Rob Marshall
2018-Jan-12 23:34 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Hi,

Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:

[global]
log level = 3
os level = 1
security = ADS
server string = TEST CIFS Server
workgroup = WG
netbios name = FRED1
realm = WB.DOM-NAME.COM
idmap config * : range = 10000-20000
log file = /var/log/samba/%m.log
encrypt passwords = yes
syslog = 1
winbind enum users = no
winbind enum groups = no
winbind use default domain = yes
wins support = yes
printcap name = /dev/null
socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
strict sync = yes
oplocks = yes
kernel oplocks = no
wide links = yes
deadtime = 1
case sensitive = no
map to guest = bad user
guest account = nobody
unix extensions = no

[TestShare]
comment = Test Share for further testing
path = /cifs/TestShare_test
hosts allow = ALL
hosts deny = ALL
browseable = yes
writeable = no
directory mask = 0777
force user = cifs_user
guest ok = No
valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
write list = @WG\dl_fred1_testshare_m

My questions are:

1) What does the error:

string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format

mean?

2) For the connections using the NETBIOS name, I see lots of messages similar to:

[2018/01/12 23:10:38.716169, 2] smbd/service.c:627(create_connection_session_info)
  user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
[2018/01/12 23:10:38.716216, 1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2018/01/12 23:10:38.716260, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Given the above smb.conf is it possible that the attempts using the IP address, rather than the NETBIOS name, are being allowed access (in this case read only) because Samba can't determine who the user is and is, therefore, allowing some sort of guest access? I don't really have any other way to explain why the access via the NETBIOS name, which appears to correctly see that the user doesn't have access to the share, fails and the access via the IP address works. Does that even make sense?

Thanks,

Rob

On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba <samba at lists.samba.org> wrote:
> In a perfect world, SysVol would be on an AD Domain Controller, but there are people on here who do things out of the perfect world ;-)
>
> If the answer was yes though, then I would be able to post the Reg Setting to enable access from Windows 10 and above to those shares. I needed to apply it as we are still running PDCs in almost every site. Trust me, I can't wait to roll out AD
>
> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On Fri, 12 Jan 2018 09:21:42 -0800 Luke Barone <lukebarone at gmail.com> wrote:
>>
>> > As well as what share... Are you trying to access the \\*\netlogon or \\*\sysvol shares of a PDC?
>>
>> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2018-Jan-13 09:00 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
On Fri, 12 Jan 2018 18:34:35 -0500 Rob Marshall <rob.marshall17 at gmail.com> wrote:
> Hi,
>
> Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:
> [...]

You do not seem to have correct authentication lines, you have:

idmap config * : range = 10000-20000

I would expect to see something like this:

## map ids outside of domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Also are the 'passwd' & 'group' lines in /etc/nsswitch.conf set up to use winbind ?

Rowland
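Rowland's reply above describes the idmap layout a domain member needs (a backend and a range for "*" and for the domain, with the ranges not overlapping), and Rob's first post shows string_to_sid rejecting an "@WG\..." entry because that function expects S-1-... syntax. The following Python script is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf laid out the way Rowland suggests, reports missing backends and overlapping idmap ranges, and classifies each "valid users" / "write list" entry as SID syntax, a group prefix or a plain name. The sample config, the second single-line config taken from the thread, and the checks themselves are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample smb.conf in the shape Rowland describes (not the poster's file):
# separate idmap backends and non-overlapping ranges for '*' and the domain.
SAMPLE_SMB_CONF = r"""
[global]
   workgroup = WG
   realm = WB.DOM-NAME.COM
   security = ADS
   ## map ids outside of domain to tdb files.
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   ## map ids from the domain; the ranges may not overlap
   idmap config WG : backend = rid
   idmap config WG : range = 10000-999999

[TestShare]
   path = /cifs/TestShare_test
   valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
   write list = @WG\dl_fred1_testshare_m
"""

# The single idmap line from the thread's original config, for comparison.
THREAD_GLOBAL = "[global]\n   idmap config * : range = 10000-20000\n"

# Textual SID form accepted by Samba's string_to_sid(): S-1-<authority>-<subauth>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
IDMAP_KEY_RE = re.compile(r"^idmap config (\S+) : (\w+)$", re.IGNORECASE)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; keys keep case, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split())] = value.strip()
    return sections


def idmap_domains(global_section):
    """Group 'idmap config <dom> : <option>' keys by domain name."""
    out = defaultdict(dict)
    for key, value in global_section.items():
        m = IDMAP_KEY_RE.match(key)
        if m:
            out[m.group(1)][m.group(2).lower()] = value
    return out


def check_idmap(global_section):
    """Return a list of problems: missing '*' config, missing backend, bad or overlapping ranges."""
    problems, ranges = [], []
    domains = idmap_domains(global_section)
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' lines")
    for dom, cfg in domains.items():
        if "backend" not in cfg:
            problems.append(f"idmap config {dom}: no backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if not m:
            problems.append(f"idmap config {dom}: missing or malformed range")
            continue
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            problems.append(f"idmap config {dom}: range low {lo} exceeds high {hi}")
            continue
        ranges.append((dom, lo, hi))
    # Sort by low end; any neighbour whose low end is inside the previous range overlaps it.
    ranges.sort(key=lambda r: r[1])
    for (d1, _, hi1), (d2, lo2, _) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems


def classify_principal(entry):
    """'sid' for S-1-... syntax, 'group' for the @/+/& group prefixes, otherwise 'user'."""
    e = entry.strip()
    if SID_RE.match(e):
        return "sid"
    if e[:1] in ("@", "+", "&"):
        return "group"
    return "user"


def principals(share_section, option):
    """Split a comma-separated 'valid users' or 'write list' value and classify each entry."""
    value = share_section.get(option, "")
    return [(p.strip(), classify_principal(p)) for p in value.split(",") if p.strip()]


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    print("sample idmap problems:", check_idmap(conf["global"]))
    print("thread idmap problems:", check_idmap(parse_smb_conf(THREAD_GLOBAL)["global"]))
    for entry, kind in principals(conf["TestShare"], "valid users"):
        print(f"{entry}: {kind}")
```

Run against the thread's single idmap line the checker reports a missing backend for "*" and nothing about the domain, which is exactly the gap Rowland points at; the classifier only says whether an entry is written as a SID or as a name, it does not resolve names the way winbind does.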
Gaeseric Vandal
2018-Jan-13 15:26 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Do the "getent passwd" and "getent group" commands show the domain users?

I would - at least for testing - skip the "valid users" and "write list" options. I believe that file system level security is sufficient.

I think the "wins support" line means this machine is a WINS server. (The "wins server" option would tell the machine which WINS server to use, not to be a WINS server, so that can be a little confusing.) My general experience with WINS servers is that it is simpler to have a domain controller/directory server be the WINS server.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rob Marshall via samba
Sent: Friday, January 12, 2018 6:35 PM
To: Luke Barone <lukebarone at gmail.com>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name

Hi,

Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:
[...]
Rob Marshall
2018-Jan-14 00:12 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Hi,

When I initially tested "getent passwd testuser01" I got nothing back. I then did "getent passwd "wg\testuser01"" and got the entry. A "troubleshooting" wiki I was reading suggested adding "winbind use default domain = yes" to fix that. I added that and was then able to look up the user without needing the "wg\".

In looking at the sources for libcli/security/dom_sid.c, which is where the "invalid format" messages are displayed, I'm a bit confused. That function seems to be assuming it's received an actual SID and not the group designation. Does anyone know why it would be checking the @WG\dl_fred1_testshare_r?

Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED when using the NETBIOS name to try and access the share. When using the IP address it doesn't seem to be checking much of anything, but allows access (at least read access) to the share. For example, when using the NETBIOS name I see it checking the kerberos ticket, which is NOT happening when using the IP address. Again, does the assumption make any sense that when using the IP address the user is being granted some sort of "guest" access but when using the NETBIOS (or FQDN) name the authentication is actually being checked and failing for some reason?

Thanks,

Rob

On Sat, Jan 13, 2018 at 10:26 AM, Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
> Do the "getent passwd" and "getent group" commands show the domain users?
> [...]