Rowland Penny
2018-Sep-24 15:54 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Mon, 24 Sep 2018 17:33:47 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba, you wrote...
>
> > I hope this helps you understanding your problem a bit more.
> > See also:
> > https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
>
> No, wait. I have probably mixed up too many things and made a lot of
> confusion. Restart.
>
> Say my domain is 'LNFFVG', and my Windows 7 box is 'DOMINIQUE'.
>
> Before upgrading my domain members to Samba 4.8 (from 4.5) I could
> access a 'guest' share using the DOMINIQUE\Administrator user without
> trouble. Probably (and correctly, from my point of view) the domain member
> does not find the 'DOMINIQUE\Administrator' user, and so maps it to guest.
> Bingo.

The above would be true except for this line you have in smb.conf:

winbind use default domain = Yes

> After upgrading to 4.8, I've found that I cannot 'guest access' the
> share anymore; it seems the domain member server maps
> 'DOMINIQUE\Administrator' to 'root' (as I'm expecting it will do, but
> for 'LNFFVG\Administrator', a very different user ;) and, clearly,
> the credentials do not match).
>
> NOTE that for other, non-guest-access shares, if I try to access them
> with 'DOMINIQUE\Administrator', Windows Explorer asks me for
> credentials, as expected.

So when either 'DOMINIQUE\Administrator' or 'LNFFVG\Administrator' connects, they both become 'Administrator', who then gets mapped to 'root'.

> I don't want to alter the default 'Administrator' and 'guest' users on
> my workstation, nor do something strange client side... I simply need
> to restore the old behaviour (or, better: understand why the mapping
> changed from 4.5 to 4.8...) to have 'DOMINIQUE\Administrator' be
> mapped to guest.

I don't understand why you are trying to use a local user on a domain joined machine.

Rowland
Marco Gaiarin
2018-Sep-25 08:15 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! Rowland Penny via samba, you wrote...

> > Before upgrading my domain members to Samba 4.8 (from 4.5) I could
> > access a 'guest' share using the DOMINIQUE\Administrator user without
> > trouble. Probably (and correctly, from my point of view) the domain member
> > does not find the 'DOMINIQUE\Administrator' user, and so maps it to guest.
> > Bingo.
> The above would be true except for this line you have in smb.conf:
> winbind use default domain = Yes

OK, but the manpage seems to tell me something different:

  winbind use default domain (G)
    This parameter specifies whether the winbindd(8) daemon should operate on
    users without domain component in their username. Users without a domain
    component are treated as is part of the winbindd server's own domain. While
    this does not benefit Windows users, it makes SSH, FTP and e-mail function
    in a way much closer to the way they would in a native unix system.

so it seems to me that it applies only to domainless auth, not domainful ones...

> So when either 'DOMINIQUE\Administrator' or 'LNFFVG\Administrator'
> connects, they both become 'Administrator', who then gets mapped to
> 'root'

But looking at the logs, it seems to me that I connect with a 'domainful' user:

[2018/09/25 09:54:26.944813,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 09:54:26.944826,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 09:54:26.944839,  5] ../lib/util/util.c:514(dump_data)
  [0000] D7 98 F6 F1 EC 11 A2 E9   ........
[2018/09/25 09:54:26.944862,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944877,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 09:54:26.944890,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 09:54:26.944907,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 09:54:26.944920,  5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 09:54:26.946828,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 09:54:26.946859,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946889,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.946920,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018 09:54:26.946911 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:51457] mapped to [dominique]\[Administrator]. local host [ipv4:10.5.1.26:445]
[2018/09/25 09:54:26.947266,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-25T09:54:26.947167+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:51457", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "dominique", "clientAccount": "Administrator", "workstation": "DOMINIQUE", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "Administrator", "mappedDomain": "dominique", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/25 09:54:26.947315,  5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 09:54:26.947353,  5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947379,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 09:54:26.947405,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f554d970]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947422,  3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947438,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5518ae0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 09:54:26.947454,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1

And, having removed the 'Administrator' (domainless) entry from the map, there's no more mapping to root. But I still get NT_STATUS_WRONG_PASSWORD, and not 'user unknown'...

> I don't understand why you are trying to use a local user on a domain
> joined machine.

Bootstrapping. After initial setup the system works with the machine account. But I need to bootstrap it...

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
      (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
L.P.H. van Belle
2018-Sep-25 08:53 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Tuesday 25 September 2018 10:16
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
>
> Hello! Rowland Penny via samba, you wrote...
>
> > > Before upgrading my domain members to Samba 4.8 (from 4.5) I could
> > > access a 'guest' share using the DOMINIQUE\Administrator user without
> > > trouble. Probably (and correctly, from my point of view) the domain member
> > > does not find the 'DOMINIQUE\Administrator' user, and so maps it to guest.
> > > Bingo.
> > The above would be true except for this line you have in smb.conf:
> > winbind use default domain = Yes

This is true AND false!!!

Linux <=> Linux      TRUE
Linux <=> Windows    FALSE
Windows <=> Windows  TRUE

Windows always sends user at DOMAIN (or DOM\user(@REALM)..)
Linux (Samba) makes a Linux system think it's DOM+user or DOM\\user or \\USER or user,
based on (if you use) winbind use default domain (G) and possibly other settings.

Now remove the:

map to guest =

setting from your smb.conf, because you will never get this right if you keep using that.
Check/test without the setting and post the logs so we can see the result of that.

My guess here is... and please correct me if I'm wrong. You used this as an example:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

[guest]
    # This share allows anonymous (guest) access
    # without authentication!
    path = /srv/samba/guest/
    read only = no
    guest ok = yes

But your server is a domain member.

Now with the setting:

map to guest = Bad User

Means user logins with an invalid password are rejected, unless the username does not exist.

How... Wait! Unless the username does not exist...
But the user DOES exist: Administrator, root, they exist.
If the user does not exist, THEN it maps to guest.

Bad Password - Means user logins with an invalid password are treated as a guest login and mapped into the guest account.
Is an option, but you get the risk of... everybody is mapped to guest...

Bad Uid, not discussing here.

Are you setting up a "Guest" share service OR GUEST SERVER access in total? Also 2 different things.
For example, you set up and have the following result:
\\server ( access denied )
\\server\guestshare ( access granted )

Again I hope this helps you, but please try to forget the "guest" account mapping.
If you set up as I've told you, you would be finished already..

And if you want the behaviour back as you had in 4.5, that is possible, but only by reverting back.
Windows and Samba have had so many security fixes, which resulted in your problem now with 4.8.
A setup which isn't compatible with current standards.

Greetz,

Louis
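Added example (not from the Samba project or any poster in this thread): a small Python script that pulls the JSON "Authentication" records (the `JSON Authentication: {...}` lines in the log excerpts posted above) out of a Samba log, flags records where the client named a domain other than the member's own domain, and applies the 'map to guest' semantics quoted from smb.conf(5) in the previous post to each record's NT status. `WORKGROUP = "LNFFVG"` is taken from the thread; the first sample record is the one posted in the thread, the second is invented here for contrast, and `guest_outcome` follows the man page wording rather than Samba's source, so it does not model 'Bad Uid' and says nothing about why the member mapped DOMINIQUE\Administrator onto a domain account.

```python
import json

# The domain member's own domain, taken from the poster's smb.conf (workgroup = LNFFVG).
WORKGROUP = "LNFFVG"

# Samba prefixes each JSON audit record with this literal inside the log message.
JSON_MARKER = "JSON Authentication: "

# Constructed sample. Record 1 is the JSON line posted in this thread (split only for
# width). Record 2 is invented here for contrast: a domain user that does not exist.
# Line 3 is one of the thread's ordinary log lines and must be ignored by the parser.
SAMPLE_LOG = [
    '[2018/09/25 09:54:26.947266, 2] ../auth/auth_log.c:220(log_json) JSON Authentication: '
    '{"timestamp": "2018-09-25T09:54:26.947167+0200", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", '
    '"localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:51457", '
    '"serviceDescription": "SMB2", "authDescription": null, "clientDomain": "dominique", '
    '"clientAccount": "Administrator", "workstation": "DOMINIQUE", "becameAccount": null, '
    '"becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "Administrator", '
    '"mappedDomain": "dominique", "netlogonComputer": null, "netlogonTrustAccount": null, '
    '"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, '
    '"netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}',
    # invented record, not from the thread:
    '[2018/09/25 10:00:00.000000, 2] ../auth/auth_log.c:220(log_json) JSON Authentication: '
    '{"timestamp": "2018-09-25T10:00:00.000000+0200", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", '
    '"localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:51460", '
    '"serviceDescription": "SMB2", "authDescription": null, "clientDomain": "LNFFVG", '
    '"clientAccount": "nosuchuser", "workstation": "DOMINIQUE", "mappedAccount": "nosuchuser", '
    '"mappedDomain": "LNFFVG", "passwordType": "NTLMv2"}}',
    '[2018/09/25 09:54:26.947315, 5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password) '
    'Checking NTLMSSP password for dominique\\Administrator failed: NT_STATUS_WRONG_PASSWORD',
]


def parse_auth_event(line):
    """Return the 'Authentication' record embedded in a JSON audit log line as a dict
    (null fields turned into ""), or None for any other line."""
    idx = line.find(JSON_MARKER)
    if idx < 0:
        return None
    try:
        rec = json.loads(line[idx + len(JSON_MARKER):])
    except json.JSONDecodeError:
        return None  # truncated or line-wrapped record: skip rather than guess
    if rec.get("type") != "Authentication":
        return None
    ev = {k: ("" if v is None else v) for k, v in rec["Authentication"].items()}
    ev["timestamp"] = rec.get("timestamp", "")
    return ev


def is_foreign_domain(ev, workgroup=WORKGROUP):
    """True when the client named a domain other than this member's own (the thread's
    case: the workstation's local SAM, DOMINIQUE). Compared case-insensitively, since
    Samba logs the domain in whatever case the client sent it."""
    return str(ev["clientDomain"]).upper() != workgroup.upper()


def guest_outcome(status, map_to_guest):
    """What a login with this NT status becomes under a 'map to guest' value, per the
    smb.conf(5) wording quoted in the thread (not Samba's source): 'Bad User' maps to
    guest only when the user does not exist, 'Bad Password' also on a wrong password,
    'Never' never. 'Bad Uid' is not modelled."""
    if status == "NT_STATUS_OK":
        return "authenticated"
    mode = map_to_guest.strip().lower()
    if mode == "bad user":
        return "guest" if status == "NT_STATUS_NO_SUCH_USER" else "rejected"
    if mode == "bad password":
        return "guest" if status in ("NT_STATUS_NO_SUCH_USER", "NT_STATUS_WRONG_PASSWORD") else "rejected"
    return "rejected"


def analyse(lines, map_to_guest="Bad User"):
    """For every JSON auth record in `lines`: client and mapped names, whether the
    client's domain is foreign to this member, and what 'map to guest' would do."""
    report = []
    for line in lines:
        ev = parse_auth_event(line)
        if ev is None:
            continue
        report.append({
            "when": ev["timestamp"],
            "client": f"{ev['clientDomain']}\\{ev['clientAccount']}",
            "mapped": f"{ev['mappedDomain']}\\{ev['mappedAccount']}",
            "status": ev["status"],
            "foreign_domain": is_foreign_domain(ev),
            "outcome": guest_outcome(ev["status"], map_to_guest),
        })
    return report


if __name__ == "__main__":
    for setting in ("Bad User", "Bad Password"):
        print(f"map to guest = {setting}")
        for r in analyse(SAMPLE_LOG, setting):
            note = "  <- client domain is not this member's domain" if r["foreign_domain"] else ""
            print(f"  {r['when']} {r['client']} -> {r['mapped']} {r['status']}: {r['outcome']}{note}")
```

Against the thread's own record the script reports 'rejected' under 'Bad User' and 'guest' only under 'Bad Password', which matches what the poster observes: the member answers NT_STATUS_WRONG_PASSWORD rather than NT_STATUS_NO_SUCH_USER, so 'Bad User' has nothing to map. To run it on a real server, feed it the lines of a log in which Samba already writes these JSON records, e.g. `analyse(open("/var/log/samba/log.smbd").read().splitlines(), "Bad User")` (path is an assumption).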
Marco Gaiarin
2018-Sep-25 16:05 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hello! L.P.H. van Belle via samba, you wrote...

> Now remove the:
> map to guest =
> setting from your smb.conf, because you will never get this right if you keep using that.
> Check/test without the setting and post the logs so we can see the result of that.

Seems the same thing.

[2018/09/25 17:48:23.191423,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [dominique]\[Administrator]@[DOMINIQUE] with the new password interface
[2018/09/25 17:48:23.191437,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [dominique]\[Administrator]@[DOMINIQUE]
[2018/09/25 17:48:23.191450,  5] ../lib/util/util.c:514(dump_data)
  [0000] B3 87 AB FB 08 65 57 E9   .....eW.
[2018/09/25 17:48:23.191479,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191505,  4] ../source3/smbd/uid.c:493(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2018/09/25 17:48:23.191519,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2018/09/25 17:48:23.191532,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/25 17:48:23.191545,  5] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/25 17:48:23.193391,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/25 17:48:23.193422,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193469,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193501,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [dominique]\[Administrator] at [mar, 25 set 2018 17:48:23.193491 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DOMINIQUE] remote host [ipv4:10.5.2.37:58918] mapped to [dominique]\[Administrator]. local host [ipv4:10.5.1.26:445]
[2018/09/25 17:48:23.193810,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-25T17:48:23.193744+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.37:58918", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "dominique", "clientAccount": "Administrator", "workstation": "DOMINIQUE", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "Administrator", "mappedDomain": "dominique", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2018/09/25 17:48:23.193851,  5] ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
[2018/09/25 17:48:23.193876,  5] ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for dominique\Administrator failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193902,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/25 17:48:23.193933,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: ntlmssp[0x5594f55535d0]: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.193956,  3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_PASSWORD
[2018/09/25 17:48:23.194043,  5] ../auth/gensec/gensec.c:492(gensec_update_done)
  gensec_update_done: spnego[0x5594f5552720]: NT_STATUS_WRONG_PASSWORD

> Are you setting up a "Guest" share service OR GUEST SERVER access in total? Also 2 different things.
> For example, you set up and have the following result:
> \\server ( access denied )
> \\server\guestshare ( access granted )

No, a guest share. If I do '\\server\' in Explorer, I input some domain credentials, and then rerunning \\server\myguestshare\myscript.bat clearly works, because I'm using the previously input domain credentials.

> And if you want the behaviour back as you had in 4.5, that is possible, but only by reverting back.
> Windows and Samba have had so many security fixes, which resulted in your problem now with 4.8.
> A setup which isn't compatible with current standards.

I need 'winbind use default domain = yes'. But I suppose it applies only to the ''current'' domain, e.g. if I have:

  security = ADS
  workgroup = LNFFVG
  winbind use default domain = yes

'LNFFVG\gaio' becomes 'gaio'. And the manpage fools me:

  Users without a domain component are treated as is part of the winbindd server's own domain.

for me 'own domain' is LNFFVG.

OK, I'm reading this sentence in reverse, but from the log it seems clear to me that the Windows client presents itself as DOMINIQUE\Administrator, so I don't understand why it gets 'mapped' to LNFFVG\Administrator...

Clearly I cannot revert to 4.5, nor backport some patches and maintain 'my' Samba version. I'm simply asking why the behaviour changed between 4.5 and 4.8...

-- 
dott. Marco Gaiarin
L.P.H. van Belle
2018-Sep-26 09:20 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hi Marco,

> > I'm simply asking why the behaviour changed between 4.5 and 4.8...

This somewhere started in 4.6. These changes were needed due to security leaks.
See: https://www.samba.org/samba/history/security.html 24 May 2017 and up.

If I could make it better for you I would, but it is as it is.

Greetz,

Louis