Andrew Martin
2018-Jul-17 18:53 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:54:17 AM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

> On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> Andrew Martin via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> fileserver is joined to a Samba4 AD Domain. I have configured the
>> following options to allow guest access to a share:
>>
>> [global]
>> guest account = nobody
>> map to guest = Bad User
>>
>> [Share]
>> guest ok = yes
>>
>> When attempting to connect from a local account on a Windows 7 client
>> (the client is joined to the domain but the local account is local to
>> the machine), I can no longer connect as a guest to this share,
>> receiving STATUS_LOGON_FAILURE. Looking into it further, I can
>> successfully authenticate as a guest if I specify the AD domain name
>> (EXAMPLE.COM) or the hostname of the fileserver (FILESERVER) but NOT
>> if I use the hostname of the Windows 7 client (WINDOWS7CLIENT):
>>
>> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> # this works
>>
>> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> # this works
>>
>> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> I think setting "map untrusted to domain = no" will resolve this
>> problem since the user will get mapped to FILESERVER\LocalWindowsUser
>> instead of WINDOWS7CLIENT\LocalWindowsUser as it is now when set to
>> "auto", however this is not a long-term solution since it looks like
>> this option is being removed in Samba 4.8. How can I allow a local
>> Windows user to authenticate as a guest to this share?
>>
>>
>> Thanks,
>>
>> Andrew
>>
>
> Have you tried not using '-W' ?
>
> You talk about 'authenticating' as guest, but this is the last thing
> that will happen, if a user connects to a share with an invalid
> password it will be rejected, unless the user is also invalid (i.e.
> unknown), if so the user is silently mapped to guest. There is no
> authentication involved, exactly the opposite ;-)
>
> Rowland
>

Rowland,

Yes, if I do not use '-W' then it works as expected, mapping to the guest
account. However, the use case I am trying to make work is having a local
account on a Windows 7 client access the share as guest. Windows will always
pass along the workgroup of the local account so there's no way for me to
omit it. How can I allow successful guest mapping in this case?

Thanks,

Andrew
Rowland Penny
2018-Jul-17 19:29 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Tuesday, July 17, 2018 2:54:17 AM
> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
> > Samba 4.7.0 fileserver when map untrusted to domain = auto
>
> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> > Andrew Martin via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
> >> fileserver is joined to a Samba4 AD Domain. I have configured the
> >> following options to allow guest access to a share:
> >>
> >> [global]
> >> guest account = nobody
> >> map to guest = Bad User
> >>
> >> [Share]
> >> guest ok = yes
> >>
> >> When attempting to connect from a local account on a Windows 7
> >> client (the client is joined to the domain but the local account
> >> is local to the machine), I can no longer connect as a guest to
> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
> >> further, I can successfully authenticate as a guest if I specify
> >> the AD domain name (EXAMPLE.COM) or the hostname of the fileserver
> >> (FILESERVER) but NOT if I use the hostname of the Windows 7 client
> >> (WINDOWS7CLIENT):
> >>
> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
> >> # this works
> >>
> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
> >> # this works
> >>
> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share
> >> -ULocalWindowsUser% session setup failed: NT_STATUS_LOGON_FAILURE
> >>
> >> I think setting "map untrusted to domain = no" will resolve this
> >> problem since the user will get mapped to
> >> FILESERVER\LocalWindowsUser instead of
> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
> >> however this is not a long-term solution since it looks like this
> >> option is being removed in Samba 4.8. How can I allow a local
> >> Windows user to authenticate as a guest to this share?
> >>
> >>
> >> Thanks,
> >>
> >> Andrew
> >>
> >
> > Have you tried not using '-W' ?
> >
> > You talk about 'authenticating' as guest, but this is the last thing
> > that will happen, if a user connects to a share with an invalid
> > password it will be rejected, unless the user is also invalid (i.e.
> > unknown), if so the user is silently mapped to guest. There is no
> > authentication involved, exactly the opposite ;-)
> >
> > Rowland
> >
>
> Rowland,
>
> Yes, if I do not use '-W' then it works as expected, mapping to the
> guest account. However, the use case I am trying to make work is
> having a local account on a Windows 7 client access the share as
> guest. Windows will always pass along the workgroup of the local
> account so there's no way for me to omit it. How can I allow
> successful guest mapping in this case?
>
> Thanks,
>
> Andrew

I see what you are getting at, the Windows PC is sending
ANOTHERWORKGROUP\username to a Samba machine that expects
WORKGROUP\username and is being rejected.

man smb.conf says this about 'map to guest = Bad User':

    Means user logins with an invalid password
    are rejected, unless the username does not exist, in
    which case it is treated as a guest login and mapped
    into the guest account.

So from my reading, never mind an invalid password, the user
'ANOTHERWORKGROUP\username' will not exist on the Samba machine with the
'WORKGROUP' workgroup, so it should get mapped to guest. If it doesn't
then it sounds like a bug, so can you please open a bug report.

Rowland
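Added example (not part of the thread and not Samba project code): a small Python check that reads an smb.conf and reports the settings this thread turns on, namely whether guest mapping is enabled and which shares accept guest sessions. The sample configuration is constructed from the options quoted above plus two hypothetical shares ([Drop], [Private]); the parser assumes a single file with no include directives or line continuations.

```python
import re
# Constructed sample: the settings quoted in the thread plus two hypothetical shares.
SAMPLE_SMB_CONF = """\
[global]
    guest account = nobody
    map to guest = Bad User
    map untrusted to domain = auto
[Share]
    guest ok = yes
[Drop]
    Public = Yes
[Private]
    guest ok = no
"""
# smb.conf parameter names ignore case and whitespace; "public" is a synonym of "guest ok".
SYNONYMS = {"public": "guestok"}

def canon(name):
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)

def parse_smb_conf(text):
    """Return {section: {canonical parameter name: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            current = sections.setdefault("global" if name.lower() == "global" else name, {})
        elif "=" in line and current is not None:
            param, value = line.split("=", 1)  # only the first '=' is significant
            current[canon(param)] = value.strip()
    return sections

def audit_guest_access(text):
    """Summarise whether guest mapping is on and which shares accept guests."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mapping = glob.get("maptoguest", "Never")  # documented default when unset
    # A "guest ok" placed in [global] is the default for every share.
    shares = sorted(s for s, p in conf.items() if s != "global" and
                    p.get("guestok", glob.get("guestok", "no")).lower() in ("yes", "true", "1"))
    return {"map_to_guest": mapping,
            "guest_mapping_enabled": canon(mapping) != "never",
            "map_untrusted_to_domain": glob.get("mapuntrustedtodomain", "(not set)"),
            "guest_account": glob.get("guestaccount", "nobody"),
            "guest_ok_shares": shares}

if __name__ == "__main__":
    print(audit_guest_access(SAMPLE_SMB_CONF))
```

Running it against the output of `testparm -s` rather than the raw file checks the configuration as Samba itself parsed it.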
Andrew Martin
2018-Aug-06 14:05 UTC
[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:29:59 PM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

> On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
> Andrew Martin <amartin at xes-inc.com> wrote:
>
>> ----- Original Message -----
>> > From: "samba" <samba at lists.samba.org>
>> > To: "samba" <samba at lists.samba.org>
>> > Sent: Tuesday, July 17, 2018 2:54:17 AM
>> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
>> > Samba 4.7.0 fileserver when map untrusted to domain = auto
>>
>> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
>> > Andrew Martin via samba <samba at lists.samba.org> wrote:
>> >
>> >> Hello,
>> >>
>> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> >> fileserver is joined to a Samba4 AD Domain. I have configured the
>> >> following options to allow guest access to a share:
>> >>
>> >> [global]
>> >> guest account = nobody
>> >> map to guest = Bad User
>> >>
>> >> [Share]
>> >> guest ok = yes
>> >>
>> >> When attempting to connect from a local account on a Windows 7
>> >> client (the client is joined to the domain but the local account
>> >> is local to the machine), I can no longer connect as a guest to
>> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
>> >> further, I can successfully authenticate as a guest if I specify
>> >> the AD domain name (EXAMPLE.COM) or the hostname of the fileserver
>> >> (FILESERVER) but NOT if I use the hostname of the Windows 7 client
>> >> (WINDOWS7CLIENT):
>> >>
>> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >>
>> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >>
>> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share
>> >> -ULocalWindowsUser% session setup failed: NT_STATUS_LOGON_FAILURE
>> >>
>> >> I think setting "map untrusted to domain = no" will resolve this
>> >> problem since the user will get mapped to
>> >> FILESERVER\LocalWindowsUser instead of
>> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
>> >> however this is not a long-term solution since it looks like this
>> >> option is being removed in Samba 4.8. How can I allow a local
>> >> Windows user to authenticate as a guest to this share?
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Andrew
>> >>
>> >
>> > Have you tried not using '-W' ?
>> >
>> > You talk about 'authenticating' as guest, but this is the last thing
>> > that will happen, if a user connects to a share with an invalid
>> > password it will be rejected, unless the user is also invalid (i.e.
>> > unknown), if so the user is silently mapped to guest. There is no
>> > authentication involved, exactly the opposite ;-)
>> >
>> > Rowland
>> >
>>
>> Rowland,
>>
>> Yes, if I do not use '-W' then it works as expected, mapping to the
>> guest account. However, the use case I am trying to make work is
>> having a local account on a Windows 7 client access the share as
>> guest. Windows will always pass along the workgroup of the local
>> account so there's no way for me to omit it. How can I allow
>> successful guest mapping in this case?
>>
>> Thanks,
>>
>> Andrew
>
> I see what you are getting at, the Windows PC is sending
> ANOTHERWORKGROUP\username to a Samba machine that expects
> WORKGROUP\username and is being rejected.
>
> man smb.conf says this about 'map to guest = Bad User':
>
>     Means user logins with an invalid password
>     are rejected, unless the username does not exist, in
>     which case it is treated as a guest login and mapped
>     into the guest account.
>
> So from my reading, never mind an invalid password, the user
> 'ANOTHERWORKGROUP\username' will not exist on the Samba machine with the
> 'WORKGROUP' workgroup, so it should get mapped to guest. If it doesn't
> then it sounds like a bug, so can you please open a bug report.
>
> Rowland
>

Rowland,

I submitted a request to the samba bugzilla maintenance for this bug but have
not heard back on the status of my bug report. Is there a way to check on the
status of a bug report sent to this list?

Thanks,

Andrew