Andrew Martin
2018-Jul-16 21:47 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
Hello,

I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this fileserver is joined to a Samba4 AD Domain. I have configured the following options to allow guest access to a share:

[global]
guest account = nobody
map to guest = Bad User

[Share]
guest ok = yes

When attempting to connect from a local account on a Windows 7 client (the client is joined to the domain but the local account is local to the machine), I can no longer connect as a guest to this share, receiving STATUS_LOGON_FAILURE. Looking into it further, I can successfully authenticate as a guest if I specify the AD domain name (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):

$ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
# this works

$ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
# this works

$ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
session setup failed: NT_STATUS_LOGON_FAILURE

I think setting "map untrusted to domain = no" will resolve this problem since the user will get mapped to FILESERVER\LocalWindowsUser instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto", however this is not a long-term solution since it looks like this option is being removed in Samba 4.8. How can I allow a local Windows user to authenticate as a guest to this share?

Thanks,

Andrew
Rowland Penny
2018-Jul-17 07:54 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
On Mon, 16 Jul 2018 16:47:57 -0500 (CDT) Andrew Martin via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
> fileserver is joined to a Samba4 AD Domain. I have configured the
> following options to allow guest access to a share:
>
> [global]
> guest account = nobody
> map to guest = Bad User
>
> [Share]
> guest ok = yes
>
> When attempting to connect from a local account on a Windows 7 client
> (the client is joined to the domain but the local account is local to
> the machine), I can no longer connect as a guest to this share,
> receiving STATUS_LOGON_FAILURE. Looking into it further, I can
> successfully authenticate as a guest if I specify the AD domain name
> (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT
> if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):
>
> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
> # this works
>
> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
> # this works
>
> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> I think setting "map untrusted to domain = no" will resolve this
> problem since the user will get mapped to FILESERVER\LocalWindowsUser
> instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to
> "auto", however this is not a long-term solution since it looks like
> this option is being removed in Samba 4.8. How can I allow a local
> Windows user to authenticate as a guest to this share?
>
>
> Thanks,
>
> Andrew
>

Have you tried not using '-W' ?

You talk about 'authenticating' as guest, but this is the last thing that will happen, if a user connects to a share with an invalid password it will be rejected, unless the user is also invalid (i.e. unknown), if so the user is silently mapped to guest. There is no authentication involved, exactly the opposite ;-)

Rowland
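Added example, not part of the thread and not Samba code: a small Python audit that models the "map to guest" outcomes described in the reply above and lists which shares in an smb.conf accept guest sessions. Whether smbd treats a given DOMAIN\user as known is taken as an input rather than modelled, "Bad Uid" is not modelled, and the sample config is constructed from the settings quoted in the thread plus a hypothetical [Private] share.

```python
import configparser

# Constructed sample: the settings quoted in the thread, plus a
# hypothetical [Private] share without guest access for contrast.
SMB_CONF = """
[global]
guest account = nobody
map to guest = Bad User

[Share]
guest ok = yes

[Private]
path = /srv/private
"""


def session_outcome(map_to_guest, user_known, password_ok):
    """Simplified model of the documented 'map to guest' values.

    user_known is an input: resolving DOMAIN\\user is not modelled here.
    Returns 'user', 'guest' or 'reject'.
    """
    mode = map_to_guest.strip().lower()
    if user_known and password_ok:
        return "user"
    if mode == "bad user" and not user_known:
        return "guest"   # unknown name is silently mapped to guest
    if mode == "bad password":
        return "guest"   # failed logins become guest sessions
    return "reject"      # 'never', or known user with a wrong password


def guest_exposure(conf_text):
    """Return (map to guest, guest account, shares that allow guest)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    mode = glob.get("map to guest", "Never")         # Samba default
    account = glob.get("guest account", "nobody")    # usual default
    shares = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        # 'public' is a synonym for 'guest ok' in smb.conf
        flag = cp[name].get("guest ok", cp[name].get("public", "no"))
        if flag.strip().lower() in ("yes", "true", "1"):
            shares.append(name)
    return mode, account, shares
```
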
Andrew Martin
2018-Jul-17 18:53 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:54:17 AM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

> On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> Andrew Martin via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> fileserver is joined to a Samba4 AD Domain. I have configured the
>> following options to allow guest access to a share:
>>
>> [global]
>> guest account = nobody
>> map to guest = Bad User
>>
>> [Share]
>> guest ok = yes
>>
>> When attempting to connect from a local account on a Windows 7 client
>> (the client is joined to the domain but the local account is local to
>> the machine), I can no longer connect as a guest to this share,
>> receiving STATUS_LOGON_FAILURE. Looking into it further, I can
>> successfully authenticate as a guest if I specify the AD domain name
>> (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT
>> if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):
>>
>> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> # this works
>>
>> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> # this works
>>
>> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> I think setting "map untrusted to domain = no" will resolve this
>> problem since the user will get mapped to FILESERVER\LocalWindowsUser
>> instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to
>> "auto", however this is not a long-term solution since it looks like
>> this option is being removed in Samba 4.8. How can I allow a local
>> Windows user to authenticate as a guest to this share?
>>
>>
>> Thanks,
>>
>> Andrew
>>
>
> Have you tried not using '-W' ?
>
> You talk about 'authenticating' as guest, but this is the last thing
> that will happen, if a user connects to a share with an invalid
> password it will be rejected, unless the user is also invalid (i.e.
> unknown), if so the user is silently mapped to guest. There is no
> authentication involved, exactly the opposite ;-)
>
> Rowland
>

Rowland,

Yes, if I do not use '-W' then it works as expected, mapping to the guest account. However, the use case I am trying to make work is having a local account on a Windows 7 client access the share as guest. Windows will always pass along the workgroup of the local account so there's no way for me to omit it. How can I allow successful guest mapping in this case?

Thanks,

Andrew