samba - Jan 2018 - Access to Windows 2016 server works with IP but not with netbios name

On Fri, 12 Jan 2018 09:21:42 -0800
Luke Barone <lukebarone at gmail.com> wrote:
> As well as what share... Are you trying to access the \\*\netlogon or
> \\*\sysvol shares of a PDC?
> 
There wouldn't be a sysvol share on a PDC, or do you mean a DC ?

Rowland

Hi,

I'm working on getting copies of the smb.conf and log files off the site.
It's complicated...I'm just trying to connect to a share that's
defined in
the smb.conf. If I open a Windows Explorer and do: \\10.x.x.x I see the
available shares and can click on them and open them. However if I do
\\fred, i.e. the short (I've also tried the fully qualified) name, I can
see the shares but I get the "Access is denied" and the logon window
when I
try to open them.

Rob

On Fri, Jan 12, 2018 at 12:29 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 12 Jan 2018 09:21:42 -0800
> Luke Barone <lukebarone at gmail.com> wrote:
>
> > As well as what share... Are you trying to access the \\*\netlogon or
> > \\*\sysvol shares of a PDC?
> >
>
> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

In a perfect world, SysVol would be on an AD Domain Controller, but there
are people on here who do things out of the perfect world ;-)

If the answer was yes though, then I would be able to post the Reg Setting
to enable access from Windows 10 and above to those shares. I needed to
apply it as we are still running PDCs in almost every site. Trust me, I
can't wait to roll out AD

On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 12 Jan 2018 09:21:42 -0800
> Luke Barone <lukebarone at gmail.com> wrote:
>
> > As well as what share... Are you trying to access the \\*\netlogon or
> > \\*\sysvol shares of a PDC?
> >
>
> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi,

Here's a modified (to protect the customer's information) truncated
smb.conf that, for the most part, mirrors what they have:

[global]
        log level = 3
        os level = 1
        security = ADS
        server string = TEST CIFS Server
        workgroup = WG
        netbios name = FRED1
        realm = WB.DOM-NAME.COM
        idmap config * : range = 10000-20000
        log file = /var/log/samba/%m.log
        encrypt passwords = yes
        syslog = 1
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        wins support = yes
        printcap name = /dev/null
        socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
        strict sync = yes
        oplocks = yes
        kernel oplocks = no
        wide links = yes
        deadtime = 1
        case sensitive = no
        map to guest = bad user
        guest account = nobody
        unix extensions = no

[TestShare]
        comment = Test Share for further testing
        path = /cifs/TestShare_test
        hosts allow =ALL
        hosts deny = ALL
        browseable = yes
        writeable = no
        directory mask = 0777
        force user = cifs_user
        guest ok = No
        valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
        write list = @WG\dl_fred1_testshare_m

My questions are:

1) What does the error:

string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format

mean?

2) For the connections using the NETBIOS name, I see lots of messages
similar to:

[2018/01/12 23:10:38.716169,  2]
smbd/service.c:627(create_connection_session_info)
  user 'WG\testuser01' (from session setup) not permitted to access
this share (TestShare)
[2018/01/12 23:10:38.716216,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2018/01/12 23:10:38.716260,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Given the above smb.conf is it possible that the attempts using the IP
address, rather than the NETBIOS name, are being allowed access (in
this case read only) because Samba can't determine who the user is and
is, therefore, allowing some sort of guest access? I don't really have
any other way to explain why the access via the NETBIOS name, which
appears to correctly see that the user doesn't have access to the
share, fails and the access via the IP address works. Does that even
make sense?

Thanks,

Rob

On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba
<samba at lists.samba.org> wrote:
> In a perfect world, SysVol would be on an AD Domain Controller, but there
> are people on here who do things out of the perfect world ;-)
>
> If the answer was yes though, then I would be able to post the Reg Setting
> to enable access from Windows 10 and above to those shares. I needed to
> apply it as we are still running PDCs in almost every site. Trust me, I
> can't wait to roll out AD
>
> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 12 Jan 2018 09:21:42 -0800
>> Luke Barone <lukebarone at gmail.com> wrote:
>>
>> > As well as what share... Are you trying to access the \\*\netlogon
or
>> > \\*\sysvol shares of a PDC?
>> >
>>
>> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba