Gaeseric Vandal
2018-Jan-14 16:43 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
Just for reference, on a working Samba 4.x server in an AD domain I have the following entries:

    Idmap config *:backend = tdb
    Idmap config *:range = 2000-2999

    Idmap config MYDOMAIN:backend = ad
    Idmap config MYDOMAIN:schema_mode = rfc2307
    Idmap config *:range = 1000-1999

I use Active Directory Users and Groups to explicitly set the uid and gid numbers (this was to keep everything happy when migrating from a classic domain.) The "*" range in idmap will handle accounts that are not in the domain (of which there really shouldn't be any.)

The "getent passwd" command verifies that the winbind entry in nsswitch is working. You should also find that "wbinfo -n someuser" and "wbinfo -n YOURDOMAIN\someuser" return the same SID, and "wbinfo -s someid" should return the correct "YOURDOMAIN\someuser" value.

I really don't understand why this should behave differently when connecting to the server IP vs the server name. The various logs on the Samba server should show whether you are seeing connection attempts from "YOURDOMAIN\someuser" or from "someuser", and whether it is maybe mapping the users differently. You might need to bump up the logging level.

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Sunday, January 14, 2018 3:38 AM
To: samba at lists.samba.org
Cc: Rob Marshall <rob.marshall17 at gmail.com>
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name

On Sat, 13 Jan 2018 19:12:14 -0500
Rob Marshall via samba <samba at lists.samba.org> wrote:

> Hi,
>
> When I initially tested the "getent passwd testuser01" I got nothing
> back. I then did: "getent passwd "wg\testuser01"" and got the entry. A
> "troubleshooting" wiki I was reading suggested adding: "winbind use
> default domain = yes" to fix that. I added that and was then able to
> look up the user without needing the "wg\".
>
> In looking at the sources for libcli/security/dom_sid.c, which is
> where the "invalid format" messages are displayed, I'm a bit confused.
> That function seems to be assuming it's received an actual SID and not
> the group designation. Does anyone know why it would be checking the
> @WG\dl_fred1_testshare_r?
>
> Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED
> when using the NETBIOS name to try and access the share. When using
> the IP address it doesn't seem to be checking much of anything, but
> allows access (at least read access) to the share. For example, when
> using the NETBIOS name I see it checking the Kerberos ticket, which is
> NOT happening when using the IP address.
>
> Again, does the assumption make any sense that when using the IP
> address the user is being granted some sort of "guest" access, but when
> using the NETBIOS (or FQDN) name the authentication is actually being
> checked and failing for some reason?
>
> Thanks,
>
> Rob
>

I will say it again, your smb.conf is incorrect, you are putting EVERYTHING into the '*' domain, please read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
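Rob's question in the quoted message about why libcli/security/dom_sid.c is "checking" @WG\dl_fred1_testshare_r comes down to what a SID string looks like. The following is an added example written for this thread, not code from Samba or from any poster: a simplified stand-in for the SID parser (the real one in dom_sid.c handles more corner cases) that shows an `@group` token from a share's `valid users`-style list failing the SID syntax check, which is exactly what the level-3 "not in a valid format" line reports. The sample SID and the "try it as a SID first, then as a name" ordering are my own illustration based on the log excerpt in the thread, not a quotation of smbd.

```python
"""Why 'string_to_sid: SID @WG\\dl_fred1_testshare_r is not in a valid format' is
reported for a group name.

Added example for this thread, not code from Samba or from any poster. A SID
string is 'S-<revision>-<authority>' followed by up to 15 dash-separated
sub-authorities; anything else (a user name, or an '@group' token from a share's
'valid users' line) fails the syntax check. The 'SID first, then name' ordering
is my reading of the log line in the thread, not a quotation of smbd's code.
"""
import re

# Constructed inputs: a domain user SID in the usual S-1-5-21-<3 x 32-bit>-<RID>
# shape (values invented) plus the tokens that appear in the thread's log excerpt.
EXAMPLE_USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1112"
EXAMPLE_TOKENS = [
    "@WG\\dl_fred1_testshare_m",
    "@WG\\dl_fred1_testshare_r",
    "WG\\testuser01",
    EXAMPLE_USER_SID,
]

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+){0,15})$", re.IGNORECASE)
MAX_SUBAUTH = 0xFFFFFFFF          # sub-authorities are 32-bit values
MAX_AUTHORITY = 0xFFFFFFFFFFFF    # identifier authority is a 48-bit value


def parse_sid(text):
    """Return (revision, authority, [sub-authorities]) or None if text is not a SID string."""
    m = _SID_RE.match(text)
    if m is None:
        return None
    revision, authority = int(m.group(1)), int(m.group(2))
    subauths = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1 or authority > MAX_AUTHORITY:
        return None
    if any(s > MAX_SUBAUTH for s in subauths):
        return None
    return revision, authority, subauths


def rid_of(sid_text):
    """Last sub-authority of a SID: the RID the idmap 'rid' backend works from."""
    parsed = parse_sid(sid_text)
    if parsed is None or not parsed[2]:
        raise ValueError(f"no RID in {sid_text!r}")
    return parsed[2][-1]


def classify_token(token):
    """Classify one 'valid users' / 'write list' style entry.

    'sid'   : the entry already is a SID string
    'group' : '@', '+' or '&' prefix, to be resolved as a group name
    'name'  : anything else, to be resolved as a user name
    A 'group' or 'name' result is the case that produces the debug-level
    'not in a valid format' line: a SID parse was attempted and declined.
    """
    if parse_sid(token) is not None:
        return "sid"
    if token[:1] in ("@", "+", "&"):
        return "group"
    return "name"


if __name__ == "__main__":
    for token in EXAMPLE_TOKENS:
        print(f"{token:50} -> {classify_token(token)}")
    print("RID of example user SID:", rid_of(EXAMPLE_USER_SID))
```

Run on the thread's tokens, the two `@WG\...` entries and `WG\testuser01` all classify as names to be looked up rather than SIDs, so the dom_sid.c message is the parser declining them, not an access-control decision; the NT_STATUS_ACCESS_DENIED that follows comes from the share-level check, which is a separate step.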
Rowland Penny
2018-Jan-14 17:02 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
On Sun, 14 Jan 2018 11:43:00 -0500
Gaeseric Vandal via samba <samba at lists.samba.org> wrote:

>
>
> Just for reference, on a working Samba 4.x server in an AD domain I
> have the following entries
>
> Idmap config *:backend = tdb
> Idmap config *:range = 2000-2999
>
> Idmap config MYDOMAIN:backend = ad
> Idmap config MYDOMAIN:schema_mode = rfc2307
> Idmap config *:range = 1000-1999

Are you sure this works? The last line should be:

idmap config MYDOMAIN : range = 1000-1999

However, using '1000-1999' isn't really a good idea. Also, these lines will not work with Samba version 4.6.0 onwards.

>
>
>
> I use active directory users and groups to explicitly set the uid and
> gid numbers (this was to keep everything happy when migrating from a
> classic domain.) The "*" range in idmap will handle accounts that
> are not in the domain (which there really shouldn't be any.)

Oh yes there should be, check out all the 'BUILTIN' users and groups.

>
> The "getent passwd" command verifies that the winbind entry in
> nsswitch is working.

Only if you have the 'winbind enum' lines in smb.conf set to 'yes', and this isn't recommended. 'getent passwd username' will work without the 'winbind enum' lines.

> You should also find that "wbinfo -n
> someuser" and "wbinfo -n YOURDOMAIN\someuser" should return the same
> SID. And "wbinfo -s someid" should return the correct
> "YOURDOMAIN\someuser" value.
>
> I really don't understand why this should behave differently when
> connecting to server IP vs server name. The various logs on the
> samba server should show if you are seeing connection attempts from
> "YOURDOMAIN\someuser" or use "someuser" and is maybe mapping the
> users differently. You might need to bump up the logging level.
>

It is probably because he hasn't got smb.conf set up correctly, but raising the log level is a good idea.

Rowland
Rowland Penny
2018-Jan-15 19:01 UTC
[Samba] Access to Windows 2016 server works with IP but not with netbios name
On Mon, 15 Jan 2018 13:15:07 -0500
Rob Marshall <rob.marshall17 at gmail.com> wrote:

> Hi Rowland,
>
> I'm sorry if I just didn't understand what you were saying. I know
> next to nothing about Samba and I'm looking at a customer environment.
> I happen to support a product that includes Samba (which is stuck at a
> 3.6.x variant because it's stuck on an old OS), but I have no real
> experience with it. The customer is stating that they changed from a
> Windows 2008 server to a Windows 2016 server in Windows 2008
> compatibility mode. I got involved because, even though we don't
> support this configuration, the customer wants it to work. And I
> happen to be "where the buck stops" for all things related to the
> product I support.
>
> Based on what I read, it seems like the only thing missing from the
> customer's smb.conf was:
>
> idmap config * : backend = tdb
>
> OR, were you saying that they should NOT be using '*' and should
> instead specify the domain explicitly? Since I wasn't sure I tried
> (this is output from testparm -v after making various changes):
>
> Initially just add the above backend parameter:
>
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm.out
> ldap idmap suffix
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid
> idmap gid
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
>
> After restarting Samba and attempting to access the share I received
> the same error, i.e.:
>
> [2018/01/15 18:24:14.986326, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID @WG\dl_fred1_testshare_m is not in a valid format
> [2018/01/15 18:24:15.010177, 3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
> [2018/01/15 18:24:15.016152, 2] smbd/service.c:627(create_connection_session_info)
>   user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
> [2018/01/15 18:24:15.016215, 1] smbd/service.c:805(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/15 18:24:15.016266, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
>
> I then changed smb.conf to explicitly use the domain name:
>
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm_post_explicit_domain.out
> ldap idmap suffix
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid
> idmap gid
> idmap config PC.BGU-MURNAU.DE : range = 10000-20000
> idmap config PC.BGU-MURNAU.DE : backend = tdb
> idmap config * : backend = tdb
>
> But the error didn't change.
>
> I then changed the backend to be "ad":
>
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm_post_backend_ad.out
> ldap idmap suffix
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid
> idmap gid
> idmap config PC.BGU-MURNAU.DE : range = 10000-20000
> idmap config PC.BGU-MURNAU.DE : backend = ad
> idmap config * : backend = tdb
>
> But, again, same error.
>
> Sorry to be a bother on this, and I really appreciate your help, but I
> don't know what to check next.
>

I take it you didn't understand the wiki pages I pointed you to ;-)

Let's start with the premise that there are only standard Windows attributes in AD and no rfc2307 attributes. If this is the case, you need something like this in smb.conf:

idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config PC.BGU-MURNAU.DE : backend = rid
idmap config PC.BGU-MURNAU.DE : range = 10000-999999

The '*' domain is where the well-known SIDs are mapped. The 'PC.BGU-MURNAU.DE' domain is where your domain users & groups are mapped. With this setup, winbind will automatically calculate the Unix ID from the object's RID and these numbers will be inside the range set in smb.conf (in this case 10000-999999).

Provided you use the same smb.conf on all Unix domain members (hint: do not set 'netbios name', Samba will do it for you), you will always get the same IDs.

You definitely do not want 'idmap uid' and 'idmap gid', these are deprecated and replaced by 'idmap config'. You also do not need to set any 'idmap' lines other than the ones above.

If you still cannot get your head around this, cut and paste your entire smb.conf into an email (you can sanitise if you want) and then send it to me direct (i.e. not to the list) and I will change it so it should work.

Rowland
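The two layouts discussed across this thread (the member server's config with everything in the '*' domain plus the deprecated 'idmap uid'/'idmap gid' lines, and the '*' + rid layout in the reply above) can be checked mechanically. What follows is an added example, not code from Samba, the wiki or any poster: it lints the idmap lines of an smb.conf the way the reply describes and computes the Unix ID the rid backend derives from a RID. Both smb.conf fragments are constructed for this example (the broken one gives 'idmap uid'/'idmap gid' values, which the testparm output above does not show); the mapping formula, ID = RID - BASE_RID + LOW_RANGE_ID with BASE_RID defaulting to 0, is the one the idmap_rid manual page documents, and the helper names are mine.

```python
"""Lint the idmap section of a domain member's smb.conf along the lines of the
reply above, and show the Unix ID the 'rid' backend derives from a RID.

Added example, not code from Samba, the wiki or any poster. BROKEN_CONF and
FIXED_CONF are constructed. The mapping formula is the documented idmap_rid one:
ID = RID - BASE_RID + LOW_RANGE_ID, with BASE_RID defaulting to 0.
"""
import re

# Constructed: the thread's 'everything in *' layout with the deprecated lines set.
BROKEN_CONF = """
[global]
   workgroup = WG
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   idmap config * : range = 10000-20000
   idmap config * : backend = tdb
"""

# Constructed: the '*' + rid layout from the reply.
FIXED_CONF = """
[global]
   workgroup = WG
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config PC.BGU-MURNAU.DE : backend = rid
   idmap config PC.BGU-MURNAU.DE : range = 10000-999999
"""

# 'idmap config <domain> : <param> = <value>', case-insensitive, tolerant of missing spaces
_IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)$", re.IGNORECASE)
DEPRECATED_KEYS = {"idmap uid", "idmap gid"}
DOMAIN_BACKENDS = {"rid", "ad"}   # what the thread recommends for the AD domain itself


def parse_idmap(conf_text):
    """Return ({DOMAIN: {param: value}}, [deprecated lines found])."""
    domains, deprecated = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        m = _IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key in DEPRECATED_KEYS:
            deprecated.append(line)
    return domains, deprecated


def parse_range(text):
    """'low-high' -> (low, high); raises ValueError on malformed or inverted ranges."""
    low, high = (int(part) for part in text.split("-"))
    if low >= high:
        raise ValueError(f"inverted idmap range {text!r}")
    return low, high


def check_idmap(conf_text, realm):
    """Return a list of findings; an empty list means the layout matches the reply."""
    domains, deprecated = parse_idmap(conf_text)
    findings = [f"deprecated: {line!r} (replaced by 'idmap config')" for line in deprecated]

    star = domains.get("*", {})
    if "backend" not in star or "range" not in star:
        findings.append("'*' domain needs both backend and range (well-known/BUILTIN SIDs map there)")

    dom = domains.get(realm.upper())
    if dom is None:
        findings.append(f"no 'idmap config {realm}' block: domain users and groups fall into '*'")
        return findings
    if dom.get("backend") not in DOMAIN_BACKENDS:
        findings.append(f"domain backend {dom.get('backend')!r}: the thread recommends "
                        "rid (no rfc2307 attributes) or ad (with rfc2307 attributes)")
    if "range" not in dom:
        findings.append(f"'idmap config {realm} : range' is missing")
    elif "range" in star:
        (s_lo, s_hi), (d_lo, d_hi) = parse_range(star["range"]), parse_range(dom["range"])
        if s_lo <= d_hi and d_lo <= s_hi:
            findings.append(f"ranges overlap: '*' {s_lo}-{s_hi} vs {realm} {d_lo}-{d_hi}")
    return findings


def rid_to_unix_id(sid, range_text, base_rid=0):
    """Unix ID the rid backend produces for a SID; ValueError if it falls outside the range."""
    low, high = parse_range(range_text)
    rid = int(sid.rsplit("-", 1)[1])          # the RID is the last sub-authority
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps to {unix_id}, outside {low}-{high}")
    return unix_id


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, check_idmap(conf, "PC.BGU-MURNAU.DE") or ["ok"])
    # constructed SID with RID 1112 against the fixed config's domain range
    print(rid_to_unix_id("S-1-5-21-1004336348-1177238915-682003330-1112", "10000-999999"))
```

The overlap check is the part worth keeping even once the layout is right: with the rid backend the Unix ID is a pure function of the RID and the low end of the domain range, so a '*' range that overlaps the domain range, or a domain range too small for the highest RID in the domain, is a configuration error rather than something winbind can recover from at runtime.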