Rob Marshall
2018-Jan-14 00:12 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Hi,

When I initially tested the "getent passwd testuser01" I got nothing back. I then did: "getent passwd "wg\testuser01"" and got the entry. A "troubleshooting" wiki I was reading suggested adding: "winbind use default domain = yes" to fix that. I added that and was then able to look up the user without needing the "wg\".

In looking at the sources for libcli/security/dom_sid.c, which is where the "invalid format" messages are displayed, I'm a bit confused. That function seems to be assuming it's received an actual SID and not the group designation. Does anyone know why it would be checking the @WG\dl_fred1_testshare_r?

Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED when using the NETBIOS name to try and access the share. When using the IP address it doesn't seem to be checking much of anything, but allows access (at least read access) to the share. For example, when using the NETBIOS name I see it checking the kerberos ticket, which is NOT happening when using the IP address.

Again, does the assumption make any sense that when using the IP address the user is being granted some sort of "guest" access but when using the NETBIOS (or FQDN) name the authentication is actually being checked and failing for some reason?

Thanks,

Rob

On Sat, Jan 13, 2018 at 10:26 AM, Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
> Do the "getent passwd" and "getent group" commands show the domain users?
>
> I would - at least for testing - skip the "valid users" and "write list" options. I believe that file system level security is sufficient.
>
> I think the "wins support" line means this machine is a WINS server. (The "wins server" option would tell the machine which WINS server to use, not to be a WINS server, so that can be a little confusing.) My general experience with WINS servers is that it is simpler to have a domain controller/directory server be the WINS server.
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rob Marshall via samba
> Sent: Friday, January 12, 2018 6:35 PM
> To: Luke Barone <lukebarone at gmail.com>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name
>
> Hi,
>
> Here's a modified (to protect the customer's information) truncated smb.conf that, for the most part, mirrors what they have:
>
> [global]
> log level = 3
> os level = 1
> security = ADS
> server string = TEST CIFS Server
> workgroup = WG
> netbios name = FRED1
> realm = WB.DOM-NAME.COM
> idmap config * : range = 10000-20000
> log file = /var/log/samba/%m.log
> encrypt passwords = yes
> syslog = 1
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> wins support = yes
> printcap name = /dev/null
> socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
> strict sync = yes
> oplocks = yes
> kernel oplocks = no
> wide links = yes
> deadtime = 1
> case sensitive = no
> map to guest = bad user
> guest account = nobody
> unix extensions = no
>
> [TestShare]
> comment = Test Share for further testing
> path = /cifs/TestShare_test
> hosts allow = ALL
> hosts deny = ALL
> browseable = yes
> writeable = no
> directory mask = 0777
> force user = cifs_user
> guest ok = No
> valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
> write list = @WG\dl_fred1_testshare_m
>
> My questions are:
>
> 1) What does the error:
>
> string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
>
> mean?
>
> 2) For the connections using the NETBIOS name, I see lots of messages similar to:
>
> [2018/01/12 23:10:38.716169, 2] smbd/service.c:627(create_connection_session_info)
>   user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
> [2018/01/12 23:10:38.716216, 1] smbd/service.c:805(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/12 23:10:38.716260, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> Given the above smb.conf, is it possible that the attempts using the IP address, rather than the NETBIOS name, are being allowed access (in this case read only) because Samba can't determine who the user is and is, therefore, allowing some sort of guest access? I don't really have any other way to explain why the access via the NETBIOS name, which appears to correctly see that the user doesn't have access to the share, fails and the access via the IP address works. Does that even make sense?
>
> Thanks,
>
> Rob
>
> On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba <samba at lists.samba.org> wrote:
>> In a perfect world, SysVol would be on an AD Domain Controller, but there are people on here who do things out of the perfect world ;-)
>>
>> If the answer was yes though, then I would be able to post the Reg Setting to enable access from Windows 10 and above to those shares. I needed to apply it as we are still running PDCs in almost every site. Trust me, I can't wait to roll out AD.
>>
>> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>
>>> On Fri, 12 Jan 2018 09:21:42 -0800
>>> Luke Barone <lukebarone at gmail.com> wrote:
>>>
>>> > As well as what share... Are you trying to access the \\*\netlogon or \\*\sysvol shares of a PDC?
>>> >
>>>
>>> There wouldn't be a sysvol share on a PDC, or do you mean a DC?
>>>
>>> Rowland
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
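Rob's first question is about the "string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format" message. That text is what Samba's SID parser logs when it is handed a string that does not match the textual SID grammar (S-revision-authority-subauthority...); whether the caller then goes on to resolve the entry as a group name is not shown in the thread. The script below is an added example, written for this page and not taken from Samba's dom_sid.c: it re-implements that grammar in Python (the limits of 15 sub-authorities and a 48-bit identifier authority follow the SID wire format; the exact prefix and overflow handling of Samba's parser are an assumption) so you can see why a `@group` or `DOMAIN\user` entry can never parse as a SID, and how a domain SID splits into the domain part and the RID. The S-1-5-21-... value used is constructed for the example.

```python
"""Textual SID grammar, as an added example (not Samba's own code)."""
import re

MAX_SUB_AUTHS = 15              # SIDs carry at most 15 sub-authorities
MAX_ID_AUTH = (1 << 48) - 1     # identifier authority is a 48-bit value
DECIMAL = re.compile(r"^[0-9]+$")
HEX = re.compile(r"^0[xX][0-9a-fA-F]+$")


class SidFormatError(ValueError):
    """Raised where Samba would log 'SID ... is not in a valid format'."""


def string_to_sid(text):
    """Parse 'S-<rev>-<authority>-<sub1>-...-<subN>' into (rev, authority, [subs])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] not in ("S", "s"):
        raise SidFormatError("SID %s is not in a valid format" % text)
    if not DECIMAL.match(parts[1]) or not 1 <= int(parts[1]) <= 255:
        raise SidFormatError("SID %s has a bad revision" % text)
    rev = int(parts[1])
    # Identifier authority: decimal, or 0x-prefixed hex when it exceeds 32 bits.
    auth = parts[2]
    if DECIMAL.match(auth):
        authority = int(auth, 10)
    elif HEX.match(auth):
        authority = int(auth, 16)
    else:
        raise SidFormatError("SID %s has a bad identifier authority" % text)
    if authority > MAX_ID_AUTH:
        raise SidFormatError("SID %s identifier authority out of range" % text)
    subs = []
    for p in parts[3:]:
        if not DECIMAL.match(p) or int(p) > 0xFFFFFFFF:
            raise SidFormatError("SID %s has a bad sub-authority %r" % (text, p))
        subs.append(int(p))
    if len(subs) > MAX_SUB_AUTHS:
        raise SidFormatError("SID %s has too many sub-authorities" % text)
    return rev, authority, subs


def sid_to_string(sid):
    """Canonical textual form, upper-case 'S' and hex authority only when needed."""
    rev, authority, subs = sid
    auth_text = str(authority) if authority <= 0xFFFFFFFF else "0x%012X" % authority
    return "-".join(["S", str(rev), auth_text] + [str(s) for s in subs])


def is_sid_string(text):
    """True if the parser would accept the text, i.e. no 'invalid format' log line."""
    try:
        string_to_sid(text)
        return True
    except SidFormatError:
        return False


def split_domain_rid(text):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID string, RID)."""
    rev, authority, subs = string_to_sid(text)
    if not subs:
        raise SidFormatError("SID %s has no RID" % text)
    return sid_to_string((rev, authority, subs[:-1])), subs[-1]


if __name__ == "__main__":
    # The two entries from the thread's access lists, plus a constructed domain
    # SID and the well-known BUILTIN\Administrators SID.
    for s in ("@WG\\dl_fred1_testshare_r", "WG\\testuser01",
              "S-1-5-21-3623811015-3361044348-30300820-1103", "S-1-5-32-544"):
        print("%-48s -> %s" % (s, "SID" if is_sid_string(s) else "not a SID"))
    print(split_domain_rid("S-1-5-21-3623811015-3361044348-30300820-1103"))
```

Run as-is it classifies the four strings and prints the domain/RID split; the point is that the access-list entries fail at the very first check (no `S-` prefix and fewer than three dash-separated fields), so the log line reflects a probe that cannot succeed for a name, not a malformed group entry.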
Rowland Penny
2018-Jan-14 08:37 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
On Sat, 13 Jan 2018 19:12:14 -0500 Rob Marshall via samba <samba at lists.samba.org> wrote:
> Hi,
>
> When I initially tested the "getent passwd testuser01" I got nothing back. I then did: "getent passwd "wg\testuser01"" and got the entry. A "troubleshooting" wiki I was reading suggested adding: "winbind use default domain = yes" to fix that. I added that and was then able to look up the user without needing the "wg\".
>
> In looking at the sources for libcli/security/dom_sid.c, which is where the "invalid format" messages are displayed, I'm a bit confused. That function seems to be assuming it's received an actual SID and not the group designation. Does anyone know why it would be checking the @WG\dl_fred1_testshare_r?
>
> Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED when using the NETBIOS name to try and access the share. When using the IP address it doesn't seem to be checking much of anything, but allows access (at least read access) to the share. For example, when using the NETBIOS name I see it checking the kerberos ticket, which is NOT happening when using the IP address.
>
> Again, does the assumption make any sense that when using the IP address the user is being granted some sort of "guest" access but when using the NETBIOS (or FQDN) name the authentication is actually being checked and failing for some reason?
>
> Thanks,
>
> Rob
>

I will say it again, your smb.conf is incorrect, you are putting EVERYTHING into the '*' domain, please read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
Gaeseric Vandal
2018-Jan-14 16:43 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Just for reference, on a working Samba 4.x server in an AD domain I have the following entries:

Idmap config *:backend = tdb
Idmap config *:range = 2000-2999
Idmap config MYDOMAIN:backend = ad
Idmap config MYDOMAIN:schema_mode = rfc2307
Idmap config *:range = 1000-1999

I use Active Directory Users and Groups to explicitly set the uid and gid numbers (this was to keep everything happy when migrating from a classic domain). The "*" range in idmap will handle accounts that are not in the domain (of which there really shouldn't be any).

The "getent passwd" command verifies that the winbind entry in nsswitch is working. You should also find that "wbinfo -n someuser" and "wbinfo -n YOURDOMAIN\someuser" return the same SID. And "wbinfo -s someid" should return the correct "YOURDOMAIN\someuser" value.

I really don't understand why this should behave differently when connecting to server IP vs server name. The various logs on the samba server should show if you are seeing connection attempts from "YOURDOMAIN\someuser" or "someuser" and is maybe mapping the users differently. You might need to bump up the logging level.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Sunday, January 14, 2018 3:38 AM
To: samba at lists.samba.org
Cc: Rob Marshall <rob.marshall17 at gmail.com>
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name

On Sat, 13 Jan 2018 19:12:14 -0500 Rob Marshall via samba <samba at lists.samba.org> wrote:
> Hi,
>
> When I initially tested the "getent passwd testuser01" I got nothing back. I then did: "getent passwd "wg\testuser01"" and got the entry. A "troubleshooting" wiki I was reading suggested adding: "winbind use default domain = yes" to fix that. I added that and was then able to look up the user without needing the "wg\".
>
> In looking at the sources for libcli/security/dom_sid.c, which is where the "invalid format" messages are displayed, I'm a bit confused. That function seems to be assuming it's received an actual SID and not the group designation. Does anyone know why it would be checking the @WG\dl_fred1_testshare_r?
>
> Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED when using the NETBIOS name to try and access the share. When using the IP address it doesn't seem to be checking much of anything, but allows access (at least read access) to the share. For example, when using the NETBIOS name I see it checking the kerberos ticket, which is NOT happening when using the IP address.
>
> Again, does the assumption make any sense that when using the IP address the user is being granted some sort of "guest" access but when using the NETBIOS (or FQDN) name the authentication is actually being checked and failing for some reason?
>
> Thanks,
>
> Rob
>

I will say it again, your smb.conf is incorrect, you are putting EVERYTHING into the '*' domain, please read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
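Rowland's objection and Gaeseric's working configuration make the same point from two sides: a domain member needs `idmap config DOMAIN : backend` and `idmap config DOMAIN : range` entries for its own domain, with the `*` domain left as a small, non-overlapping default range for BUILTIN and foreign SIDs. The script below is an added example for this page, not Samba code and not anything either poster ran: it parses two constructed smb.conf fragments, one mirroring the thread's `[global]` section (only `*` configured) and one corrected with a `rid` backend for WG as the Idmap_config_rid wiki page describes, reports what is missing or overlapping, and computes the uid the `rid` backend derives from a RID (ID = RID - base_rid + range low, base_rid defaulting to 0). The range values in the corrected fragment are illustrative choices, not the thread's. One caveat relevant to Rob's name-versus-IP observation: a Windows client that connects by IP address has no service principal to ask a ticket for and falls back to NTLM, so a Kerberos ticket check only appearing for the name-based connection is expected; the idmap problem is independent of which mechanism authenticated the session.

```python
"""Lint the idmap configuration of an smb.conf for an AD domain member.

Added example, not Samba code. Flags the situation from the thread: no
'idmap config DOMAIN' entries, so every domain SID lands in the '*' domain.
"""
import configparser
import re

# Constructed input mirroring the thread's smb.conf: only '*' is configured.
WEAK_SMB_CONF = """
[global]
    security = ADS
    workgroup = WG
    realm = WB.DOM-NAME.COM
    idmap config * : range = 10000-20000
"""

# Constructed corrected version (illustrative ranges): '*' keeps a small tdb
# range for BUILTIN/foreign SIDs; WG gets a deterministic RID-based mapping.
FIXED_SMB_CONF = """
[global]
    security = ADS
    workgroup = WG
    realm = WB.DOM-NAME.COM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config WG : backend = rid
    idmap config WG : range = 10000-999999
"""

# Matches the lower-cased key 'idmap config <domain> : <parameter>'.
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$")


def parse_global(conf_text):
    """Return the [global] section as a dict with lower-cased keys."""
    # '=' only: ':' is part of idmap keys, and '%' must not be interpolated.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    return dict(cp["global"])


def idmap_domains(global_section):
    """Group idmap parameters by domain name (upper-cased, '*' kept as-is)."""
    domains = {}
    for key, value in global_section.items():
        m = IDMAP_KEY.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return domains


def parse_range(text):
    """'low-high' -> (low, high) with a sanity check."""
    low, high = (int(x) for x in text.split("-"))
    if low > high:
        raise ValueError("bad idmap range %r" % text)
    return low, high


def lint_idmap(conf_text):
    """Return a list of problems; an empty list means the idmap setup is sane."""
    g = parse_global(conf_text)
    domains = idmap_domains(g)
    workgroup = g.get("workgroup", "").upper()
    problems = []

    if "range" not in domains.get("*", {}):
        problems.append("'*' has no range; BUILTIN and foreign SIDs cannot be mapped")
    own = domains.get(workgroup, {})
    if "backend" not in own:
        problems.append("no 'idmap config %s : backend'; %s SIDs are allocated "
                        "from the '*' default (tdb) domain" % (workgroup, workgroup))
    if "range" not in own:
        problems.append("no 'idmap config %s : range'" % workgroup)

    # Ranges of different idmap domains must never overlap.
    ranges = [(d, parse_range(p["range"])) for d, p in domains.items() if "range" in p]
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:
                problems.append("ranges of '%s' and '%s' overlap" % (d1, d2))
    return problems


def rid_to_id(rid, range_text, base_rid=0):
    """uid/gid the 'rid' backend assigns: ID = RID - base_rid + range low."""
    low, high = parse_range(range_text)
    xid = rid - base_rid + low
    if not low <= xid <= high:
        raise ValueError("RID %d maps outside range %s" % (rid, range_text))
    return xid


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(label, lint_idmap(conf) or ["ok"])
    # A WG account with RID 1103 gets uid 11103 under range 10000-999999.
    print(rid_to_id(1103, "10000-999999"))
```

The deterministic `rid` mapping is what makes `getent passwd`, `wbinfo -n` and the share access checks agree on one uid for a given SID across reboots and across servers with the same configuration; with only the `*` tdb range, ids are handed out in first-seen order and differ from host to host.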