Marco Gaiarin
2018-Sep-24 09:44 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
I've just upgraded my DM from samba 4.5 to 4.8, using Louis' repos (also, debian jessie -> stretch).

I'm experiencing some troubles on some shares, seems that both guest access and 'machine account' access do not work.

The share is rather simple:

    [wpkg]
        browseable = No
        comment = WPKG Automated Software Deploying System
        force create mode = 0664
        force directory mode = 02775
        guest ok = Yes
        path = /srv/samba/wpkg
        wide links = Yes

I've got two troubles.

a) seems there's no more a guest access on the share. E.g., if I use the local administrator user to access the share, I got 'access denied'. Logs say:

[2018/09/24 11:31:02.650786, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [unci-unci]\[Administrator]@[UNCI-UNCI] with the new password interface
[2018/09/24 11:31:02.650799, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [unci-unci]\[root]@[UNCI-UNCI]
[2018/09/24 11:31:02.650811, 5] ../lib/util/util.c:514(dump_data)
  [0000] 4B 1E 50 9E 92 74 FA 9C K.P..t..
[2018/09/24 11:31:02.650833, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/24 11:31:02.650846, 4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/24 11:31:02.650859, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/24 11:31:02.650871, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/24 11:31:02.650882, 5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/24 11:31:02.652805, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/24 11:31:02.652840, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/24 11:31:02.652887, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [Administrator] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/24 11:31:02.652917, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]
[2018/09/24 11:31:02.653242, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-24T11:31:02.653150+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.145:63155", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "unci-unci", "clientAccount": "Administrator", "workstation": "UNCI-UNCI", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "root", "mappedDomain": "unci-unci", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/24 11:31:02.653281, 5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for unci-unci\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/24 11:31:02.653299, 5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for unci-unci\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/24 11:31:02.653324, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/24 11:31:02.653375, 5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f5555760]: NT_STATUS_WRONG_PASSWORD
[2018/09/24 11:31:02.653409, 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2018/09/24 11:31:02.653427, 5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5554d20]: NT_STATUS_WRONG_PASSWORD
[2018/09/24 11:31:02.653444, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/09/24 11:31:02.653459, 4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/09/24 11:31:02.653472, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/24 11:31:02.653485, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)

Clearly, I have 'map to guest = Bad User' in [globals].

b) most of the WPKG scripts access the share with the SYSTEM user, e.g., using the machine account; seems this does not work anymore, even if users seem mapped correctly and share permissions have permission to 'everyone' set.

Relevant log here seems:

[2018/09/24 11:20:29.023447, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.5.2.145 (10.5.2.145)
[2018/09/24 11:20:29.023511, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is '/srv/samba/wpkg' for service [wpkg]
[2018/09/24 11:20:29.023558, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/09/24 11:20:29.023597, 5] ../source3/smbd/vfs.c:103(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2018/09/24 11:20:29.023619, 5] ../source3/smbd/vfs.c:103(smb_register_vfs)
  Successfully added vfs backend 'posixacl'
[2018/09/24 11:20:29.023637, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2018/09/24 11:20:29.023676, 5] ../source3/lib/messages.c:678(messaging_register)
  Registering messaging pointer for type 784 - private_data=0x5594f5558ea0
[2018/09/24 11:20:29.023699, 5] ../source3/lib/messages.c:678(messaging_register)
  Registering messaging pointer for type 793 - private_data=0x5594f5551260
[2018/09/24 11:20:29.023713, 5] ../source3/lib/messages.c:678(messaging_register)
  Registering messaging pointer for type 799 - private_data=0x5594f5551260
[2018/09/24 11:20:29.023791, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (49976, 10515) - sec_ctx_stack_ndx = 0
[2018/09/24 11:20:29.023816, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[ 0]: S-1-5-21-160080369-3601385002-3131615632-1811
    SID[ 1]: S-1-5-21-160080369-3601385002-3131615632-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-22-1-49976
    SID[ 6]: S-1-22-2-10515
    SID[ 7]: S-1-22-2-5002
    SID[ 8]: S-1-22-2-5003
    SID[ 9]: S-1-22-2-5004
   Privileges (0x 0):
   Rights (0x 0):
[2018/09/24 11:20:29.023913, 5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 49976
  Primary group is 10515 and contains 4 supplementary groups
  Group[ 0]: 10515
  Group[ 1]: 5002
  Group[ 2]: 5003
  Group[ 3]: 5004
[2018/09/24 11:20:29.023990, 5] ../source3/smbd/uid.c:365(change_to_user_internal)
  Impersonated user: uid=(49976,49976), gid=(0,10515)
[2018/09/24 11:20:29.024019, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/24 11:20:29.024041, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/24 11:20:29.024054, 5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/24 11:20:29.024091, 5] ../source3/smbd/uid.c:427(smbd_change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/09/24 11:20:29.024143, 2] ../source3/smbd/service.c:841(make_connection_snum)
  10.5.2.145 (ipv4:10.5.2.145:49207) connect to service wpkg initially as user LNFFVG\unci-unci$ (uid=49976, gid=10515) (pid 18207)
[2018/09/24 11:20:29.024188, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2018/09/24 11:20:29.024212, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2018/09/24 11:20:29.024719, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (49976, 10515) - sec_ctx_stack_ndx = 0
[2018/09/24 11:20:29.024749, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[ 0]: S-1-5-21-160080369-3601385002-3131615632-1811
    SID[ 1]: S-1-5-21-160080369-3601385002-3131615632-515
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-22-1-49976
    SID[ 6]: S-1-22-2-10515
    SID[ 7]: S-1-22-2-5002
    SID[ 8]: S-1-22-2-5003
    SID[ 9]: S-1-22-2-5004
   Privileges (0x 0):
   Rights (0x 0):
[2018/09/24 11:20:29.024834, 5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 49976
  Primary group is 10515 and contains 4 supplementary groups
  Group[ 0]: 10515
  Group[ 1]: 5002
  Group[ 2]: 5003
  Group[ 3]: 5004
[2018/09/24 11:20:29.024903, 5] ../source3/smbd/uid.c:365(change_to_user_internal)
  Impersonated user: uid=(49976,49976), gid=(0,10515)
[2018/09/24 11:20:29.024937, 4] ../source3/smbd/vfs.c:888(vfs_ChDir)
  vfs_ChDir to /srv/samba/wpkg
[2018/09/24 11:20:29.024981, 4] ../source3/smbd/vfs.c:946(vfs_ChDir)
  vfs_ChDir got /srv/samba/wpkg
[2018/09/24 11:20:29.025010, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2018/09/24 11:20:29.025039, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_tcon_global.tdb
[2018/09/24 11:20:29.025072, 5] ../source3/smbd/filename.c:461(unix_convert)
  unix_convert called on file "wpkg-gp.bat"
[2018/09/24 11:20:29.025096, 5] ../source3/smbd/filename.c:662(unix_convert)
  unix_convert begin: name = wpkg-gp.bat, dirpath = , start = wpkg-gp.bat
[2018/09/24 11:20:29.025115, 5] ../source3/smbd/statcache.c:144(stat_cache_add)
  stat_cache_add: Added entry (5594f5510ed0:size b) WPKG-GP.BAT -> wpkg-gp.bat
[2018/09/24 11:20:29.025130, 5] ../source3/smbd/filename.c:685(unix_convert)
  conversion of base_name finished wpkg-gp.bat -> wpkg-gp.bat
[2018/09/24 11:20:29.025151, 5] ../source3/smbd/vfs.c:1458(check_reduced_name)
  check_reduced_name: wpkg-gp.bat reduced to /srv/samba/wpkg/wpkg-gp.bat
[2018/09/24 11:20:29.025187, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.025259, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.025302, 5] ../source3/smbd/files.c:128(file_new)
  allocated file structure fnum 200074477 (1 used)
[2018/09/24 11:20:29.025346, 5] ../source3/smbd/dosmode.c:206(unix_mode)
  unix_mode: unix_mode(wpkg-gp.bat) returning 0744
[2018/09/24 11:20:29.025367, 4] ../source3/smbd/open.c:3253(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0744, access_mask = 0x80, open_access_mask = 0x80
[2018/09/24 11:20:29.025454, 2] ../source3/smbd/open.c:1404(open_file)
  LNFFVG\unci-unci$ opened file wpkg-gp.bat read=No write=No (numopen=1)
[2018/09/24 11:20:29.025485, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.025623, 5] ../source3/smbd/oplock.c:89(set_file_oplock)
  set_file_oplock: granted oplock on file wpkg-gp.bat, 812:f596:0/2945936448, tv_sec = 5ba8ac5d, tv_usec = 625e
[2018/09/24 11:20:29.025672, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.025732, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode_from_sbuf returning (0x20): "a"
[2018/09/24 11:20:29.025756, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2018/09/24 11:20:29.026159, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.026194, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.026225, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.026256, 2] ../source3/smbd/close.c:805(close_normal_file)
  LNFFVG\unci-unci$ closed file wpkg-gp.bat (numopen=0) NT_STATUS_OK
[2018/09/24 11:20:29.026303, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.026329, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.026362, 5] ../source3/smbd/files.c:563(file_free)
  freed files structure 200074477 (0 used)
[2018/09/24 11:20:29.027185, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.027233, 5] ../source3/smbd/filename.c:461(unix_convert)
  unix_convert called on file "wpkg-gp.bat"
[2018/09/24 11:20:29.027267, 5] ../source3/smbd/vfs.c:1458(check_reduced_name)
  check_reduced_name: wpkg-gp.bat reduced to /srv/samba/wpkg/wpkg-gp.bat
[2018/09/24 11:20:29.027339, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.027379, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.027402, 5] ../source3/smbd/files.c:128(file_new)
  allocated file structure fnum 79099422 (1 used)
[2018/09/24 11:20:29.027424, 5] ../source3/smbd/dosmode.c:206(unix_mode)
  unix_mode: unix_mode(wpkg-gp.bat) returning 0744
[2018/09/24 11:20:29.027450, 4] ../source3/smbd/open.c:3253(open_file_ntcreate)
  calling open_file with flags=0x0 flags2=0x0 mode=0744, access_mask = 0x1000a1, open_access_mask = 0x1000a1
[2018/09/24 11:20:29.027520, 5] ../source3/smbd/vfs.c:1458(check_reduced_name)
  check_reduced_name: wpkg-gp.bat reduced to /srv/samba/wpkg/wpkg-gp.bat
[2018/09/24 11:20:29.027553, 2] ../source3/smbd/open.c:1404(open_file)
  LNFFVG\unci-unci$ opened file wpkg-gp.bat read=Yes write=No (numopen=1)
[2018/09/24 11:20:29.027576, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.027639, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 2 for /var/run/samba/leases.tdb
[2018/09/24 11:20:29.027692, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 2 for /var/run/samba/leases.tdb
[2018/09/24 11:20:29.027719, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 2 for /var/run/samba/brlock.tdb
[2018/09/24 11:20:29.027743, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 2 for /var/run/samba/brlock.tdb
[2018/09/24 11:20:29.027775, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.027836, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode_from_sbuf returning (0x20): "a"
[2018/09/24 11:20:29.027861, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x20): "a"
[2018/09/24 11:20:29.028472, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.028606, 3] ../source3/smbd/smb2_read.c:421(smb2_read_complete)
  smbd_smb2_read: fnum 79099422, file wpkg-gp.bat, length=941 offset=0 read=941
[2018/09/24 11:20:29.038353, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.038404, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_getinfo.c:159
[2018/09/24 11:20:29.039628, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.039680, 5] ../source3/smbd/filename.c:461(unix_convert)
  unix_convert called on file ""
[2018/09/24 11:20:29.039700, 5] ../source3/smbd/filename.c:495(unix_convert)
  conversion finished "" -> .
[2018/09/24 11:20:29.039723, 5] ../source3/smbd/vfs.c:1458(check_reduced_name)
  check_reduced_name: . reduced to /srv/samba/wpkg
[2018/09/24 11:20:29.039756, 5] ../source3/smbd/open.c:3945(open_directory)
  open_directory: opening directory ., access_mask = 0x100081, share_access = 0x3 create_options = 0x1, create_disposition = 0x1, file_attributes = 0x10
[2018/09/24 11:20:29.039818, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.039869, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
[2018/09/24 11:20:29.039893, 5] ../source3/smbd/files.c:128(file_new)
  allocated file structure fnum 412447570 (2 used)
[2018/09/24 11:20:29.039927, 5] ../source3/smbd/vfs.c:1458(check_reduced_name)
  check_reduced_name: . reduced to /srv/samba/wpkg
[2018/09/24 11:20:29.039982, 5] ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
  dbwrap_lock_order_lock: check lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.040047, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock)
  dbwrap_lock_order_unlock: release lock order 1 for /var/run/samba/locking.tdb
[2018/09/24 11:20:29.040124, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode_from_sbuf returning (0x10): "d"
[2018/09/24 11:20:29.040150, 5] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
  dos_mode_debug_print: dos_mode returning (0x10): "d"
[2018/09/24 11:20:29.040677, 4] ../source3/smbd/uid.c:386(change_to_user)
  Skipping user change - already user
[2018/09/24 11:20:29.040711, 5] ../source3/smbd/dir.c:475(dptr_create)
  dptr_create dir=.
[2018/09/24 11:20:29.040737, 3] ../source3/smbd/dir.c:657(dptr_create)
  creating new dirptr 0 for path ., expect_close = 0

So, while both errors seem to come from a 'guest access' trouble, they are very different indeed.

I've tried to read the samba changelog to seek some clue, but with no luck (or with no sufficient knowledge).

Please, help me. Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)
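Per the smb.conf documentation, `map to guest = Bad User` turns a failed logon into a guest session only when the user name does not exist; a known name with a wrong password is rejected. The following is an added example, not part of the original post or of Samba: it pulls the `JSON Authentication:` records out of an smbd log like the one above and reports, for each failed logon, whether a given `map to guest` mode would fall back to guest. The function names are hypothetical, and the second sample record is constructed.

```python
import json

MARKER = "JSON Authentication:"

# Documented smb.conf "map to guest" modes -> failure statuses that smbd
# converts into a guest session instead of rejecting the logon.
GUEST_FALLBACK = {
    "never": frozenset(),
    "bad user": frozenset({"NT_STATUS_NO_SUCH_USER"}),
    "bad password": frozenset({"NT_STATUS_NO_SUCH_USER",
                               "NT_STATUS_WRONG_PASSWORD"}),
}

# First record: copied from the log in the post above.
# Second record: constructed for this example (unknown user name "kiosk").
SAMPLE_LOG = r"""
[2018/09/24 11:31:02.653242, 2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-24T11:31:02.653150+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.145:63155", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "unci-unci", "clientAccount": "Administrator", "workstation": "UNCI-UNCI", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "root", "mappedDomain": "unci-unci", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/24 11:31:02.653281, 5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for unci-unci\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[constructed] JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_SUCH_USER", "clientDomain": "unci-unci", "clientAccount": "kiosk", "mappedAccount": "kiosk", "passwordType": "NTLMv2"}}
"""


def iter_auth_records(log_text):
    """Yield the inner "Authentication" dict of every JSON auth record.

    Works on line-wrapped or run-together log text because the JSON object
    is decoded from the marker position instead of being split on newlines.
    """
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        pos = log_text.find(MARKER, pos)
        if pos == -1:
            return
        pos += len(MARKER)
        while pos < len(log_text) and log_text[pos].isspace():
            pos += 1
        try:
            obj, pos = decoder.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            continue  # truncated record: skip it and keep scanning
        if isinstance(obj, dict) and obj.get("type") == "Authentication":
            yield obj.get("Authentication", {})


def classify(record, map_to_guest="Bad User"):
    """Summarise one record and model the outcome under a map-to-guest mode."""
    status = record.get("status")
    client = record.get("clientAccount")
    mapped = record.get("mappedAccount")
    if status == "NT_STATUS_OK":
        outcome = "authenticated"
    elif status in GUEST_FALLBACK[map_to_guest.strip().lower()]:
        outcome = "guest"
    else:
        outcome = "rejected"
    return {
        "client": f'{record.get("clientDomain")}\\{client}',
        "mapped": mapped,
        # True when a username map rewrote the account before the check.
        "remapped": mapped is not None and mapped != client,
        "status": status,
        "outcome": outcome,
    }


def report(log_text, map_to_guest="Bad User"):
    return [classify(r, map_to_guest) for r in iter_auth_records(log_text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```
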
L.P.H. van Belle
2018-Sep-24 10:17 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hai Marco,

Few pointers.

First, time is in sync? I guess it is, but check it.

Second. Guest access enabled on a domain joined PC? If you really really want that, then enable user guest in the AD also. But better is avoiding Guest access completely.

Join the domain, don't allow guest access and configure it correctly, best tip I can give, for the software deploying share.

    [wpkg]
        path = /srv/samba/wpkg
        browseable = No
        comment = WPKG Automated Software Deploying System
        acl_xattr:ignore system acls = yes
        acl_xattr:default acl style = windows
        wide links = Yes

Now set up the share from a windows client.

On the Share tab: activate sharing.
- Allow read access to that share for the special group "Domain Computers", or to everyone, and write access for yourself.
- On the Security tab: grant read access to the special group "Domain Computers", or to everyone, and write access for yourself.

And try again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 24 September 2018 11:44
> To: samba at lists.samba.org
> Subject: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
>
> I've just upgraded my DM from samba 4.5 to 4.8, using luois repos
> (also, debian jessie -> stretch).
>
> I'm experimenting some troubles on some shares, seems that both guest
> access and 'machine account' access does not work.
>
> The share is rather simple:
>
> [wpkg]
>     browseable = No
>     comment = WPKG Automated Software Deploying System
>     force create mode = 0664
>     force directory mode = 02775
>     guest ok = Yes
>     path = /srv/samba/wpkg
>     wide links = Yes
>
> I've got two troubles.
>
> a) seems there's no more a guest access on the share. EG, if i use the
> loca administrator user to access the share, i got 'access denied'.
../lib/dbwrap/dbwrap.c:159(dbwrap_lock_order_unlock) > dbwrap_lock_order_unlock: release lock order 1 for > /var/run/samba/locking.tdb > [2018/09/24 11:20:29.027836, 5] > ../source3/smbd/dosmode.c:70(dos_mode_debug_print) > dos_mode_debug_print: dos_mode_from_sbuf returning (0x20): "a" > [2018/09/24 11:20:29.027861, 5] > ../source3/smbd/dosmode.c:70(dos_mode_debug_print) > dos_mode_debug_print: dos_mode returning (0x20): "a" > [2018/09/24 11:20:29.028472, 4] > ../source3/smbd/uid.c:386(change_to_user) > Skipping user change - already user > [2018/09/24 11:20:29.028606, 3] > ../source3/smbd/smb2_read.c:421(smb2_read_complete) > smbd_smb2_read: fnum 79099422, file wpkg-gp.bat, length=941 > offset=0 read=941 > [2018/09/24 11:20:29.038353, 4] > ../source3/smbd/uid.c:386(change_to_user) > Skipping user change - already user > [2018/09/24 11:20:29.038404, 3] > ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex) > smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: > idx[1] status[NT_STATUS_ACCESS_DENIED] || at > ../source3/smbd/smb2_getinfo.c:159 > [2018/09/24 11:20:29.039628, 4] > ../source3/smbd/uid.c:386(change_to_user) > Skipping user change - already user > [2018/09/24 11:20:29.039680, 5] > ../source3/smbd/filename.c:461(unix_convert) > unix_convert called on file "" > [2018/09/24 11:20:29.039700, 5] > ../source3/smbd/filename.c:495(unix_convert) > conversion finished "" -> . > [2018/09/24 11:20:29.039723, 5] > ../source3/smbd/vfs.c:1458(check_reduced_name) > check_reduced_name: . 
> So, while both errors seem to come from a 'guest access' trouble, they
> are very different indeed.
>
> I've tried to read samba changelog to seek some clue, but with no luck
> (or with no sufficient knowledge).
>
>
> Please, help me. Thanks.
>
> --
> dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2018-Sep-24 10:21 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Mon, 24 Sep 2018 11:44:09 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

>
> I've just upgraded my DM from samba 4.5 to 4.8, using Louis' repos
> (also, debian jessie -> stretch).
>
> I'm experimenting some troubles on some shares, seems that both guest
> access and 'machine account' access does not work.
>
> The share is rather simple:
>
> [wpkg]
>     browseable = No
>     comment = WPKG Automated Software Deploying System
>     force create mode = 0664
>     force directory mode = 02775
>     guest ok = Yes
>     path = /srv/samba/wpkg
>     wide links = Yes
>
>
> I've got two troubles.
>
>
> a) seems there's no more a guest access on the share. EG, if i use the
> local administrator user to access the share, i got 'access denied'.
> Logs say:
>
> clearly, i've on [globals] 'map to guest = Bad User'.

That is how it is supposed to work, if a known user tries to use a
wrong password, the user is rejected. If the user is unknown, it is
mapped to the guest user (usually 'nobody') and allowed access to
shares where 'guest ok = yes' is set.

>
>
> b) most of the WPKG scripts access the share with the SYSTEM users,
> eg, using the machine account; seems this does not work anymore, even
> if users seems mapped correctly and share permissions have permission
> to 'everyone' set.
>

Not sure about this, perhaps it is the same reason as above, but we
need more info, what is in the [global] section of the smb.conf?

Rowland
Marco Gaiarin
2018-Sep-24 12:38 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! L.P.H. van Belle via samba
  On that day it was said...

> First, time is in sync? I guess it is, but check it.

Yes.

> Second.
> Guest access enabled on a domain joined PC ?
> If you really really want that, then enable user guest in the AD also.

Eh? I need to enable guest access for every PC?
In AD (i'm supposing that) i've correctly enabled guest access. See
next response to Rowland.

> But better is avoiding Guest access completely.

Sure. But that share contains a bunch of scripts and xml files that i
manage by linux, and really windows has only to read them, so... guest
access fits perfectly!
Marco Gaiarin
2018-Sep-24 12:48 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! Rowland Penny via samba
  On that day it was said...

> > clearly, i've on [globals] 'map to guest = Bad User'.
> That is how it is supposed to work, if a known user tries to use a
> wrong password, the user is rejected. If the user is unknown, it is
> mapped to the guest user (usually 'nobody') and allowed access to
> shares where 'guest ok = yes' is set.

Exactly. I restate, roughly the same config file on samba 4.5 correctly
permits guest access from local Administrator user...

> Not sure about this, perhaps it is the same reason as above, but we
> need more info, what is in the [global] section of the smb.conf ?

Domain member:

# Global parameters
[global]
    load printers = Yes
    log file = /var/log/samba/log.%M
    log level = 0
    map to guest = Bad User
    max log size = 5000
    netbios aliases = CUPSSV FILESV HOMESV
    panic action = /usr/share/samba/panic-action %d
    printcap name = cups
    realm = AD.FVG.LNF.IT
    security = ADS
    username map = /etc/samba/user.map
    winbind offline logon = Yes
    winbind use default domain = Yes
    workgroup = LNFFVG
    spoolss: architecture = Windows x64
    rpc_daemon:spoolssd = fork
    rpc_server:spoolss = external
    idmap config lnffvg : unix_nss_info = yes
    idmap config lnffvg : schema_mode = rfc2307
    idmap config lnffvg : range = 10000-49999
    idmap config lnffvg : backend = ad
    idmap config * : range = 5000-9999
    idmap config * : backend = tdb
    printing = cups

root at vdmsv1:/etc/samba# cat /etc/samba/user.map
!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

domain controller (still samba 4.5):

[global]
    netbios name = VDCSV1
    realm = AD.FVG.LNF.IT
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = LNFFVG
    log level = 0
    server role = active directory domain controller
    template homedir = /home/%U
    template shell = /bin/bash
    idmap_ldb:use rfc2307 = yes

Thanks.
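The rule Rowland describes, combined with the username map posted above, as an added example (not code from the thread or from Samba). It is a simplified model: the account list `KNOWN` and the function names are assumptions, and only the `!`, quoting and `*` features of the username map format are handled.

```python
import re

# The username map posted in the thread (/etc/samba/user.map).
USER_MAP = r"""
!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator
"""

def parse_username_map(text):
    """Return [(stop, unix_name, [client names, lower-cased])]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")   # '!': stop processing once this line matches
        unix_name, _, clients = line.lstrip("!").partition("=")
        # Client names are whitespace separated; names with spaces are quoted.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', clients)]
        rules.append((stop, unix_name.strip(), [n.lower() for n in names]))
    return rules

def map_username(rules, client_name):
    """Apply the map: a later matching line overrides unless '!' stopped earlier."""
    mapped = client_name
    for stop, unix_name, names in rules:
        if client_name.lower() in names or "*" in names:
            mapped = unix_name
            if stop:
                break
    return mapped

RULES = parse_username_map(USER_MAP)
KNOWN = {"root"}   # constructed: accounts the server can authenticate

def session_for(client_name, password_ok, known, rules=RULES,
                map_to_guest="Bad User"):
    """Model of 'map to guest': returns (account, outcome)."""
    user = map_username(rules, client_name)
    if user in known:
        # Known account: a wrong password is rejected, never mapped to guest.
        outcome = "accepted" if password_ok else "rejected: wrong password"
        return (user, outcome)
    if map_to_guest == "Bad User":
        # Unknown account: becomes the guest user, usable where 'guest ok = yes'.
        return ("nobody", "guest")
    return (user, "rejected: unknown user")

if __name__ == "__main__":
    # The local workstation Administrator with a password the server cannot verify.
    print(session_for("Administrator", False, KNOWN))
    print(session_for("stranger", False, KNOWN))
```

With this map the local `Administrator` is looked up as `root`, a known account, so the model rejects it instead of falling back to guest, which is the outcome the log in the original post records (`[Administrator] -> [root] FAILED with error NT_STATUS_WRONG_PASSWORD`).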
L.P.H. van Belle
2018-Sep-24 14:34 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hi Marco,

It has nothing to do with samba and it has all to do with samba and
windows combined.

> Sure. But that share contain a bunch of script and xml files that i
> manage by linux, and really windows have only to read them,
> so... Guest access fit perfectly!

Imo a bad idea, but hee.. It's your network.. Only trying to help here.

And:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc755130(v=ws.11)
Is telling:
The Guest account is disabled by default, and we recommend that it stay disabled.

>
> b) most of the WPKG scripts access the share with the SYSTEM users,
> eg, using the machine account; seems this does not work anymore, even
> if users seems mapped correctly and share permissione have permission
> to 'everyone' set.

Yes, correct, because SYSTEM is not guest or nobody. It's SYSTEM.
This is your problem, one you created yourself. (sorry)

This has all to do with the windows security updates of the last 1.5 years.
Samba 4.5 is not the same as 4.8, and security has been up a lot.
This is why i follow the windows way and transform these settings into
samba. ( as close as possible )
Which results in hardly having any problems.

I suggest try the settings like this then.

[wpkg]
    path = /srv/samba/wpkg
    browseable = No
    comment = WPKG Automated Software Deploying System
    acl_xattr:ignore system acls = yes
    wide links = Yes

You see i removed 1 line the : acl_xattr:default acl style
Now with posix you should be able to manage this from linux and use it
on windows. ( without guest )

And you really only need.
But you do need the correct settings configured from windows computer
for the share and security rights.

Sorry, i don't have another setting (that i can recommend), i try to
follow the MS recommendations, just because it helps in avoiding
problems. And i know this works.

I deploy with GPO, using the same settings. ( except the wide links. )
I don't see why that should not work with WPKG.

This is what i use for the software i deploy with GPO.

[deploy]
    path = /home/samba/deploy
    read only = no

drwxrwx---+ 12 root root 4096 Aug 31 2017 deploy

A getfacl show.

# file: home/samba/deploy
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:group:2004:r-x
default:group:2005:rwx
default:group:domain\040users:r-x
default:group:domain\040admins:rwx
default:group:domain\040computers:r-x
default:mask::rwx
default:other::---

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Monday 24 September 2018 14:39
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and
> machine account access troubles.
>
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> > First, time is in sync? I guess it is, but check it.
>
> Yes.
>
>
> > Second.
> > Guest access enabled on a domain joint PC ?
> > If you really really want that, then enable user guest in
> the AD also.
>
> Eh? I need to enable guest access for every PC?
> In AD (i'm supposing that) i've correctly enabled guest access. See
> next response to Rowland.
>
>
> > But better is avoiding Guest access completely.
>
> Sure. But that share contain a bunch of script and xml files that i
> manage by linux, and really windows have only to read them,
> so... Guest access fit perfectly!
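A way to check what the access entries of Louis's getfacl listing grant to a machine account, as an added example that is not part of the original post. It applies the standard POSIX ACL evaluation order; the function names are hypothetical, the group memberships passed in are assumptions, and the uid 0 bypass is not modelled.

```python
import re

# Access entries from the getfacl output above (default: entries omitted,
# they only affect newly created files).
GETFACL = r"""
# file: home/samba/deploy
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:2004:r-x
group:2005:rwx
group:domain\040users:r-x
group:domain\040admins:rwx
group:domain\040computers:r-x
mask::rwx
other::---
"""

def unescape(name):
    """getfacl writes a space inside a name as the octal escape \\040."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"# (owner|group): (.+)", line)
        if m:
            acl[m.group(1)] = unescape(m.group(2))
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            acl["entries"].append((tag, unescape(qualifier), set(perms[:3]) - {"-"}))
    return acl

def access(acl, user, groups, want):
    """True if `user`, a member of `groups`, is granted every permission in `want`."""
    want = set(want)

    def entries_for(tag, qualifier):
        return [p for t, q, p in acl["entries"] if t == tag and q == qualifier]

    mask = (entries_for("mask", "") or [set("rwx")])[0]
    if user == acl["owner"]:
        return want <= entries_for("user", "")[0]   # owner entry is not masked
    named = entries_for("user", user)
    if named:
        return want <= (named[0] & mask)
    matched = entries_for("group", "") if acl["group"] in groups else []
    for g in groups:
        matched += entries_for("group", g)
    if matched:
        # One matching group entry must grant everything; no fall-through to other.
        return any(want <= (p & mask) for p in matched)
    return want <= entries_for("other", "")[0]

if __name__ == "__main__":
    acl = parse_getfacl(GETFACL)
    # Assumption: the machine account resolves to a member of "domain computers".
    print(access(acl, "unci-unci$", {"domain computers"}, "rx"))
    print(access(acl, "nobody", {"nogroup"}, "r"))
```

A guest session running as `nobody` matches no user or group entry and lands on `other::---`, while a machine account in `domain computers` gets read and traverse access without any guest mapping.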