On 24/04/19 19:51, L.P.H. van Belle wrote:
> Hi,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Wednesday 24 April 2019 12:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] User mapping/login issue
>>
>> On Wed, 24 Apr 2019 11:38:58 +0200
>> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>>
>>> Hi,
>>>
>>>
>>> I'm wondering here.. If the client is a Windows 10 PC connecting,
>>>
>>>> ../source3/smbd/negprot.c:419(reply_nt1) using SPNEGO
>>>> ../source3/smbd/negprot.c:761(reply_negprot) Selected protocol NT LM 0.12
>>>> ../source3/smbd/process.c:554(receive_smb_talloc) receive_smb_raw_talloc failed for client ipv4:10.55.66.82:59271 read error = NT_STATUS_CONNECTION_RESET.
>>> And I see this..
>>>
>>> Then why use these settings if it's Win10?
>>
>> I sort of wondered about that, but only way to be sure was to add it
>> to the smb.conf for testing purposes. If it worked, then go one way,
>> if it didn't then go another way ;-)
>>
>>> @Rowland you are misled.. ;-)
>>>
>>>>> Ah, it is a PDC
>>> Hm, no it's a stand alone, the member references in my option.
>>>
>>>>>> security = user << stand alone ?
>>>>>> domain logons = yes << member ?
>>
>> Nope, it is a PDC, from 'man smb.conf':
>>
>> domain master (G)
>>
>> ............
>>
>> When domain logons = Yes the default setting for this
>> parameter is Yes, with the result that Samba will be a PDC.
>>
>> The OP has:
>>
>> domain master = yes
>> domain logons = yes
>
> Oops, you're totally right. I missed that.
>

It would appear that there may be more than one issue with my smb.conf.
The scenario is a CentOS 7 Linux server with a bunch of LAN connected
Windows 10 clients and several remote Windows 10 clients which connect
via VPN.
The server firewall accepts everything from the VPN.
The server and local clients are all in workgroup BENPARTS while the
remote clients are either stand-alone or in different workgroups/domains.
Local SMB access works as expected but remote access does not due to
password failures (as described in earlier log excerpts).
What should the domain-related entries in smb.conf be to support this
scenario?

Cheers and thanks,
Stephen

Ps. SMB1 in Win10! I mean of course..

Step 1: Go to Start button and type Control Panel. You will get Control Panel; Desktop app. Click on it.
Step 2: You will get a window with a list of software on it, go to the left side of the panel and click Turn Windows Features On or Off.
Step 3: You need to remove the checkmark beside SMB 1.0/CIFS File Sharing Support to disable SMB1 for good. If you want to enable it, put a checkmark beside the same.

And after seeing this,
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/fac3655a-7eb5-4337-b0ab-244bbcd014e8
@Rowland, can you do a read in this one.

Your English is better than mine, but I do think this is related.

Could bug#13698 (marked fixed today) also have influence here.

And might be related:
https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
Can't think of much more.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Thursday 25 April 2019 10:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] User mapping/login issue
>
> Hi,
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Stephen Davies via samba
> > Sent: Thursday 25 April 2019 8:34
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] User mapping/login issue
> >
> > It would appear that there may be more than one issue with my smb.conf.
> > The scenario is a CentOS 7 Linux server with a bunch of LAN connected
> > Windows 10 clients and several remote Windows 10 clients which connect
> > via VPN.
> > The server firewall accepts everything from the VPN.
> > The server and local clients are all in workgroup BENPARTS while the
> > remote clients are either stand-alone or in different workgroups/domains.
> > Local SMB access works as expected but remote access does not due to
> > password failures (as described in earlier log excerpts).
> > What should the domain-related entries in smb.conf be to support this
> > scenario?
> >
> > Cheers and thanks,
> > Stephen
> >
>
> I can only think of these last 3 things.
> First try enabling SMB1 again in Windows 10. I noticed MS
> changed things again.
> Thinking here that the "older samba" you're using, with a
> latest Windows is the problem.
> Enable SMB1 again, think that will fix a lot.
>
> And you're sure your VPN line is OK and you don't have packet loss?
> Think in test with mtr or smokeping, something like that.
>
> Are the MTU sizes handled by the firewall?
> This is to prevent IP packet fragmentation, so IPTables is
> set to reduce the size of packets by adjusting the packets'
> maximum segment size.
> Something like this:
> iptables -t mangle -A PREROUTING -i ethX -p tcp -m tcp \
>   --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
>   -j TCPMSS --set-mss 1360
>
> Greetz,
>
> Louis
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

On Thu, 25 Apr 2019 16:04:18 +0930
Stephen Davies via samba <samba at lists.samba.org> wrote:

> It would appear that there may be more than one issue with my
> smb.conf. The scenario is a CentOS 7 Linux server with a bunch of LAN
> connected Windows 10 clients and several remote Windows 10 clients
> which connect via VPN. The server firewall accepts everything from
> the VPN. The server and local clients are all in workgroup BENPARTS
> while the remote clients are either stand-alone or in different
> workgroups/domains. Local SMB access works as expected but remote
> access does not due to password failures (as described in earlier log
> excerpts). What should the domain-related entries in smb.conf be to
> support this scenario? Cheers and thanks,
> Stephen
>

It sounds like you are trying to run a workgroup, but your smb.conf is
set up as a PDC, can I suggest you try this smb.conf:

[global]
    workgroup = BENPARTS
    server string = Samba Server %v
    printcap name = cups
    load printers = yes
    printing = cups
    log file = /var/log/samba/log.%m
    max log size = 50
    log level = 4
    map to guest = Bad User
    security = user
    username level = 8
    unix password sync = yes
    name resolve order = host lmhosts wins bcast
    # only turn the next line on if it isn't on any other Samba machine
    #wins support = yes
    unix charset = ISO8859-1

#============================ Share Definitions =============================
[homes]
    comment = Home Directories
    browseable = no
    read only = no

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    printable = yes
    create mode = 0700
    print command = lpr-cups -P %p -o raw %s -r

[print$]
    path = /var/lib/samba/printers
    write list = @adm root
    guest ok = yes

[pdf-generator]
    path = /var/tmp
    printable = Yes
    comment = PDF Generator (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I &

[pdf-screen]
    copy = pdf-generator
    comment = PDF Generator - Screen quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-printer]
    copy = pdf-generator
    comment = PDF Generator - Print quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-prepress]
    copy = pdf-generator
    comment = PDF Generator - PrePress quality (only valid users)
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

# This one is useful for people to share files
[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    guest ok = yes

[var]
    comment = General shared storage
    path = /var
    read only = no
    guest ok = yes

That will turn it into a standalone server, but if you want
authenticated users to connect to the shares, they must exist on the
Samba machine with the same password as on the Windows machine. Any
unknown users will be silently mapped to the guest user 'nobody' and
allowed access to any shares where 'guest ok = yes' is set.

Rowland

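
The closing point of the message above (unknown users are mapped to guest and reach every share with 'guest ok = yes') can be checked mechanically before a config like this goes live. The following is an added example, not part of the original thread and not Samba's own tooling: a small Python audit that lists the guest-reachable shares in an smb.conf and how guest can use them. The function names and the SAMPLE text (a constructed excerpt of the config above) are assumptions made for illustration.

```python
import re

TRUE = {"yes", "true", "1", "on"}
# smb.conf synonyms: "public" = "guest ok"; these three invert "read only".
WRITABLE = {"writeable", "writable", "write ok"}
# Constructed sample: excerpt of the smb.conf suggested in the message above.
SAMPLE = """[global]
  map to guest = Bad User
[homes]
  read only = no
[printers]
  path = /var/spool/samba
  guest ok = yes
  printable = yes
[print$]
  path = /var/lib/samba/printers
  guest ok = yes
[var]
  path = /var
  read only = no
  guest ok = yes
"""

def parse(text):
    """Return {section: {param: value}}, names lower-cased, synonyms folded."""
    conf, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"\[(.+)\]", line):
            cur = conf.setdefault(m.group(1).lower(), {})
        elif cur is not None and "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in WRITABLE:
                key, val = "read only", "no" if val.lower() in TRUE else "yes"
            cur["guest ok" if key == "public" else key] = val
    return conf

def guest_shares(text):
    """(share, path, access) for every share the guest account can reach."""
    conf = parse(text)
    glob, out = conf.pop("global", {}), []
    for name, share in conf.items():
        # Effective settings: [global] defaults, then any "copy =" source, then the share.
        eff = {**glob, **conf.get(share.get("copy", "").lower(), {}), **share}
        if eff.get("guest ok", "no").lower() in TRUE:
            ro = eff.get("read only", "yes").lower() in TRUE
            mode = "print" if eff.get("printable", "no").lower() in TRUE else (
                "read-only" if ro else "read-write")
            out.append((name, eff.get("path", ""), mode))
    return out
```

Run against the sample, `guest_shares(SAMPLE)` reports `/var` as read-write for guest, which is the share to review first.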
On Thu, 25 Apr 2019 10:24:36 +0200
L.P.H. van Belle <belle at bazuin.nl> wrote:

> Ps. SMB1 in Win10! I mean of course..
>
> Step 1: Go to Start button and type Control Panel. You will get
> Control Panel; Desktop app. Click on it. Step 2: You will get a
> window with a list of software on it, go to the left side of the
> panel and click Turn Windows Features On or Off. Step 3: You need to
> remove the checkmark beside SMB 1.0/CIFS File Sharing Support to
> disable SMB1 for good. If you want to enable it, put a checkmark
> beside the same.
>
> And after seeing this,
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/fac3655a-7eb5-4337-b0ab-244bbcd014e8
> @Rowland, can you do a read in this one.
>
> Your English is better than mine, but I do think this is related.

That isn't written in English, it is written by someone who knows
exactly what it means, but in GEEK

Basically, I think it means that whatever protocol is used by the
client, the server has to reply in.

> Could bug#13698 (marked fixed today) also have influence here.

Not sure a MacOS bug has anything to do with it.

>
> And might be related:
> https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
> Can't think of much more.

I will say this again, the Windows 'Guest' user has nothing to do with
the Linux guest user. On a Samba machine, any user can be mapped to
the guest user (usually 'nobody') provided the conditions are right.

Rowland

Hi,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 25 April 2019 11:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] User mapping/login issue
>
> On Thu, 25 Apr 2019 10:24:36 +0200
> L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> > Ps. SMB1 in Win10! I mean of course..
> >
> > Step 1: Go to Start button and type Control Panel. You will get
> > Control Panel; Desktop app. Click on it. Step 2: You will get a
> > window with a list of software on it, go to the left side of the
> > panel and click Turn Windows Features On or Off. Step 3: You need to
> > remove the checkmark beside SMB 1.0/CIFS File Sharing Support to
> > disable SMB1 for good. If you want to enable it, put a checkmark
> > beside the same.
> >
> > And after seeing this,
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/fac3655a-7eb5-4337-b0ab-244bbcd014e8
> > @Rowland, can you do a read in this one.
> >
> > Your English is better than mine, but I do think this is related.
>
> That isn't written in English, it is written by someone who knows
> exactly what it means, but in GEEK
>
> Basically, I think it means that whatever protocol is used by the
> client, the server has to reply in.
>
> > Could bug#13698 (marked fixed today) also have influence here.
>
> Not sure a MacOS bug has anything to do with it.
>
> >
> > And might be related:
> > https://support.microsoft.com/en-us/help/4046019/guest-access-in-smb2-disabled-by-default-in-windows-10-and-windows-ser
> > Can't think of much more.
>
> I will say this again, the Windows 'Guest' user has nothing to do with
> the Linux guest user. On a Samba machine, any user can be mapped to
> the guest user (usually 'nobody') provided the conditions are right.

Yes, but then negotiate is going on, which user is sent back from Samba to Windows? (within the SMB protocol?)
And keep in mind user "guest" is also disabled on the Windows side...
I don't know the depth of this..

As shown in the MS link (the one close above here), it does say..
SMB1 continues to use guest access and guest fallback.

But that implies that you need SMB2 for this and..

if you want to enable insecure guest access, you can configure the following Group Policy settings:
Computer configuration\administrative templates\network\Lanman Workstation
"Enable insecure guest logons"

It's one he could try also.
But with your settings, if it does work, I still have a mixed feeling here..

>
> Rowland
>