Daniel Carrasco
2017-Oct-30 11:19 UTC
[Samba] Unable to authenticate with Samba 4.5 from XP box
Thanks L.P.H and Rowland,

I've just tested the L.P.H solution and after reboot I'm able to authenticate with the member server without problem. It is slow listing folders with many objects, but it works (maybe it always happened).

Here's my smb.conf:

[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.COM
    server role = member server
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config ACONFI:backend = rid
    idmap config ACONFI:schema_mode = rfc2307
    idmap config ACONFI:range = 10000-999999

    winbind nss info = rfc2307
    # winbind trusted domains only = no
    winbind use default domain = yes
    # winbind enum users = yes
    # winbind enum groups = yes
    winbind offline logon = yes
    # winbind refresh tickets = Yes
    # winbind expand groups = 4
    winbind normalize names = Yes
    # domain master = no
    # local master = no
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    log level = 3

    # Configure the recycle bin and the audit
    vfs objects = recycle full_audit

    # Recycle bin
    recycle:repository = /server/share/Papelera/
    recycle:keeptree = yes
    recycle:versions = yes
    # Do not recycle empty files
    recycle:minsize = 1
    # Exclude temporary files
    recycle:exclude = *.tmp, *.TMP, *.temp, *.TEMP, *.o, *.obj, ~$*, *.lock, *.lck, *.sqlite-wal, *.bak, thumb.db
    # Do not recycle scanner files
    #recycle:exclude_dir = /server/share/Escaner/

    # Audit
    full_audit:prefix = %u|%I|%m|%R|%S
    full_audit:success = chmod chmod_acl chown connect disconnect link mkdir pread pwrite read removexattr rename rmdir setxattr unlink write
    full_audit:failure = none
    full_audit:facility = LOCAL7
    full_audit:priority = NOTICE

[Folder]
    path = /server_ssd/share/folder
    read only = no
    browsable = yes
    valid users = @allowed_group

....

And more shares with similar configuration (only changes valid users).

Greetings!!
2017-10-30 11:30 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Mon, 30 Oct 2017 11:05:52 +0100
> Daniel Carrasco via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I've a computer that has XP for compatibility purposes and is outside
> > the domain.
> > I'm trying to mount some shares that are on a Member Server with
> > Samba 4.5 but always get an error saying that password is wrong. All
> > other computers can enter to shares without problem and I'm sure that
> > the password is OK because I can login on Windows 7 computer and even
> > I've mounted a share from another Windows 7 computer that is also
> > outside the domain, so it looks like it is a problem with that XP Computer.
> >
> > Is there any way to allow to an XP user to login into Samba 4.5 share?
> >
> > I've already tried these three options:
> > ntlm auth = yes
> > raw NTLMv2 auth = yes
> > lanman auth = yes
> >
> > And using IP limitation instead of user login works fine.
> >
> > Thanks!!
> >
>
> It should be able to connect from the XP machine, but it depends on
> both being setup correctly, so can you post the smb.conf from the 4.5
> computer.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
_________________________________________

Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tel: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
Rowland Penny
2017-Oct-30 11:44 UTC
[Samba] Unable to authenticate with Samba 4.5 from XP box
On Mon, 30 Oct 2017 12:19:06 +0100
Daniel Carrasco via samba <samba at lists.samba.org> wrote:

> Thanks L.P.H and Rowland,
>
> I've just tested the L.P.H solution and after reboot I'm able to
> authenticate with the member server without problem. It is slow listing
> folders with many objects, but it works (maybe it always happened).
>
> Here's my smb.conf:
>
> [global]
>     workgroup = DOMAIN
>     security = ADS
>     realm = DOMAIN.COM
>     server role = member server
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     idmap config *:backend = tdb
>     idmap config *:range = 3000-7999
>     idmap config ACONFI:backend = rid
>     idmap config ACONFI:schema_mode = rfc2307
>     idmap config ACONFI:range = 10000-999999

I hope that 'workgroup = DOMAIN' is really 'workgroup = ACONFI'

As you are using 'rid', you do not need the 'schema_mode' line.

>
>     winbind nss info = rfc2307

You also do not need the line above.

>     # winbind trusted domains only = no
>     winbind use default domain = yes
>     # winbind enum users = yes
>     # winbind enum groups = yes
>     winbind offline logon = yes
>     # winbind refresh tickets = Yes

You really should uncomment the line above.

>     # winbind expand groups = 4
>     winbind normalize names = Yes
>     # domain master = no
>     # local master = no
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>     log level = 3
>
>     # Configure the recycle bin and the audit
>     vfs objects = recycle full_audit

I would combine the two 'vfs objects' lines, the second one turns off the first one.

>
> [Folder]
>     path = /server_ssd/share/folder
>     read only = no
>     browsable = yes
>     valid users = @allowed_group

As you seem to want to use 'acl_xattr' you should set the valid users from windows and remove the 'valid users' line.

Rowland
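
A check for the override described in the message above (a second 'vfs objects' line replacing the first), added here as an example and not part of the original thread. The sample configuration is constructed, EXAMPLE is a placeholder domain, and the function names are hypothetical; includes and line continuations are assumed absent.

```python
import re

# Constructed sample, modelled on the smb.conf in this thread (EXAMPLE is a placeholder).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:range = 10000-999999
    vfs objects = acl_xattr
    log level = 3
    # Recycle bin and audit
    vfs  Objects = recycle full_audit
[Folder]
    path = /server_ssd/share/folder
    vfs objects = acl_xattr
"""

def settings(text):
    """Yield (section, key, value, lineno); no includes or line continuations."""
    section = "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if sep:
            # Parameter names are case-insensitive and whitespace in them is ignored.
            yield section, re.sub(r"\s+", "", name).lower(), value.strip(), lineno

def find_overrides(text):
    """Report parameters set twice in one section; the later line wins."""
    seen, findings = {}, []
    for section, key, value, lineno in settings(text):
        if (section, key) in seen:
            old_value, old_line = seen[(section, key)]
            dropped = []
            if key == "vfsobjects":  # list-valued: name the modules that vanish
                split = lambda v: set(re.split(r"[,\s]+", v.strip()))
                dropped = sorted(split(old_value) - split(value))
            findings.append({"section": section, "param": key,
                             "first_line": old_line, "last_line": lineno,
                             "effective": value, "dropped": dropped})
        seen[(section, key)] = (value, lineno)
    return findings

if __name__ == "__main__":
    for f in find_overrides(SAMPLE):
        print(f)
```

A share that sets the same parameter as [global] is not reported, since that is an intentional per-share override rather than a duplicate within one section.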
Daniel Carrasco
2017-Oct-30 12:07 UTC
[Samba] Unable to authenticate with Samba 4.5 from XP box
Thanks Rowland.

Yes, I use ACONFI as Workgroup but I always try to hide my domain name on lists (today I've failed :P)

Thanks for your recommendations. I'll change it, and I'll disable the acl_xattr because I use the Linux tools to manage the permissions (setfacl).

Greetings!!

2017-10-30 12:44 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Mon, 30 Oct 2017 12:19:06 +0100
> Daniel Carrasco via samba <samba at lists.samba.org> wrote:
>
> > Thanks L.P.H and Rowland,
> >
> > I've just tested the L.P.H solution and after reboot I'm able to
> > authenticate with the member server without problem. It is slow listing
> > folders with many objects, but it works (maybe it always happened).
> >
> > Here's my smb.conf:
> >
> > [global]
> >     workgroup = DOMAIN
> >     security = ADS
> >     realm = DOMAIN.COM
> >     server role = member server
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> >
> >     idmap config *:backend = tdb
> >     idmap config *:range = 3000-7999
> >     idmap config ACONFI:backend = rid
> >     idmap config ACONFI:schema_mode = rfc2307
> >     idmap config ACONFI:range = 10000-999999
>
> I hope that 'workgroup = DOMAIN' is really 'workgroup = ACONFI'
>
> As you are using 'rid', you do not need the 'schema_mode' line.
>
> >
> >     winbind nss info = rfc2307
>
> You also do not need the line above.
>
> >     # winbind trusted domains only = no
> >     winbind use default domain = yes
> >     # winbind enum users = yes
> >     # winbind enum groups = yes
> >     winbind offline logon = yes
> >     # winbind refresh tickets = Yes
>
> You really should uncomment the line above.
>
> >     # winbind expand groups = 4
> >     winbind normalize names = Yes
> >     # domain master = no
> >     # local master = no
> >     vfs objects = acl_xattr
> >     map acl inherit = Yes
> >     store dos attributes = Yes
> >     log level = 3
> >
> >     # Configure the recycle bin and the audit
> >     vfs objects = recycle full_audit
>
> I would combine the two 'vfs objects' lines, the second one turns off
> the first one.
>
> >
> > [Folder]
> >     path = /server_ssd/share/folder
> >     read only = no
> >     browsable = yes
> >     valid users = @allowed_group
>
> As you seem to want to use 'acl_xattr' you should set the valid users
> from windows and remove the 'valid users' line.
>
> Rowland
>

--
_________________________________________

Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tel: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________