Hi, is time to get help.
I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
I have even 2 Linux Centos 5.x in my domain x64
Now, I have add 1 Centos 6.x x64 updated.
Samba 3.6.23-35.el6_8
I had setup LDAP client on this server to get users/groups and add to my
domain with net rpc join, no issue.
I can see the server on my domain no issue, the problem start went I setup
my shares folders and some users.
Public folders no problem, the problem are went I use usernames where have
'Uppercase' the firs letter.
For some strange reason cannot talk very well with my ldap server.
Case 1: upper and lower case.
SERVER GOOD:
[root at servera ~]# id Test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
[root at aervera ~]# id test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
[root at servera ~]#
Test or test return info.
Now let test the SERVER-BAD
[root at mbx-server2 opt]# id test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
[root at mbx-server2 opt]# id Test
id: Test: No such user
[root at mbx-server2 opt]#
test is diff than Test.
Now, what happen on my domain?
I have some users that appear like this on windows:
Notadmin.
I setup my share:
[nasa]
path = /opt/it
writeable = Yes
public = No
guest ok = No
valid users = test, Notadmin, dflores
create mode = 0770
directory mode = 0770
force group = itmbx
force create mode = 0770
force directory mode = 0770
admin users = root Notadmin
The user Notadmin cannot access this share.
I had check settings but I use the same us the other servers, some new
flags but nothing that took my attention:
[global]
workgroup = MYDOMAIN
netbios name = mbx-server2
hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
192.168.30., 192.168.40., 192.168.50.
hosts deny = 0.0.0.0
smb ports = 139 445
lanman auth = Yes
client lanman auth = Yes
security = DOMAIN
encrypt passwords = yes
syslog = 1
log level = 1
log file = /var/log/samba/%m.%U.log
max log size = 2048
socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
name resolve order = wins bcast hosts lmhost
username map = /etc/samba/usermap
domain logons = No
domain master = No
local master = No
preferred master = No
wins server = 192.168.2.24
idmap config * : backend = ldap
idmap config * : range = 10000-20000
logon path logon home display charset = LOCALE
unix charset = UTF-8
dos charset = CP850
client ipc signing = auto
map to guest = Bad User
load printers = No
show add printer wizard = No
use sendfile = Yes
map readonly = no
case sensitive = No
dns proxy = No
winbind separator = +
What SAMBA-BAD say on logs:
[2016/05/31 09:24:48.856147, 3]
../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
len2=288
[2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
[2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
[2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account)
Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
denying access.
[2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password)
check_ntlm_password: Authentication for user [Notadmin] -> [Notadmin]
FAILED with error NT_STATUS_NO_SUCH_USER
[2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest)
Any recomendation about I will appreciated, thanks!!!
--
LIving the dream...
mathias dufresne
2016-Jun-06 12:31 UTC
[Samba] Cannot share folders access denid PDC+LDAP.
Hi Alberto,
No idea about your issue as I'm playing with Samba to build AD only, I can
only tell you that I did tested on my Samba AD DC and I can use upper,
lower or mixed case in user names:
dc108:/opt/initial_setup# id mtest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id mTest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id MTEST
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup#
I'm using recent version of Samba, the latest in fact. Perhaps you could
try with more recent version of the product to see if you still get this
error.
There is also that option in smb.conf manpage:
username level (G)
This option helps Samba to try and 'guess' at the real UNIX
username, as many DOS clients send an all-uppercase username.
By default Samba tries all lowercase, followed by the username
with the first letter capitalized, and fails if the username is not found
on the UNIX machine.
If this parameter is set to non-zero the behavior changes. This
parameter is a number that specifies the number of uppercase combinations
to try while trying to determine the UNIX user name. The higher the number
the more combinations will be tried, but the slower the discovery of
usernames will be. Use this parameter when you have strange usernames on
your UNIX machine, such as AstrangeUser .
This parameter is needed only on UNIX systems that have case
sensitive usernames.
Default: username level = 0
Example: username level = 5
Some others tests I did after reading "This parameter is needed only on
UNIX systems that have case sensitive usernames."
dc108:/opt/initial_setup# id ROOT
id: ROOT : utilisateur inexistant
dc108:/opt/initial_setup# id rOOt
id: rOOt : utilisateur inexistant
dc108:/opt/initial_setup# id root
uid=0(root) gid=0(root) groupes=0(root)
dc108:/opt/initial_setup#
So my UNIX system is case sensitive regarding user names but not when it
comes to AD users.
Using testparm -v and grep:
testparm -v | grep "username level"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
username level = 0
dc108:/opt/initial_setup#
So "username level" is the default: 0 on the system which case
sensitive
for non-AD usernames and non-case-sensitive ofr AD users.
Hoping this helps...
mathias
2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
> Hi, is time to get help.
>
> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
> I have even 2 Linux Centos 5.x in my domain x64
>
> Now, I have add 1 Centos 6.x x64 updated.
>
> Samba 3.6.23-35.el6_8
>
> I had setup LDAP client on this server to get users/groups and add to my
> domain with net rpc join, no issue.
>
> I can see the server on my domain no issue, the problem start went I setup
> my shares folders and some users.
>
> Public folders no problem, the problem are went I use usernames where have
> 'Uppercase' the firs letter.
>
> For some strange reason cannot talk very well with my ldap server.
>
> Case 1: upper and lower case.
>
> SERVER GOOD:
>
> [root at servera ~]# id Test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
> [root at aervera ~]# id test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> [root at servera ~]#
>
> Test or test return info.
>
> Now let test the SERVER-BAD
> [root at mbx-server2 opt]# id test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> [root at mbx-server2 opt]# id Test
> id: Test: No such user
> [root at mbx-server2 opt]#
>
> test is diff than Test.
>
> Now, what happen on my domain?
>
> I have some users that appear like this on windows:
>
> Notadmin.
>
> I setup my share:
>
> [nasa]
> path = /opt/it
> writeable = Yes
> public = No
> guest ok = No
> valid users = test, Notadmin, dflores
> create mode = 0770
> directory mode = 0770
> force group = itmbx
> force create mode = 0770
> force directory mode = 0770
> admin users = root Notadmin
>
> The user Notadmin cannot access this share.
>
> I had check settings but I use the same us the other servers, some new
> flags but nothing that took my attention:
>
> [global]
> workgroup = MYDOMAIN
> netbios name = mbx-server2
> hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
> 192.168.30., 192.168.40., 192.168.50.
> hosts deny = 0.0.0.0
> smb ports = 139 445
> lanman auth = Yes
> client lanman auth = Yes
> security = DOMAIN
> encrypt passwords = yes
> syslog = 1
> log level = 1
> log file = /var/log/samba/%m.%U.log
> max log size = 2048
> socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
> name resolve order = wins bcast hosts lmhost
> username map = /etc/samba/usermap
> domain logons = No
> domain master = No
> local master = No
> preferred master = No
> wins server = 192.168.2.24
> idmap config * : backend = ldap
> idmap config * : range = 10000-20000
> logon path > logon home > display charset =
LOCALE
> unix charset = UTF-8
> dos charset = CP850
> client ipc signing = auto
> map to guest = Bad User
> load printers = No
> show add printer wizard = No
> use sendfile = Yes
> map readonly = no
> case sensitive = No
> dns proxy = No
> winbind separator = +
>
>
> What SAMBA-BAD say on logs:
>
> [2016/05/31 09:24:48.856147, 3]
> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
> Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
> len2=288
> [2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
> [2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: mapped user is:
> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
> [2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account)
> Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
> denying access.
> [2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password)
> check_ntlm_password: Authentication for user [Notadmin] -> [Notadmin]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest)
>
> Any recomendation about I will appreciated, thanks!!!
> --
> LIving the dream...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Hi mathias, thanks for taking time to see this issue. In my case is not a AD, is still a NT4 style. I will try the option, thanks. On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com> wrote:> Hi Alberto, > > No idea about your issue as I'm playing with Samba to build AD only, I can > only tell you that I did tested on my Samba AD DC and I can use upper, > lower or mixed case in user names: > > dc108:/opt/initial_setup# id mtest > uid=3000017(AD\mtest) gid=3000018(AD\not_system_users) > groupes=3000018(AD\not_system_users),3000017(AD\mtest) > dc108:/opt/initial_setup# id mTest > uid=3000017(AD\mtest) gid=3000018(AD\not_system_users) > groupes=3000018(AD\not_system_users),3000017(AD\mtest) > dc108:/opt/initial_setup# id MTEST > uid=3000017(AD\mtest) gid=3000018(AD\not_system_users) > groupes=3000018(AD\not_system_users),3000017(AD\mtest) > dc108:/opt/initial_setup# > > I'm using recent version of Samba, the latest in fact. Perhaps you could > try with more recent version of the product to see if you still get this > error. > > There is also that option in smb.conf manpage: > username level (G) > > This option helps Samba to try and 'guess' at the real UNIX > username, as many DOS clients send an all-uppercase username. > By default Samba tries all lowercase, followed by the username > with the first letter capitalized, and fails if the username is not found > on the UNIX machine. > > If this parameter is set to non-zero the behavior changes. This > parameter is a number that specifies the number of uppercase combinations > to try while trying to determine the UNIX user name. The higher the number > the more combinations will be tried, but the slower the discovery of > usernames will be. Use this parameter when you have strange usernames on > your UNIX machine, such as AstrangeUser . > > This parameter is needed only on UNIX systems that have case > sensitive usernames. > > Default: username level = 0 > > Example: username level = 5 > > Some others tests I did after reading "This parameter is needed only on > UNIX systems that have case sensitive usernames." > dc108:/opt/initial_setup# id ROOT > id: ROOT : utilisateur inexistant > dc108:/opt/initial_setup# id rOOt > id: rOOt : utilisateur inexistant > dc108:/opt/initial_setup# id root > uid=0(root) gid=0(root) groupes=0(root) > dc108:/opt/initial_setup# > > So my UNIX system is case sensitive regarding user names but not when it > comes to AD users. > > Using testparm -v and grep: > testparm -v | grep "username level" > Load smb config files from /etc/samba/smb.conf > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) > Processing section "[netlogon]" > Processing section "[sysvol]" > Loaded services file OK. > Server role: ROLE_ACTIVE_DIRECTORY_DC > > Press enter to see a dump of your service definitions > > username level = 0 > dc108:/opt/initial_setup# > > So "username level" is the default: 0 on the system which case sensitive > for non-AD usernames and non-case-sensitive ofr AD users. > > Hoping this helps... > > mathias > > > 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>: > >> Hi, is time to get help. >> >> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64 >> Windows XP/Win7/Win8.1 domain no issues.(x32/x64) >> I have even 2 Linux Centos 5.x in my domain x64 >> >> Now, I have add 1 Centos 6.x x64 updated. >> >> Samba 3.6.23-35.el6_8 >> >> I had setup LDAP client on this server to get users/groups and add to my >> domain with net rpc join, no issue. >> >> I can see the server on my domain no issue, the problem start went I setup >> my shares folders and some users. >> >> Public folders no problem, the problem are went I use usernames where >> have >> 'Uppercase' the firs letter. >> >> For some strange reason cannot talk very well with my ldap server. >> >> Case 1: upper and lower case. >> >> SERVER GOOD: >> >> [root at servera ~]# id Test >> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users) >> [root at aervera ~]# id test >> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw) >> [root at servera ~]# >> >> Test or test return info. >> >> Now let test the SERVER-BAD >> [root at mbx-server2 opt]# id test >> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw) >> [root at mbx-server2 opt]# id Test >> id: Test: No such user >> [root at mbx-server2 opt]# >> >> test is diff than Test. >> >> Now, what happen on my domain? >> >> I have some users that appear like this on windows: >> >> Notadmin. >> >> I setup my share: >> >> [nasa] >> path = /opt/it >> writeable = Yes >> public = No >> guest ok = No >> valid users = test, Notadmin, dflores >> create mode = 0770 >> directory mode = 0770 >> force group = itmbx >> force create mode = 0770 >> force directory mode = 0770 >> admin users = root Notadmin >> >> The user Notadmin cannot access this share. >> >> I had check settings but I use the same us the other servers, some new >> flags but nothing that took my attention: >> >> [global] >> workgroup = MYDOMAIN >> netbios name = mbx-server2 >> hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., >> 192.168.30., 192.168.40., 192.168.50. >> hosts deny = 0.0.0.0 >> smb ports = 139 445 >> lanman auth = Yes >> client lanman auth = Yes >> security = DOMAIN >> encrypt passwords = yes >> syslog = 1 >> log level = 1 >> log file = /var/log/samba/%m.%U.log >> max log size = 2048 >> socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384 >> name resolve order = wins bcast hosts lmhost >> username map = /etc/samba/usermap >> domain logons = No >> domain master = No >> local master = No >> preferred master = No >> wins server = 192.168.2.24 >> idmap config * : backend = ldap >> idmap config * : range = 10000-20000 >> logon path >> logon home >> display charset = LOCALE >> unix charset = UTF-8 >> dos charset = CP850 >> client ipc signing = auto >> map to guest = Bad User >> load printers = No >> show add printer wizard = No >> use sendfile = Yes >> map readonly = no >> case sensitive = No >> dns proxy = No >> winbind separator = + >> >> >> What SAMBA-BAD say on logs: >> >> [2016/05/31 09:24:48.856147, 3] >> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth) >> Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24 >> len2=288 >> [2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password) >> check_ntlm_password: Checking password for unmapped user >> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface >> [2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password) >> check_ntlm_password: mapped user is: >> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM] >> [2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account) >> Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(), >> denying access. >> [2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password) >> check_ntlm_password: Authentication for user [Notadmin] -> [Notadmin] >> FAILED with error NT_STATUS_NO_SUCH_USER >> [2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest) >> >> Any recomendation about I will appreciated, thanks!!! >> -- >> LIving the dream... >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >-- LIving the dream...
Maybe Matching Threads
- Cannot share folders access denid PDC+LDAP.
- Cannot share folders access denid PDC+LDAP.
- Cannot share folders access denid PDC+LDAP.
- [PATCH 1/2] Modify autoconf tests for intrinsics to stop clang from optimizing them away.
- DsGetNCChanges 2nd replication on different