Wed 2014-09-03 at 18:59 +0200, Marc Muehlfeld wrote:
> Hello Markus,
>
> On 03.09.2014 09:26, Markus Carlstedt wrote:
> > Hello everybody, I have not found any answers on this issue on the
> > internet and figured I'd try to send a mail to this list.
> >
> > We have an issue with Windows 7 and 8.1 computers (and also very new
> > Macs) that cannot log in to one of our Samba servers. The server is
> > part of a domain and has security=domain set.
> > The clients are not part of the domain.
> >
> > It seems like the newer clients send the server name as domain and the
> > server therefore only looks in its own user database instead of the
> > domain's.
> > The clients can log in to the domain controller (also Samba) without any
> > problem.
> >
> > Is there a way to make Samba force all local authentications to be done
> > against the domain instead of its own (empty) database?
> >
> > The workaround is to always add the domain when logging in to this
> > server.
> >
> > On Mac, when connecting:
> > smb://domain:user@servername
> >
> > On PC, when asked for username:
> > domain\user
>
> Can you please give us more details about your configuration (smb.conf,
> idmapping, nsswitch.conf, passdb backend, etc.)?
>
> Makes it easier to provide help. Otherwise we have to guess a lot. ;-)

Absolutely, and thanks for answering!
Here are some details.

Two Samba servers (latest CentOS 6)
Server1 is domain controller and also NIS server
Server2 is domain member and NIS member for passwd

ids are shared via NIS and 'ypcat passwd' works fine.

The servers are in two different locations that are connected via
openvpn.
I attach nsswitch.conf, it is the default for CentOS6

smb.conf for Server1:
---------------------
[global]
workgroup = mydomain
bind interfaces only = yes
interfaces = br0 172.16.0.14/255.255.252.0 127.0.0.1
printcap name = /etc/printcap
load printers = no

passdb backend = tdbsam
nt acl support = no
map acl inherit = no
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
unix extensions = no

cups options = raw
log file = /var/log/samba/%m.log
max log size = 5000
log level = 4 auth:4

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

name resolve order = wins lmhosts hosts bcast
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes

smb.conf for Server2:
---------------------
[global]
workgroup = mydomain
netbios name = server2
server string = Samba Server Version %v
log level = 2 auth:2
log file = /var/log/samba/log.%m
max log size = 5000
interfaces = br0 172.18.0.10/255.255.192.0 127.0.0.1
security = domain
password server = *
domain logons = no
domain master = no
local master = yes
os level = 33
preferred master = yes
wins server = 172.16.0.14
wins proxy = yes
load printers = no
cups options = raw
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
unix extensions = no
name resolve order = wins lmhosts hosts bcast

Clients
The clients are *not* part of the domain, which is probably why this
happens. However they cannot be part of it either.
As I said before, all clients can connect to server1 without any
problems. And they can connect to server2 but only if they specify the
correct domain for the user.
When I check the logs it is clear that the client sends this to the
server:
User: server2\myuser
This makes the login fail since the local smbpasswd database is empty
and all users should be authenticated against the domain instead.

I am not certain but it is possible that this would happen with Windows
servers as well.
I just thought that perhaps there was a way to make server2 always
translate its own name to mean the domain name.
server2\myuser --> mydomain\myuser


/ Markus

-------------- next part --------------
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#	nisplus			Use NIS+ (NIS version 3)
#	nis			Use NIS (NIS version 2), also called YP
#	dns			Use DNS (Domain Name Service)
#	files			Use the local files
#	db			Use the local database (.db) files
#	compat			Use NIS on compat mode
#	hesiod			Use Hesiod for user lookups
#	[NOTFOUND=return]	Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files nis
shadow:     files nis
group:      files nis

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   nisplus

publickey:  nisplus

automount:  files nisplus
aliases:    files nisplus
On 04/09/14 08:39, Markus Carlstedt wrote:
> [...]
> When I check the logs it is clear that the client sends this to the
> server:
> User: server2\myuser
> This makes the login fail since the local smbpasswd database is empty
> and all users should be authenticated against the domain instead.
>
> I am not certain but it is possible that this would happen with Windows
> servers as well.
>
> I just thought that perhaps there was a way to make server2 always
> translate its own name to mean the domain name.
> server2\myuser --> mydomain\myuser
>
>
> / Markus
>
>

Hi, I would suggest that you run 'man smb.conf' in a terminal. You
appear to have lines in your smb.conf's global area that should only be
in a share.

Server 2 seems to be set up to use server 1 but have you used the 'net'
command to add this machine to the NT4-style domain?

Do your users exist as 'Unix' users on both machines? If not, you could
investigate the 'map to guest' parameter.

Rowland
Thu 2014-09-04 at 09:58 +0100, Rowland Penny wrote:
> [...]
> > When I check the logs it is clear that the client sends this to the
> > server:
> > User: server2\myuser
> > This makes the login fail since the local smbpasswd database is empty
> > and all users should be authenticated against the domain instead.
> >
> > I am not certain but it is possible that this would happen with Windows
> > servers as well.
> >
> > I just thought that perhaps there was a way to make server2 always
> > translate its own name to mean the domain name.
> > server2\myuser --> mydomain\myuser
> >
> >
> > / Markus
> >
> >
> Hi, I would suggest that you run 'man smb.conf' in a terminal. You
> appear to have lines in your smb.conf's global area that should only be
> in a share.
>
> Server 2 seems to be set up to use server 1 but have you used the 'net'
> command to add this machine to the NT4-style domain?
>
> Do your users exist as 'Unix' users on both machines? If not, you could
> investigate the 'map to guest' parameter.

Hi, and thanks for the tips.
The server is part of the domain and logins work when the correct domain
name is supplied as well as the username.
The Unix users also exist on both machines, they are shared via NIS.

Thanks for pointing out that some of the global options were share only,
I will look into those.

The 'map to guest' did not do what I needed but it turns out that the
next option in the man file did.
'map untrusted to domain = yes' makes a domain member server use the
domain to authenticate users.
According to the man file, the behaviour was changed in Samba 3.4.

/ Markus
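The symptom in the first message (a client sending User: server2\myuser and server2 checking its own, empty passdb) and the fix in the last one (map untrusted to domain = yes) both come down to how smbd picks an account database from the DOMAIN part of a logon name. The script below is an added example for this page, not code from the thread or from the Samba project. It parses constructed copies of the server2 [global] section as posted (weak) and with the parameter Markus found added (fixed), plus the server1 PDC settings, and reports for a given logon name which database is consulted, following the behaviour described in the thread and in the smb.conf man page; logging and DOS-attribute options are left out of the samples because they do not affect where a logon is checked, and the logon names and function names are hypothetical. Two caveats before copying the setting: parameters marked (S) in the man page, such as map archive, are legal in [global], where they set the default for every share, so they do not have to be moved out; and the behaviour and availability of map untrusted to domain changed in later Samba releases, so check man smb.conf for the version in use. The join Rowland asks about can be verified on the member server with net rpc testjoin.

```python
"""Which account database does smbd consult for a DOMAIN\\user logon?

Added example for this page; not code from the thread or from Samba.
The smb.conf samples are constructed from the server2 and server1 [global]
sections posted in the thread; the logon names are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed: server2 as posted, a domain member with nothing mapping
# unknown domain prefixes to the domain.
WEAK_SMB_CONF = """\
[global]
    workgroup = mydomain
    netbios name = server2
    security = domain
    password server = *
    domain logons = no
"""

# Constructed: the same server with the parameter Markus found (Samba 3.4+).
FIXED_SMB_CONF = WEAK_SMB_CONF + "    map untrusted to domain = yes\n"

# Constructed: the server1 settings that matter, a PDC whose local passdb
# is the domain SAM.
PDC_SMB_CONF = """\
[global]
    workgroup = mydomain
    passdb backend = tdbsam
    domain logons = yes
"""

_TRUE = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    '#'/';' comment lines and backslash line continuations. Section names
    and keys are lower-cased because Samba matches them case-insensitively;
    runs of whitespace inside a key collapse to one space."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    carry = ""
    for raw in text.splitlines():
        line = carry + raw.strip()
        carry = ""
        if line.endswith("\\"):              # continued on the next line
            carry = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                          # junk outside any section
        key, _, value = line.partition("=")
        conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def split_logon_name(name: str) -> Tuple[str, str]:
    """Split DOMAIN\\user (Windows) or DOMAIN;user (smb:// URL form) into
    (domain, user). A bare user name yields an empty domain."""
    for sep in ("\\", ";"):
        if sep in name:
            domain, user = name.split(sep, 1)
            return domain, user
    return "", name


def audit(conf: Dict[str, Dict[str, str]], logon_name: str) -> Dict[str, object]:
    """Report which database a logon name is checked against, following the
    behaviour described in the thread and in the smb.conf man page for
    'map untrusted to domain'. Returns the target plus a list of findings."""
    g = conf.get("global", {})
    security = g.get("security", "user").lower()
    workgroup = g.get("workgroup", "WORKGROUP").lower()
    netbios = g.get("netbios name", "").lower()   # Samba defaults this to the host name
    is_pdc = g.get("domain logons", "no").lower() in _TRUE
    maps_untrusted = g.get("map untrusted to domain", "no").lower() in _TRUE
    domain, user = split_logon_name(logon_name)
    prefix = domain.lower()
    findings: List[str] = []

    if is_pdc or prefix == workgroup:
        # On a PDC the local passdb is the domain SAM; an explicit
        # WORKGROUP\user always goes to the domain.
        target = "domain"
    elif security in ("domain", "ads") and maps_untrusted:
        target = "domain"
        findings.append(f"prefix {domain!r} rewritten to primary domain {workgroup!r}")
    else:
        target = "local passdb"
        if netbios and prefix == netbios:
            findings.append(f"prefix {domain!r} is this server's NetBIOS name, "
                            "so the logon is checked locally, not against the domain")
        if security in ("domain", "ads"):
            findings.append("domain member without 'map untrusted to domain = yes'")
    return {"domain": domain, "user": user,
            "authenticates_against": target, "findings": findings}


if __name__ == "__main__":
    for label, text in (("server2 as posted", WEAK_SMB_CONF),
                        ("server2 fixed", FIXED_SMB_CONF),
                        ("server1 (PDC)", PDC_SMB_CONF)):
        conf = parse_smb_conf(text)
        for name in (r"server2\myuser", r"mydomain\myuser"):
            r = audit(conf, name)
            print(f"{label:18} {name:18} -> {r['authenticates_against']}")
            for f in r["findings"]:
                print(f"{'':40} {f}")
```

Running it shows server2\myuser landing on the local passdb for the posted configuration and on the domain once the parameter is set, while mydomain\myuser reaches the domain in both cases, which is exactly the pair of outcomes Markus reported. The audit can be pointed at a real file with parse_smb_conf(open("/etc/samba/smb.conf").read()) to check other member servers for the same gap.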