I'm still fighting a bit with guest access to shares via machine
account.
A quick rewind: I'm using Samba 4.5.8+dfsg-2+deb9u1~bpo8+1 (Louis'
packages), and I use an SCM system called WPKG to deploy and manage
Windows machines; that system does its work as the SYSTEM account on the
local Windows workstation.
If the machine account (say, MALCOBB$) has a valid UID/GID, the machine
account is used to log on to the shares; but I've now found that, if
there's no UID/GID, there's no fallback to the guest account. The log says:
[2018/02/08 12:21:49.457857, 3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [MALCOBB$@AD.FVG.LNF.IT]
[2018/02/08 12:21:49.457896, 10, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
Domain is [LNFFVG] (using PAC)
[2018/02/08 12:21:49.457938, 4, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:362(map_username)
Scanning username map /etc/samba/user.map
[2018/02/08 12:21:49.457980, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:196(user_in_list)
user_in_list: checking user LNFFVG\MALCOBB$ in list
[2018/02/08 12:21:49.458018, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\Administrator|
[2018/02/08 12:21:49.458051, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\administrator|
[2018/02/08 12:21:49.458073, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
user_in_list: checking user |LNFFVG\MALCOBB$| against |Administrator|
[2018/02/08 12:21:49.458095, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:201(user_in_list)
user_in_list: checking user |LNFFVG\MALCOBB$| against |administrator|
[2018/02/08 12:21:49.458124, 8, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/user_util.c:435(map_username)
The user 'LNFFVG\MALCOBB$' has no mapping. Skip it next time.
[2018/02/08 12:21:49.458150, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user LNFFVG\MALCOBB$
[2018/02/08 12:21:49.458173, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is lnffvg\malcobb$
[2018/02/08 12:21:49.458521, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:128(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is LNFFVG\MALCOBB$
[2018/02/08 12:21:49.458752, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in lnffvg\malcobb$
[2018/02/08 12:21:49.458796, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [LNFFVG\MALCOBB$]!
[2018/02/08 12:21:49.458827, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user MALCOBB$
[2018/02/08 12:21:49.458850, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is malcobb$
[2018/02/08 12:21:49.459067, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:128(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is MALCOBB$
[2018/02/08 12:21:49.459300, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in malcobb$
[2018/02/08 12:21:49.459350, 5, pid=2619, effective(0, 0), real(0, 0)]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [MALCOBB$]!
[2018/02/08 12:21:49.459489, 3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username LNFFVG\MALCOBB$ is invalid on this
system
[2018/02/08 12:21:49.459520, 3, pid=2619, effective(0, 0), real(0, 0)]
../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
auth3_generate_session_info_pac: Failed to map kerberos principal to system
user (NT_STATUS_LOGON_FAILURE)
[2018/02/08 12:21:49.459588, 3, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/02/08 12:21:49.459627, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8]
dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
[2018/02/08 12:21:49.459663, 10, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:912(smb2_set_operation_credit)
smb2_set_operation_credit: requested 31, charge 1, granted 1, current
possible/max 512/512, total granted/max/low/range 1/8192/2/1
The share is simply defined as:
[wpkg]
comment = WPKG Automated Software Deploying System
path = /srv/samba/wpkg
guest ok = yes
browseable = no
writable = no
force create mode = 0664
force directory mode = 2775
wide links = yes
and the only way I've found to ''solve'' this is to define:
map to guest = Bad Uid
(normally I use 'Bad User'), which confirms to me that Samba tries to map
the machine account to a UID/GID and fails.
But... why does Samba not fall back to guest access? Can someone explain
this to me? Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
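
A triage helper for traces like the one in this post, added here as an example (it is not part of the original message and not Samba code): it rejoins the wrapped smbd log lines into records and reports each Kerberos logon whose principal had no Unix account, together with the SMB status that followed. The function names and the abridged sample are assumptions of the example, and the patterns match only the message strings visible in the trace above.

```python
import re
HEAD = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*\d+, pid=(\d+)")
LOC = re.compile(r"\.c:\d+\((\w+)\)\s*$")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]")

SAMPLE = r"""[2018/02/08 12:21:49.457857, 3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
Kerberos ticket principal name is [MALCOBB$@AD.FVG.LNF.IT]
[2018/02/08 12:21:49.459489, 3, pid=2619, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
get_user_from_kerberos_info: Username LNFFVG\MALCOBB$ is invalid on this
system
[2018/02/08 12:21:49.459588, 3, pid=2619, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
"""  # abridged from the trace in the post, wrapped lines included

def parse_records(text):
    """Rebuild records from smbd log text whose headers and messages may be wrapped."""
    records, in_header = [], False
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append({"time": m.group(1), "pid": int(m.group(2)), "msg": ""})
        if m or in_header:
            in_header = not LOC.search(line)   # header ends at file.c:NNN(function)
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def unmapped_logons(text):
    """Logons whose Kerberos principal had no Unix account, with the SMB status that followed."""
    findings, principal, pending = [], {}, {}
    for r in parse_records(text):
        pid, msg = r["pid"], r["msg"]
        if m := PRINCIPAL.search(msg):
            principal[pid] = m.group(1)
        elif m := INVALID.search(msg):
            pending[pid] = {"time": r["time"], "pid": pid, "status": None,
                            "principal": principal.get(pid), "unix_name": m.group(1)}
            findings.append(pending[pid])
        elif pid in pending and (m := STATUS.search(msg)):
            pending.pop(pid)["status"] = m.group(1)
    return findings

if __name__ == "__main__":
    print(unmapped_logons(SAMPLE))
```

Run over a full `log level = 10` file, each finding names a machine or user account that needs either an ID mapping or an explicit guest-mapping decision.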