Robert Marcano
2019-Sep-29 18:48 UTC
[Samba] Machines joined to a domain can't access shares on standalone Samba server
Greetings. I updated an old server to run Samba 4.9. It was running a distribution that still supported Samba 3.x. That Samba server has always been standalone; there is no interest in joining it to the Windows AD domain already in place.

When it was running Samba 3, users on a Windows domain-joined machine were able to use the user defined on the Samba server to access the share. The user was added to the server as a normal Linux user, and the Samba password was added with smbpasswd -a.

Now, on the updated installation, users on Windows domain-joined machines can't access the shares, no matter whether the user is given as <hostname>\user, localhost\user, <workgroup>\user or simply user.

We know the user authentication is working fine because from another Linux machine, or from a Windows laptop that isn't joined to the domain, the user is perfectly authenticated and can access the share contents.

The problem could be an extra security setting on the Windows-based AD domain, which I don't manage, but I wish to give the admins a hint of a fix; hopefully someone has already experienced this. Maybe the way to refer to a local user on the standalone server is different from the names already tried above.

The smb.conf is pretty simple (some little redaction on the names). Any help is greatly appreciated.

Notes:
- Played unsuccessfully with the "username map" setting just to check if I could map the user.
- Accessing the standalone server by IP still fails with authentication (trying to fall back to SMB1 for testing).
- Increasing log verbosity, I see things like:

check_ntlm_password:  Checking password for unmapped user [WIN_DOMAIN]\[Windows User]@[Windows_host] with the new password interface
check_ntlm_password:  mapped user is: [WIN_DOMAIN]\[Windows User]@[Windows_host]

and

auth_check_ntlm_password: sam_ignoredomain authentication for user [linux_user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1

[global]
# Tried with the workgroup being the same as the Windows AD domain and different
workgroup = DOMAIN
security = user
netbios aliases = ALIAS

# Added only to allow browsing the shares without authentication (tried without this too)
map to guest = Bad User

passdb backend = tdbsam

load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes

[our_share]
comment = <comment here>
path = <valid_path_here>
browsable = no
create mask = 0660
directory mask = 0770
force group = our_group
write list = @our_group
valid users = @our_group

-- 
Robert Marcano
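The three log lines quoted above are the useful evidence in this post: the name the client sent (domain-qualified), what smbd mapped it to, and which auth method rejected it with which NT_STATUS code. The following is an added example, not code from the thread or from Samba: a small parser that groups those level-3 smbd messages into authentication attempts so you can see, per client domain, what was sent and how it was checked. The log lines are constructed to match the shape of the ones quoted in the post (host and user names are placeholders, and the [timestamp, level] header smbd prepends to each line is omitted); the wording of the explanation is this example's own.

```python
"""Group smbd auth-debug messages into attempts and restate each one.

Added example, not part of the thread. SAMPLE_LOG is constructed from the
message shapes quoted in the post; names are placeholders. smbd's per-line
"[date, level] file:line(func)" header is omitted here; the parser uses
re.search, so real log lines with the header are handled the same way.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: one failure from a domain-joined client, one success from a
# laptop that is not in the domain (as the poster describes).
SAMPLE_LOG = """\
  check_ntlm_password:  Checking password for unmapped user [WIN_DOMAIN]\\[jdoe]@[WINHOST01] with the new password interface
  check_ntlm_password:  mapped user is: [WIN_DOMAIN]\\[jdoe]@[WINHOST01]
  auth_check_ntlm_password: sam_ignoredomain authentication for user [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
  check_ntlm_password:  Checking password for unmapped user [LAPTOP]\\[jdoe]@[LAPTOP] with the new password interface
  check_ntlm_password:  mapped user is: [LAPTOP]\\[jdoe]@[LAPTOP]
  auth_check_ntlm_password: sam_ignoredomain authentication for user [jdoe] succeeded
"""

UNMAPPED_RE = re.compile(r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
FAILED_RE = re.compile(r"(\w+) authentication for user \[([^\]]*)\] FAILED with error (NT_STATUS_\w+), authoritative=(\d)")
OK_RE = re.compile(r"(\w+) authentication for user \[([^\]]*)\] succeeded")


@dataclass
class Attempt:
    client_domain: str            # domain part the client put in the NTLM blob
    client_user: str
    client_host: str
    mapped_domain: Optional[str] = None
    mapped_user: Optional[str] = None
    method: Optional[str] = None  # e.g. sam_ignoredomain
    local_user: Optional[str] = None
    status: Optional[str] = None  # "succeeded" or an NT_STATUS_* code
    authoritative: Optional[bool] = None


def parse_attempts(log_text: str) -> List[Attempt]:
    """One Attempt per 'unmapped user' line, closed by a succeeded/FAILED line."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in log_text.splitlines():
        m = UNMAPPED_RE.search(line)
        if m:
            cur = Attempt(*m.groups())
            attempts.append(cur)
            continue
        if cur is None:
            continue
        m = MAPPED_RE.search(line)
        if m:
            cur.mapped_domain, cur.mapped_user, _ = m.groups()
            continue
        m = FAILED_RE.search(line)
        if m:
            cur.method, cur.local_user, cur.status = m.group(1), m.group(2), m.group(3)
            cur.authoritative = m.group(4) == "1"
            cur = None
            continue
        m = OK_RE.search(line)
        if m:
            cur.method, cur.local_user, cur.status = m.group(1), m.group(2), "succeeded"
            cur = None
    return attempts


def explain(a: Attempt, server_workgroup: str) -> str:
    """Restate one attempt in plain words, using only what the log says."""
    client = f"{a.client_domain}\\{a.client_user}@{a.client_host}"
    if a.status == "succeeded":
        return f"{client}: OK via {a.method} as local user {a.local_user}"
    msg = f"{client}: {a.status} via {a.method} as local user {a.local_user}"
    if a.method == "sam_ignoredomain" and a.client_domain.upper() != server_workgroup.upper():
        # sam_ignoredomain checks the local passdb whatever domain the client
        # sent, so the prefix was dropped and the presented password was
        # compared with the local account's hash, which did not match.
        msg += f" (client sent domain {a.client_domain}, not {server_workgroup}; prefix ignored)"
    if a.authoritative:
        msg += " [authoritative]"
    return msg


def failures_by_domain(attempts: List[Attempt]) -> Dict[Tuple[str, str], int]:
    """Count failures keyed by (client domain, NT_STATUS code)."""
    counts: Dict[Tuple[str, str], int] = {}
    for a in attempts:
        if a.status != "succeeded":
            key = (a.client_domain, a.status or "unknown")
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_attempts(SAMPLE_LOG)
    for attempt in parsed:
        print(explain(attempt, "WORKGROUP"))
    print(failures_by_domain(parsed))
```

Run it against a real log.smbd at log level 3 by replacing SAMPLE_LOG with the file contents; grouping by client domain is what separates "domain-joined clients fail, everyone else succeeds" from a plain wrong password.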
Rowland penny
2019-Sep-29 19:32 UTC
[Samba] Machines joined to a domain can't access shares on standalone Samba server
On 29/09/2019 19:48, Robert Marcano via samba wrote:
> Greetings. I updated an old server to run Samba 4.9. It was running a
> distribution that still supported Samba 3.x. That Samba server has always
> been standalone; there is no interest in joining it to the Windows AD
> domain already in place.
>
> When it was running Samba 3, users on a Windows domain-joined machine
> were able to use the user defined on the Samba server to access the
> share. The user was added to the server as a normal Linux user, and the
> Samba password was added with smbpasswd -a.
>
> Now, on the updated installation, users on Windows domain-joined machines
> can't access the shares, no matter whether the user is given as <hostname>\user,
> localhost\user, <workgroup>\user or simply user.
>
> We know the user authentication is working fine because from another Linux
> machine, or from a Windows laptop that isn't joined to the domain, the user is
> perfectly authenticated and can access the share contents.
>
> The problem could be an extra security setting on the Windows-based AD
> domain, which I don't manage, but I wish to give the admins a hint of a fix;
> hopefully someone has already experienced this. Maybe the way to refer to a
> local user on the standalone server is different from the names already tried
> above.
>
> The smb.conf is pretty simple (some little redaction on the names). Any
> help is greatly appreciated.
>
> Notes:
> - Played unsuccessfully with the "username map" setting just to check if I
> could map the user.
> - Accessing the standalone server by IP still fails with authentication
> (trying to fall back to SMB1 for testing).
> - Increasing log verbosity, I see things like:
>
> check_ntlm_password:  Checking password for unmapped user
> [WIN_DOMAIN]\[Windows User]@[Windows_host] with the new password interface
> check_ntlm_password:  mapped user is: [WIN_DOMAIN]\[Windows
> User]@[Windows_host]
>
> and
>
> auth_check_ntlm_password: sam_ignoredomain authentication for user
> [linux_user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>
> [global]
> # Tried with the workgroup being the same as the Windows AD domain and
> different
> workgroup = DOMAIN
> security = user
> netbios aliases = ALIAS
>
> # Added only to allow browsing the shares without authentication (tried
> without this too)
> map to guest = Bad User
>
> passdb backend = tdbsam
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> map archive = no
> map hidden = no
> map read only = no
> map system = no
> store dos attributes = yes
>
> [our_share]
> comment = <comment here>
> path = <valid_path_here>
> browsable = no
> create mask = 0660
> directory mask = 0770
> force group = our_group
> write list = @our_group
> valid users = @our_group
>

This is interesting, from a Unix domain member using smbclient it works:

rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland
Enter rowland@SAMDOM.EXAMPLE.COM's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland -U WORKGROUP\\rowland
Enter WORKGROUP\rowland's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon May 22 10:11:00 2017
  ..                                  D        0  Sun Sep 22 10:14:17 2019
  .bash_logout                        H      220  Fri Oct  7 16:41:03 2016
  .profile                            H      675  Fri Oct  7 16:41:03 2016
  .bashrc                             H     3515  Fri Oct  7 16:41:03 2016
  sprinkler.sh                        N      307  Mon May 22 13:20:48 2017
  .bash_history                       H      102  Wed Dec 28 11:02:35 2016
  sprinkler                           D        0  Mon May 22 13:22:29 2017
  ftptest.txt                         N        9  Fri Oct  7 16:42:33 2016

                7736784 blocks of size 1024. 1752716 blocks available
smb: \> q

As you can see, without the workgroup, it uses the domain workgroup and fails, but with the workgroup on the standalone server, it works.

However, I cannot get it to work from the GUI. I have tried numerous different settings, but it just fails. This would lead me to suspect a problem with the GUI and not Samba.

Rowland
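Rowland's test above is the useful check for this problem: the same account fails when the client supplies its own domain as the prefix and works with the standalone server's workgroup as the prefix. The following is an added example, not code from the thread or from Samba: a Python wrapper that runs the same smbclient test once per login form (bare user name, then PREFIX\user for each prefix you pass, e.g. the server's workgroup and its "netbios aliases" value) and classifies the result from smbclient's output. The password goes in the PASSWD environment variable, which smbclient reads, so it does not appear in the process list. The prefix list, the verdict strings and the status-to-verdict mapping are this example's own choices.

```python
"""Try several login forms against a standalone Samba share with smbclient.

Added example, not part of the thread. It automates the check Rowland ran by
hand: smbclient //server/share -U PREFIX\\user for each candidate prefix.
The verdict names and the output matching are this example's assumptions.
"""
import getpass
import os
import shutil
import subprocess
import sys
from typing import Dict, List, Tuple


def candidate_logins(user: str, prefixes: List[str]) -> List[str]:
    """Bare name first, then PREFIX\\user for each non-empty prefix, deduplicated."""
    seen: Dict[str, None] = {}
    for login in [user] + [f"{p}\\{user}" for p in prefixes if p]:
        seen.setdefault(login, None)
    return list(seen)


def classify(returncode: int, output: str) -> str:
    """Map smbclient's exit status and text to a verdict (check order matters)."""
    if "NT_STATUS_LOGON_FAILURE" in output:
        # session setup rejected: the server did not accept the credentials
        return "credentials rejected"
    if "tree connect failed" in output:
        # session setup passed (possibly as guest under 'map to guest') but
        # the share refused the connection, e.g. 'valid users' or permissions
        return "authenticated, share denied"
    if returncode == 0:
        return "ok"
    return "other failure"


def probe(server: str, share: str, user: str, password: str,
          prefixes: List[str], timeout: float = 15.0) -> List[Tuple[str, str]]:
    """Run smbclient once per candidate login; returns (login, verdict) pairs."""
    if shutil.which("smbclient") is None:
        raise RuntimeError("smbclient is not installed on this host")
    env = dict(os.environ, PASSWD=password)  # read by smbclient; keeps it off argv
    results: List[Tuple[str, str]] = []
    for login in candidate_logins(user, prefixes):
        cmd = ["smbclient", f"//{server}/{share}", "-U", login, "-c", "ls"]
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              env=env, timeout=timeout)
        results.append((login, classify(proc.returncode, proc.stdout + proc.stderr)))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: probe.py SERVER SHARE USER PREFIX [PREFIX ...]")
    server, share, user, *prefixes = sys.argv[1:]
    pw = getpass.getpass(f"Samba password for {user}: ")
    for login, verdict in probe(server, share, user, pw, prefixes):
        print(f"{login:32} {verdict}")
```

Run it from a domain-joined Unix client with the standalone server's workgroup and netbios alias as prefixes; a "credentials rejected" for the bare name beside an "ok" for WORKGROUP\user reproduces what Rowland saw with smbclient, and "authenticated, share denied" is the guest fallback hitting "valid users".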
Robert Marcano
2019-Sep-29 19:54 UTC
[Samba] Machines joined to a domain can't access shares on standalone Samba server
On Sun, Sep 29, 2019 at 3:33 PM Rowland penny via samba <samba@lists.samba.org> wrote:
>
> ...
> This is interesting, from a Unix domain member using smbclient it works:
>
> rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland
> Enter rowland@SAMDOM.EXAMPLE.COM's password:
> tree connect failed: NT_STATUS_ACCESS_DENIED
> rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland -U
> WORKGROUP\\rowland
> Enter WORKGROUP\rowland's password:
> Try "help" to get a list of possible commands.
> smb: \> ls
>   .                                   D        0  Mon May 22 10:11:00 2017
>   ..                                  D        0  Sun Sep 22 10:14:17 2019
>   .bash_logout                        H      220  Fri Oct  7 16:41:03 2016
>   .profile                            H      675  Fri Oct  7 16:41:03 2016
>   .bashrc                             H     3515  Fri Oct  7 16:41:03 2016
>   sprinkler.sh                        N      307  Mon May 22 13:20:48 2017
>   .bash_history                       H      102  Wed Dec 28 11:02:35 2016
>   sprinkler                           D        0  Mon May 22 13:22:29 2017
>   ftptest.txt                         N        9  Fri Oct  7 16:42:33 2016
>
>                 7736784 blocks of size 1024. 1752716 blocks available
> smb: \> q
>
> As you can see, without the workgroup, it uses the domain workgroup and
> fails, but with the workgroup on the standalone server, it works.
>
> However, I cannot get it to work from the GUI. I have tried numerous
> different settings, but it just fails. This would lead me to suspect a
> problem with the GUI and not Samba.
>

Thanks for checking it. I was wondering if, with the new Samba, Windows used the wrong user. I tried downgrading for testing with:

server max protocol = NT1

without success either. Now that you tell me that it happens to you too from the Windows UI, it makes me think it is not some kind of hardening feature on the Windows AD domain where the server is installed. I tested with Windows 7 and Windows 10 on that domain.

> Rowland
>

-- 
Robert Marcano