samba - Oct 2017 - Unable to authenticate with Samba 4.5 from XP box

Thanks L.P.H and Rowland,

I've just tested the L.P.H solution and after reboot I'm able to
authenticate with the member server without problem. Is slow listing
folders with much objects but works (maybe happened always).

Here's my smb.conf:

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config ACONFI:backend = rid
idmap config ACONFI:schema_mode = rfc2307
idmap config ACONFI:range = 10000-999999

winbind nss info = rfc2307
# winbind trusted domains only = no
winbind use default domain = yes
# winbind enum users  = yes
# winbind enum groups = yes
winbind offline logon = yes
# winbind refresh tickets = Yes
# winbind expand groups = 4
winbind normalize names = Yes
# domain master = no
# local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
log level = 3

# Configuramos la papelera de reciclaje y el audit
vfs objects = recycle full_audit

# Papelera de reciclaje
recycle:repository = /server/share/Papelera/
recycle:keeptree = yes
recycle:versions = yes
# No recicla ficheros vacios
recycle:minsize = 1
# Excluye ficheros temporales
recycle:exclude = *.tmp, *.TMP, *.temp, *.TEMP, *.o, *.obj, ~$*, *.lock,
*.lck, *.sqlite-wal, *.bak, thumb.db
# No recicla ficheros del escaner
#recycle:exclude_dir = /server/share/Escaner/

# Audit
full_audit:prefix = %u|%I|%m|%R|%S
full_audit:success = chmod chmod_acl chown connect disconnect link mkdir
pread pwrite read removexattr rename rmdir setxattr unlink write
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE

[Folder]
path = /server_ssd/share/folder
read only = no
browsable = yes
valid users = @allowed_group

.... And more shares with similar configuration (only changes valid users).

Greetings!!

2017-10-30 11:30 GMT+01:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Mon, 30 Oct 2017 11:05:52 +0100
> Daniel Carrasco via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I've a computer that has XP for compatibility purposes and is
outside
> > the domain.
> > I'm trying to mount some shares that are on a Member Server with
> > Samba 4.5 but always get an error saying that password is wrong. All
> > other computers can enter to shares without problem and I'm sure
that
> > the password is OK because I can login on Windows 7 computer and even
> > I've mounted a share from another Windows 7 computer that is also
> > outside the domain, so looks like is a problem with that XP Computer.
> >
> > Is there any way to allow to an XP user to login into Samba 4.5 share?
> >
> > I've already tried this three options:
> > ntlm auth = yes
> > raw NTLMv2 auth = yes
> > lanman auth = yes
> >
> > And using IP limitation instead user login works fine.
> >
> > Thanks!!
> >
>
> It should be able to connect from the XP machine, but it depends on
> both being setup correctly, so can you post the smb.conf from the 4.5
> computer.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

On Mon, 30 Oct 2017 12:19:06 +0100
Daniel Carrasco via samba <samba at lists.samba.org> wrote:
> Thanks L.P.H and Rowland,
> 
> I've just tested the L.P.H solution and after reboot I'm able to
> authenticate with the member server without problem. Is slow listing
> folders with much objects but works (maybe happened always).
> 
> Here's my smb.conf:
> 
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> server role = member server
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> 
> idmap config *:backend = tdb
> idmap config *:range = 3000-7999
> idmap config ACONFI:backend = rid
> idmap config ACONFI:schema_mode = rfc2307
> idmap config ACONFI:range = 10000-999999
I hope that 'workgroup = DOMAIN' is really 'workgroup = ACONFI'

As you are using 'rid', you do not need the 'schema_mode' line. 
> 
> winbind nss info = rfc2307
You also do not need the line above.
> # winbind trusted domains only = no
> winbind use default domain = yes
> # winbind enum users  = yes
> # winbind enum groups = yes
> winbind offline logon = yes
> # winbind refresh tickets = Yes
You really should uncomment the line above.
> # winbind expand groups = 4
> winbind normalize names = Yes
> # domain master = no
> # local master = no
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> log level = 3
> 
> # Configuramos la papelera de reciclaje y el audit
> vfs objects = recycle full_audit
I would combine the two 'vfs objects' lines, the second one turns off
the first one.
> 
> [Folder]
> path = /server_ssd/share/folder
> read only = no
> browsable = yes
> valid users = @allowed_group
As you seem to want to use 'acl_xattr' you should set the valid users
from windows and remove the 'valid users' line.

Rowland

Thanks Rowland.

Yes, I use ACONFI as Workgroup but I always try to hide my domain name on
lists (today i've failed :P)

Thanks for your recomendations. I'll change it, and I'll disable
the acl_xattr because I use the linux tools to manage the permissions
(setfacl).

Greetings!!

2017-10-30 12:44 GMT+01:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Mon, 30 Oct 2017 12:19:06 +0100
> Daniel Carrasco via samba <samba at lists.samba.org> wrote:
>
> > Thanks L.P.H and Rowland,
> >
> > I've just tested the L.P.H solution and after reboot I'm able
to
> > authenticate with the member server without problem. Is slow listing
> > folders with much objects but works (maybe happened always).
> >
> > Here's my smb.conf:
> >
> > [global]
> > workgroup = DOMAIN
> > security = ADS
> > realm = DOMAIN.COM
> > server role = member server
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-7999
> > idmap config ACONFI:backend = rid
> > idmap config ACONFI:schema_mode = rfc2307
> > idmap config ACONFI:range = 10000-999999
>
> I hope that 'workgroup = DOMAIN' is really 'workgroup =
ACONFI'
>
> As you are using 'rid', you do not need the 'schema_mode'
line.
>
> >
> > winbind nss info = rfc2307
>
> You also do not need the line above.
>
> > # winbind trusted domains only = no
> > winbind use default domain = yes
> > # winbind enum users  = yes
> > # winbind enum groups = yes
> > winbind offline logon = yes
> > # winbind refresh tickets = Yes
>
> You really should uncomment the line above.
>
> > # winbind expand groups = 4
> > winbind normalize names = Yes
> > # domain master = no
> > # local master = no
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > log level = 3
> >
> > # Configuramos la papelera de reciclaje y el audit
> > vfs objects = recycle full_audit
>
> I would combine the two 'vfs objects' lines, the second one turns
off
> the first one.
>
> >
>
> > [Folder]
> > path = /server_ssd/share/folder
> > read only = no
> > browsable = yes
> > valid users = @allowed_group
>
> As you seem to want to use 'acl_xattr' you should set the valid
users
> from windows and remove the 'valid users' line.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________