pozdravom, >> >> Jakub Veselý >> Správca siete GJH >> Novohradská 3, 82109 Bratislava >> 02/210 28 328 >> >> 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com >> <mailto:rowlandpenny241155 at gmail.com>>: >> >> On 16/08/15 16:38, Jakub Veselý wrote: >> >> Unfortunately 'map untrusted to domain = yes' did not help, I >> still keep >> getting wrong username or password error while accessing the >> share. I do >> have 'winbind use default domain = yes' in the configuration, >> but seem to >> have no effect on windows either. I am trying it from windows >> 10 PC that is >> not joined to domain, could the os be an issue? >> >> Jakub Vesely >> >> >> possibly, but you are trying to connect as a user that just >> doesn't exist (i.e. a user from outside the domain), you may need >> to use 'map to Bad User', but as I said, post your smb.conf >> >> >> Rowland >> >> >> -- To unsubscribe from this list go to the following URL and read >> the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> > OK, I tried to login from a VM that isn't connected to my domain with a > domain user to a share on a member server and it works, the share is owned > by root:Domain Users with 0775 permissions > > My smb.conf is very similar to yours with the addition of these lines: > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > winbind expand groups = 4 > winbind refresh tickets = Yes > winbind normalize names = Yes > > I do not have these lines: > > winbind trusted domains only = no > map untrusted to domain = yes > > The share stanza is just this: > > [testshare] > path = /home/share > read only = no > > The command I used on the VM is this: > > smbclient \\\\computer.example.com\\testshare -U rowland%password > > The member server is running Linux Mint 17 (aka Ubuntu 14.04) with samba > 4.1.6 > > My users have a uidNumber and Domain Users has a gidNumber. > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >