On 21/04/19 17:12, Rowland Penny wrote:
> On Sun, 21 Apr 2019 08:59:01 +0930
> Stephen Davies via samba <samba at lists.samba.org> wrote:
>
>> I have been a bit divorced from Samba for a while and am stumped by a
>> recently seen issue.
>>
>> My Samba server (V4.8.3) is Centos 7 and the remote clients are
>> windoze boxes at the other end of a VPN (OpenVPN). At some point in
>> "recent" history, access to shares on the Centos server started to
>> fail with password failures. The reason seems to be associated with
>> user mapping. (See log fragment below).
>>
>> I have added entries to smbusers trying to map the remote user to
>> local user simon without success.
>>
>> There is no windoze domain server involved.
>>
>> The clients can FTP to the server and retrieve emails via IMAP.
>>
>> What am I missing?
>>
>> [2019/04/18 16:10:52.327632, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>   check_ntlm_password: Checking password for unmapped user [SIMON-DELLPC]\[simon]@[SIMON-DELLPC] with the new password interface
>> [2019/04/18 16:10:52.327658, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>   check_ntlm_password: mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
>> [2019/04/18 16:10:52.327686, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
>
> By default NTLMv1 is now turned off, could this be your problem? Try
> (as a test) adding 'ntlm auth = yes' to your smb.conf and
> reload/restart Samba.
>
> If this doesn't work, can you please post your smb.conf and tell us
> what the Windows machines are.
> Rowland
>

There is no ntlm auth entry in smb.conf (included below) but I don't think the
NTLM setting is the cause as I can use smbclient to successfully login as user
simon and get the following log fragment:

[2019/04/23 14:33:59.978465, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
  Got user=[simon] domain=[BENPARTS] workstation=[SERVER] len1=24 len2=224
[2019/04/23 14:33:59.978554, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
  lp_load_ex: refreshing parameters
[2019/04/23 14:33:59.978656, 3] ../source3/param/loadparm.c:547(init_globals)
. . .
  adding IPC service
[2019/04/23 14:33:59.987819, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [BENPARTS]\[simon]@[SERVER]

No smbuser entry is required for this combination so it looks as if the remote
Windows workgroup/domain is not being handled.

The remote client involved is running W10 Professional 64-bit.

The full smb.conf is:

#======================= Global Settings =====================================
[global]
   workgroup = BENPARTS
   netbios name = server
# server string is the equivalent of the NT Description field
   server string = Samba Server %v
   printcap name = cups
   load printers = yes
   printing = cups
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 4
   guest account = benparts
# Allow users to map to guest:
   map to guest = baduser
# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user
   passdb backend = tdbsam
# Use password server option only with security = server or security = domain
   username level = 8
   encrypt passwords = yes
   preferred master = yes
   name resolve order = host lmhosts wins bcast
   wins support = yes
   preserve case = yes
   dos charset = 850
   unix charset = ISO8859-1
   domain master = yes
   domain logons = yes
   os level = 128
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# to allow user 'guest account' to print.
   guest ok = yes
   writable = no
   printable = yes
   create mode = 0700
# ====================================
# print command: see above for details.
# ====================================
   print command = lpr-cups -P %p -o raw %s -r

# using client side printer drivers.
[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   write list = @adm root
   guest ok = yes

[pdf-generator]
   path = /var/tmp
   guest ok = No
   printable = Yes
   comment = PDF Generator (only valid users)
   #print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP doc_name &
   print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I &

[pdf-screen]
   copy = pdf-generator
   comment = PDF Generator - Screen quality (only valid users)
   print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-printer]
   copy = pdf-generator
   comment = PDF Generator - Print quality (only valid users)
   print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-prepress]
   copy = pdf-generator
   comment = PDF Generator - PrePress quality (only valid users)
   print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

# This one is useful for people to share files
[tmp]
   comment = Temporary file space
   path = /tmp
   read only = no
   public = yes

[var]
   comment = General shared storage
   path = /var
   read only = no
   public = yes

Thank you,
Stephen
On Tue, 23 Apr 2019 15:01:24 +0930
Stephen Davies via samba <samba at lists.samba.org> wrote:

> There is no ntlm auth entry in smb.conf

Just because you do not have an 'ntlm auth' line in your visible
smb.conf, this does not mean you do not have one, it defaults to 'ntlm
auth = no' which turns off NTLMv1

> [global]
> workgroup = BENPARTS
> netbios name = server
> server string = Samba Server %v
> printcap name = cups
> load printers = yes
> printing = cups
> log file = /var/log/samba/log.%m
> max log size = 50
> log level = 4
> guest account = benparts

Do you actually have a user called 'benparts' (which incidentally is
the same as your workgroup) ?

> # Allow users to map to guest:
> map to guest = baduser

It is 'Bad User' not 'baduser'

> security = user
> username level = 8
> preferred master = yes
> name resolve order = host lmhosts wins bcast
> wins support = yes
> preserve case = yes
> dos charset = 850
> unix charset = ISO8859-1
> domain master = yes
> domain logons = yes

Ah, it is a PDC

You could try adding 'server max protocol = NT1'

Rowland
On 23/04/19 18:01, Rowland Penny wrote:
> On Tue, 23 Apr 2019 15:01:24 +0930
> Stephen Davies via samba <samba at lists.samba.org> wrote:
>
>> There is no ntlm auth entry in smb.conf
>
> Just because you do not have an 'ntlm auth' line in your visible
> smb.conf, this does not mean you do not have one, it defaults to 'ntlm
> auth = no' which turns off NTLMv1
>
>> [global]
>> workgroup = BENPARTS
>> netbios name = server
>> server string = Samba Server %v
>> printcap name = cups
>> load printers = yes
>> printing = cups
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> log level = 4
>> guest account = benparts
>
> Do you actually have a user called 'benparts' (which incidentally is
> the same as your workgroup) ?
>
>> # Allow users to map to guest:
>> map to guest = baduser
>
> It is 'Bad User' not 'baduser'
>
>> security = user
>> username level = 8
>> preferred master = yes
>> name resolve order = host lmhosts wins bcast
>> wins support = yes
>> preserve case = yes
>> dos charset = 850
>> unix charset = ISO8859-1
>> domain master = yes
>> domain logons = yes
>
> Ah, it is a PDC
>
> You could try adding 'server max protocol = NT1'
>
> Rowland
>

The baduser entry was a recent change where I got confused with my attempts to
reconfigure Sendmail to use baduser. Spotted "bad user" in smb.conf and
thought it was the same thing. Now fixed.

I have added ntlm auth and server max protocol entries as suggested but now get:

[2019/04/24 11:03:05.885593, 3] ../source3/smbd/negprot.c:419(reply_nt1)
  using SPNEGO
[2019/04/24 11:03:05.885624, 3] ../source3/smbd/negprot.c:761(reply_negprot)
  Selected protocol NT LM 0.12
[2019/04/24 11:03:06.087417, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:10.55.66.82:59271 read error = NT_STATUS_CONNECTION_RESET.

where 10.55.66.82 is the VPN-assigned IP of the windows client.
The firewall accepts all protocols from the VPN.

--
Hi, I'm wondering here... If the client is a Windows 10 PC connecting,

> ../source3/smbd/negprot.c:419(reply_nt1) using SPNEGO
> ../source3/smbd/negprot.c:761(reply_negprot) Selected protocol NT LM 0.12
> ../source3/smbd/process.c:554(receive_smb_talloc)
> receive_smb_raw_talloc failed for client
> ipv4:10.55.66.82:59271 read error = NT_STATUS_CONNECTION_RESET.

and I see this... then why use these settings if it's Win10?
Remove 'ntlm auth' and 'server max protocol = NT1' again.

@Rowland, you are misled.. ;-)

> > Ah, it is a PDC

Hm, no, it's a standalone; the member references are, in my opinion:

> >> security = user          << standalone?
> >> domain logons = yes      << member?

> >> guest account = benparts
> >> # Allow users to map to guest:
> >> map to guest = baduser

Guest definitions? I think the best thing here is to first choose the setup type,
either member or standalone, and change the settings to match it.
Member? Add the guest to the share, not to global.
Standalone? Guest in the global settings is fine.
But what he wants should be possible in both cases.
Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Stephen Davies via samba
> Sent: Wednesday 24 April 2019 5:03
> To: samba at lists.samba.org
> Subject: Re: [Samba] User mapping/login issue
>
> On 23/04/19 18:01, Rowland Penny wrote:
> > On Tue, 23 Apr 2019 15:01:24 +0930
> > Stephen Davies via samba <samba at lists.samba.org> wrote:
> >
> >> There is no ntlm auth entry in smb.conf
> >
> > Just because you do not have an 'ntlm auth' line in your visible
> > smb.conf, this does not mean you do not have one, it defaults to 'ntlm
> > auth = no' which turns off NTLMv1
> >
> >> [global]
> >> workgroup = BENPARTS
> >> netbios name = server
> >> server string = Samba Server %v
> >> printcap name = cups
> >> load printers = yes
> >> printing = cups
> >> log file = /var/log/samba/log.%m
> >> max log size = 50
> >> log level = 4
> >> guest account = benparts
> >
> > Do you actually have a user called 'benparts' (which incidentally is
> > the same as your workgroup) ?
> >
> >> # Allow users to map to guest:
> >> map to guest = baduser
> >
> > It is 'Bad User' not 'baduser'
> >
> >> security = user
> >> username level = 8
> >> preferred master = yes
> >> name resolve order = host lmhosts wins bcast
> >> wins support = yes
> >> preserve case = yes
> >> dos charset = 850
> >> unix charset = ISO8859-1
> >> domain master = yes
> >> domain logons = yes
> >
> > Ah, it is a PDC
> >
> > You could try adding 'server max protocol = NT1'
> >
> > Rowland
> >
>
> The baduser entry was a recent change where I got confused with my
> attempts to reconfigure Sendmail to use baduser. Spotted "bad user" in
> smb.conf and thought it was the same thing. Now fixed.
>
> I have added ntlm auth and server max protocol entries as suggested
> but now get:
>
> [2019/04/24 11:03:05.885593, 3] ../source3/smbd/negprot.c:419(reply_nt1)
>   using SPNEGO
> [2019/04/24 11:03:05.885624, 3] ../source3/smbd/negprot.c:761(reply_negprot)
>   Selected protocol NT LM 0.12
> [2019/04/24 11:03:06.087417, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client ipv4:10.55.66.82:59271 read error
>   = NT_STATUS_CONNECTION_RESET.
>
> where 10.55.66.82 is the VPN-assigned IP of the windows client.
> The firewall accepts all protocols from the VPN.
>
> --
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
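A small audit of the [global] settings argued over in this thread (the misspelt 'map to guest' value, the PDC-style 'domain logons' on a 'security = user' server, and the two NTLMv1/SMB1 test settings), written as an added example that is not code from the Samba project or from any of the participants. It assumes, as Samba's testparm does, that parameter names match ignoring case and whitespace, and that enum values such as 'Bad User' match case-insensitively; the sample config is constructed from the thread, not a full smb.conf.

```python
import re

# Constructed sample (not the full smb.conf from the thread): the [global]
# settings Stephen posted, plus the two test settings Rowland suggested.
SAMPLE_SMB_CONF = """
[global]
   security = user
   map to guest = baduser
   domain logons = yes
   ntlm auth = yes
   server max protocol = NT1
"""

# Documented values of 'map to guest'; matched case-insensitively here
# (assumption about Samba's enum matching), so 'baduser' is not among them.
VALID_MAP_TO_GUEST = {"never", "bad user", "bad password", "bad uid"}
TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised name: value}}.
    Parameter names are normalised the way Samba does: case and whitespace dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections

def audit(text):
    """Return one finding per invalid or risky [global] setting."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    mtg = g.get("maptoguest")
    if mtg is not None and mtg.lower() not in VALID_MAP_TO_GUEST:
        findings.append(f"map to guest = {mtg!r} is not a valid value; use 'Bad User'")
    if g.get("domainlogons", "").lower() in TRUE_VALUES and g.get("security", "").lower() == "user":
        findings.append("domain logons = yes on a security = user server: PDC or standalone?")
    if g.get("ntlmauth", "").lower() in TRUE_VALUES:
        findings.append("ntlm auth = yes re-enables NTLMv1 for every client")
    if g.get("servermaxprotocol", "").upper() == "NT1":
        findings.append("server max protocol = NT1 caps the server at SMB1")
    return findings
```

Run `audit(open("/etc/samba/smb.conf").read())` against a real file to get the same four classes of finding; an empty list means none of the settings discussed here are present.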