samba - Aug 2015 - Make Samba4 ignore domain prefix on share logon

Edited smb.conf to match yours and restarted both smbd and winbind. Did not
work. Tried to smbclient from another server: session setup failed:
NT_STATUS_LOGON_FAILURE. Our member server is also running Ubuntu 14.04 and
Samba-4.1.6 (I might have mistakenly wirtten it was 4.1.7 in original
email, dont remember now). Domain Users do have gid and users have uids.


S pozdravom,

Jakub Veselý
Správca siete GJH
Novohradská 3, 82109 Bratislava
02/210 28 328

2015-08-16 20:35 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 16/08/15 16:55, Jakub Veselý wrote:
>
>> I am trying to log in with my domain credentials, that are valid,
because
>> when I prefix the login it succeeds.
>>
>> S pozdravom,
>>
>> Jakub Veselý
>> Správca siete GJH
>> Novohradská 3, 82109 Bratislava
>> 02/210 28 328
>>
>> 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com
>> <mailto:rowlandpenny241155 at gmail.com>>:
>>
>>     On 16/08/15 16:38, Jakub Veselý wrote:
>>
>>         Unfortunately 'map untrusted to domain = yes' did not
help, I
>>         still keep
>>         getting wrong username or password error while accessing the
>>         share. I do
>>         have 'winbind use default domain = yes' in the
configuration,
>>         but seem to
>>         have no effect on windows either. I am trying it from windows
>>         10 PC that is
>>         not joined to domain, could the os be an issue?
>>
>>         Jakub Vesely
>>
>>
>>     possibly, but you are trying to connect as a user that just
>>     doesn't exist (i.e. a user from outside the domain), you may
need
>>     to use 'map to Bad User', but as I said, post your smb.conf
>>
>>
>>     Rowland
>>
>>
>>     --     To unsubscribe from this list go to the following URL and
read
>> the
>>     instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
> OK, I tried to login from a VM that isn't connected to my domain with a
> domain user to a share on a member server and it works, the share is owned
> by root:Domain Users with 0775 permissions
>
> My smb.conf is very similar to yours with the addition of these lines:
>
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind expand groups = 4
>         winbind refresh tickets = Yes
>         winbind normalize names = Yes
>
> I do not have these lines:
>
>   winbind trusted domains only = no
>   map untrusted to domain = yes
>
> The share stanza is just this:
>
> [testshare]
>         path = /home/share
>         read only = no
>
> The command I used on the VM is this:
>
> smbclient \\\\computer.example.com\\testshare -U rowland%password
>
> The member server is running Linux Mint 17 (aka Ubuntu 14.04) with samba
> 4.1.6
>
> My users have a uidNumber and Domain Users has a gidNumber.
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Never mind I am an idiot. I have been experimenting with passwords and was
writing the wrong one after edit. It DOES work from smb client.

S pozdravom,

Jakub Veselý
Správca siete GJH
Novohradská 3, 82109 Bratislava
02/210 28 328

2015-08-16 20:51 GMT+02:00 Jakub Veselý <happy at gjh.sk>:
> Edited smb.conf to match yours and restarted both smbd and winbind. Did
> not work. Tried to smbclient from another server: session setup failed:
> NT_STATUS_LOGON_FAILURE. Our member server is also running Ubuntu 14.04 and
> Samba-4.1.6 (I might have mistakenly wirtten it was 4.1.7 in original
> email, dont remember now). Domain Users do have gid and users have uids.
>
>
> S pozdravom,
>
> Jakub Veselý
> Správca siete GJH
> Novohradská 3, 82109 Bratislava
> 02/210 28 328
>
> 2015-08-16 20:35 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
>
>> On 16/08/15 16:55, Jakub Veselý wrote:
>>
>>> I am trying to log in with my domain credentials, that are valid,
>>> because when I prefix the login it succeeds.
>>>
>>> S pozdravom,
>>>
>>> Jakub Veselý
>>> Správca siete GJH
>>> Novohradská 3, 82109 Bratislava
>>> 02/210 28 328
>>>
>>> 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com
>>> <mailto:rowlandpenny241155 at gmail.com>>:
>>>
>>>     On 16/08/15 16:38, Jakub Veselý wrote:
>>>
>>>         Unfortunately 'map untrusted to domain = yes' did
not help, I
>>>         still keep
>>>         getting wrong username or password error while accessing
the
>>>         share. I do
>>>         have 'winbind use default domain = yes' in the
configuration,
>>>         but seem to
>>>         have no effect on windows either. I am trying it from
windows
>>>         10 PC that is
>>>         not joined to domain, could the os be an issue?
>>>
>>>         Jakub Vesely
>>>
>>>
>>>     possibly, but you are trying to connect as a user that just
>>>     doesn't exist (i.e. a user from outside the domain), you
may need
>>>     to use 'map to Bad User', but as I said, post your
smb.conf
>>>
>>>
>>>     Rowland
>>>
>>>
>>>     --     To unsubscribe from this list go to the following URL
and
>>> read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>> OK, I tried to login from a VM that isn't connected to my domain
with a
>> domain user to a share on a member server and it works, the share is
owned
>> by root:Domain Users with 0775 permissions
>>
>> My smb.conf is very similar to yours with the addition of these lines:
>>
>>         dedicated keytab file = /etc/krb5.keytab
>>         kerberos method = secrets and keytab
>>         winbind expand groups = 4
>>         winbind refresh tickets = Yes
>>         winbind normalize names = Yes
>>
>> I do not have these lines:
>>
>>   winbind trusted domains only = no
>>   map untrusted to domain = yes
>>
>> The share stanza is just this:
>>
>> [testshare]
>>         path = /home/share
>>         read only = no
>>
>> The command I used on the VM is this:
>>
>> smbclient \\\\computer.example.com\\testshare -U rowland%password
>>
>> The member server is running Linux Mint 17 (aka Ubuntu 14.04) with
samba
>> 4.1.6
>>
>> My users have a uidNumber and Domain Users has a gidNumber.
>>
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

Okay so it does work from smbclient, however I still can't get windows 10
to auth without prefix. Will try tommorow (CEST) at work on windows 7 one.

S pozdravom,

Jakub Veselý
Správca siete GJH
Novohradská 3, 82109 Bratislava
02/210 28 328

2015-08-16 20:56 GMT+02:00 Jakub Veselý <happy at gjh.sk>:
> Never mind I am an idiot. I have been experimenting with passwords and was
> writing the wrong one after edit. It DOES work from smb client.
>
> S pozdravom,
>
> Jakub Veselý
> Správca siete GJH
> Novohradská 3, 82109 Bratislava
> 02/210 28 328
>
> 2015-08-16 20:51 GMT+02:00 Jakub Veselý <happy at gjh.sk>:
>
>> Edited smb.conf to match yours and restarted both smbd and winbind. Did
>> not work. Tried to smbclient from another server: session setup failed:
>> NT_STATUS_LOGON_FAILURE. Our member server is also running Ubuntu 14.04
and
>> Samba-4.1.6 (I might have mistakenly wirtten it was 4.1.7 in original
>> email, dont remember now). Domain Users do have gid and users have
uids.
>>
>>
>> S pozdravom,
>>
>> Jakub Veselý
>> Správca siete GJH
>> Novohradská 3, 82109 Bratislava
>> 02/210 28 328
>>
>> 2015-08-16 20:35 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
>>
>>> On 16/08/15 16:55, Jakub Veselý wrote:
>>>
>>>> I am trying to log in with my domain credentials, that are
valid,
>>>> because when I prefix the login it succeeds.
>>>>
>>>> S pozdravom,
>>>>
>>>> Jakub Veselý
>>>> Správca siete GJH
>>>> Novohradská 3, 82109 Bratislava
>>>> 02/210 28 328
>>>>
>>>> 2015-08-16 17:46 GMT+02:00 Rowland Penny <rowlandpenny241155
at gmail.com
>>>> <mailto:rowlandpenny241155 at gmail.com>>:
>>>>
>>>>     On 16/08/15 16:38, Jakub Veselý wrote:
>>>>
>>>>         Unfortunately 'map untrusted to domain = yes'
did not help, I
>>>>         still keep
>>>>         getting wrong username or password error while
accessing the
>>>>         share. I do
>>>>         have 'winbind use default domain = yes' in the
configuration,
>>>>         but seem to
>>>>         have no effect on windows either. I am trying it from
windows
>>>>         10 PC that is
>>>>         not joined to domain, could the os be an issue?
>>>>
>>>>         Jakub Vesely
>>>>
>>>>
>>>>     possibly, but you are trying to connect as a user that just
>>>>     doesn't exist (i.e. a user from outside the domain),
you may need
>>>>     to use 'map to Bad User', but as I said, post your
smb.conf
>>>>
>>>>
>>>>     Rowland
>>>>
>>>>
>>>>     --     To unsubscribe from this list go to the following
URL and
>>>> read the
>>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>> OK, I tried to login from a VM that isn't connected to my
domain with a
>>> domain user to a share on a member server and it works, the share
is owned
>>> by root:Domain Users with 0775 permissions
>>>
>>> My smb.conf is very similar to yours with the addition of these
lines:
>>>
>>>         dedicated keytab file = /etc/krb5.keytab
>>>         kerberos method = secrets and keytab
>>>         winbind expand groups = 4
>>>         winbind refresh tickets = Yes
>>>         winbind normalize names = Yes
>>>
>>> I do not have these lines:
>>>
>>>   winbind trusted domains only = no
>>>   map untrusted to domain = yes
>>>
>>> The share stanza is just this:
>>>
>>> [testshare]
>>>         path = /home/share
>>>         read only = no
>>>
>>> The command I used on the VM is this:
>>>
>>> smbclient \\\\computer.example.com\\testshare -U rowland%password
>>>
>>> The member server is running Linux Mint 17 (aka Ubuntu 14.04) with
samba
>>> 4.1.6
>>>
>>> My users have a uidNumber and Domain Users has a gidNumber.
>>>
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>>
>

On 16/08/15 19:51, Jakub Veselý wrote:
> Edited smb.conf to match yours and restarted both smbd and winbind. 
> Did not work. Tried to smbclient from another server: session setup 
> failed: NT_STATUS_LOGON_FAILURE. Our member server is also running 
> Ubuntu 14.04 and Samba-4.1.6 (I might have mistakenly wirtten it was 
> 4.1.7 in original email, dont remember now). Domain Users do have gid 
> and users have uids.
>
>
> S pozdravom,
>
> Jakub Veselý
> Správca siete GJH
> Novohradská 3, 82109 Bratislava
> 02/210 28 328
>
> 2015-08-16 20:35 GMT+02:00 Rowland Penny <rowlandpenny241155 at
gmail.com
> <mailto:rowlandpenny241155 at gmail.com>>:
>
>     On 16/08/15 16:55, Jakub Veselý wrote:
>
>         I am trying to log in with my domain credentials, that are
>         valid, because when I prefix the login it succeeds.
>
>         S pozdravom,
>
>         Jakub Veselý
>         Správca siete GJH
>         Novohradská 3, 82109 Bratislava
>         02/210 28 328 <tel:02%2F210%2028%20328>
>
>         2015-08-16 17:46 GMT+02:00 Rowland Penny
>         <rowlandpenny241155 at gmail.com
>         <mailto:rowlandpenny241155 at gmail.com>
>         <mailto:rowlandpenny241155 at gmail.com
>         <mailto:rowlandpenny241155 at gmail.com>>>:
>
>             On 16/08/15 16:38, Jakub Veselý wrote:
>
>                 Unfortunately 'map untrusted to domain = yes' did
not
>         help, I
>                 still keep
>                 getting wrong username or password error while
>         accessing the
>                 share. I do
>                 have 'winbind use default domain = yes' in the
>         configuration,
>                 but seem to
>                 have no effect on windows either. I am trying it from
>         windows
>                 10 PC that is
>                 not joined to domain, could the os be an issue?
>
>                 Jakub Vesely
>
>
>             possibly, but you are trying to connect as a user that just
>             doesn't exist (i.e. a user from outside the domain), you
>         may need
>             to use 'map to Bad User', but as I said, post your
smb.conf
>
>
>             Rowland
>
>
>             --     To unsubscribe from this list go to the following
>         URL and read the
>             instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>     OK, I tried to login from a VM that isn't connected to my domain
>     with a domain user to a share on a member server and it works, the
>     share is owned by root:Domain Users with 0775 permissions
>
>     My smb.conf is very similar to yours with the addition of these lines:
>
>             dedicated keytab file = /etc/krb5.keytab
>             kerberos method = secrets and keytab
>             winbind expand groups = 4
>             winbind refresh tickets = Yes
>             winbind normalize names = Yes
>
>     I do not have these lines:
>
>       winbind trusted domains only = no
>       map untrusted to domain = yes
>
>     The share stanza is just this:
>
>     [testshare]
>             path = /home/share
>             read only = no
>
>     The command I used on the VM is this:
>
>     smbclient \\\\computer.example.com
>     <http://computer.example.com>\\testshare -U rowland%password
>
>     The member server is running Linux Mint 17 (aka Ubuntu 14.04) with
>     samba 4.1.6
>
>     My users have a uidNumber and Domain Users has a gidNumber.
>
>
>     Rowland
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>
Does 'getent passwd domainuser' produce any output when run on the 
member server ?

There must be a difference between your member server and mine, what it 
is I do not know, I can only think it is either a setting or you are 
lacking a package that I have installed.

Rowland