samba - Sep 2018 - Share cannot be accessed when samba is in Domain with security enabled

Hi Rowland,

Sorry, I shall post such questions to mailing list in future.

Here is my smb.conf

#############My smb.conf##########
[global]
workgroup=SAMBADFS
server string=SMB Server
netbios name=Shivatest
realm=SAMBADFS.LOCAL 
log level=1 
log file= 
max log size=2000 
max smbd processes=100 
security=ADS 
password server=10.10.1.1 
wins support=no 
client NTLMv2 auth=Yes 
wins proxy=no 
server max protocol=SMB3 
client max protocol=SMB3 
dns proxy=no 
wins server=0.0.0.0, 0.0.0.0
name resolve order=lmhosts host wins bcast  
map to guest=bad uid
guest only=yes 
guest account=root
local master=no 
encrypt passwords=yes 
ntlm auth=yes 
deadtime=60 
server signing=auto 
client signing=auto 
dos charset=CP932 
#my share
[SHIVA_SHARE] 
path=/etc/test 
browseable=yes 
writeable=no
public=no 
guest ok=yes
available=1
##############END###########

Regards,
Shivappa
> On Sep 18, 2018, at 12:46, Rowland Penny <rpenny at samba.org> wrote:
> 
> On Tue, 18 Sep 2018 07:56:43 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
>> 
>> 
>> Begin forwarded message:
>> 
>> Date: Mon, 17 Sep 2018 22:36:21 -0500 (CDT)
>> From: shivappa Sangapur via samba-technical
>> <samba-technical at lists.samba.org> To: samba-technical at
lists.samba.org
>> Subject: Share cannot be accessed when samba is in Domain with
>> security enabled
>> 
>> 
>> Hi,
>> 
>> I'm using samba-4.7.4.
>> I have put my samba server in Domain. (Not using winbind) using NT
>> domain with user test.
>> /etc/password has 'test' user and pdbedit shows only
'test' user,
>> since I've joined this samba server to Windows domain.
>> domain server is Win2k12 R2.
>> In windows domain server,
>> I have enabled "Microsoft network client: Digitally sign
>> communications (Always)" in domain Policy.
>> 
>> I logged as 'Administrator' to Windows domain server PC and
>> I tried to access share of my samba server(samba-4.7.4) from windows
>> domain, but i get below error.
>> *"The account is not authorized to login from this station"*
>> 
>> Any idea why so ?
>> 
>> If I joined my other Windows 7 PC to domain using domain user
'test2'
>> and access samba-4.7.4 share, 
>> same error occurs.
>> If I joined my other Windows 7 PC to domain using domain user
'test'
>> and access samba-4.7.4 share, 
>> the share access successfully.
>> 
>> test,test2 have full rights as domain users, Administrator and
>> etc.....
>> 
>> Any suggestions ??
>> 
> 
> OK, as I said yesterday it sounds like you are running an NT domain on
> a win2k12R2 server, this isn't possible, so it sounds like a
> misconfiguration somewhere.
> 
> Please post your smb.conf
> 
> Post it here on the 'samba' mailing list, not on the 'samba
technical'
> list, that is not the correct place to post this type of question.
> 
> I think I know what your problem is, but until I see your smb.conf, I
> cannot be sure.
> 
> Rowland Penny
> Samba team member

On Tue, 18 Sep 2018 21:13:08 +0530
Shivappa <ssangapur3 at gmail.com> wrote:
> Hi Rowland,
> 
> Sorry, I shall post such questions to mailing list in future.
> 
> Here is my smb.conf
> 
> #############My smb.conf##########
> [global]
> workgroup=SAMBADFS
> server string=SMB Server
> netbios name=Shivatest
> realm=SAMBADFS.LOCAL 
> log level=1 
> log file= 
> max log size=2000 
> max smbd processes=100 
> security=ADS 
> password server=10.10.1.1 
> wins support=no 
> client NTLMv2 auth=Yes 
> wins proxy=no 
> server max protocol=SMB3 
> client max protocol=SMB3 
> dns proxy=no 
> wins server=0.0.0.0, 0.0.0.0
> name resolve order=lmhosts host wins bcast  
> map to guest=bad uid
> guest only=yes 
> guest account=root
> local master=no 
> encrypt passwords=yes 
> ntlm auth=yes 
> deadtime=60 
> server signing=auto 
> client signing=auto 
> dos charset=CP932 
> #my share
> [SHIVA_SHARE] 
> path=/etc/test 
> browseable=yes 
> writeable=no
> public=no 
> guest
 ok=yes
> available=1
> ##############END###########
> 
WOW, you are trying to run a Unix domain member as a standalone server.

security=ADS 

map to guest=bad uid
guest only=yes 
guest account=root

There are no authentication lines

Can I suggest you install and run winbind and then read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Either that, or run Samba as a standalone server, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

Rowland

Rowland,

Thanks for ur suggestions.
I have used “map to guest=never” and I no longer getting that original error.

Do you guess any other issues I may face with keeping stand-alone server and
above parameter.

So far it is working fine for me in Domain environment.

> 
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland
Penny via samba
> Sent: 18 September 2018 21:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] Share cannot be accessed when samba is in Domain with
security enabled
> 
> On Tue, 18 Sep 2018 21:13:08 +0530
> Shivappa <ssangapur3 at gmail.com> wrote:
> 
>> Hi Rowland,
>> 
>> Sorry, I shall post such questions to mailing list in future.
>> 
>> Here is my smb.conf
>> 
>> #############My smb.conf##########
>> [global]
>> workgroup=SAMBADFS
>> server string=SMB Server
>> netbios name=Shivatest
>> realm=SAMBADFS.LOCAL
>> log level=1
>> log file>> max log size=2000
>> max smbd processes=100
>> security=ADS
>> password server=10.10.1.1
>> wins support=no
>> client NTLMv2 auth=Yes
>> wins proxy=no
>> server max protocol=SMB3
>> client max protocol=SMB3
>> dns proxy=no
>> wins server=0.0.0.0, 0.0.0.0
>> name resolve order=lmhosts host wins bcast map to guest=bad uid guest 
>> only=yes guest account=root local master=no encrypt passwords=yes ntlm 
>> auth=yes
>> deadtime=60
>> server signing=auto
>> client signing=auto
>> dos charset=CP932
>> #my share
>> [SHIVA_SHARE]
>> path=/etc/test
>> browseable=yes
>> writeable=no
>> public=no
>> guest
> 
> ok=yes
>> available=1
>> ##############END###########
>> 
> 
> WOW, you are trying to run a Unix domain member as a standalone server.
> 
> security=ADS 
> 
> map to guest=bad uid
> guest only=yes
> guest account=root
> 
> There are no authentication lines
> 
> Can I suggest you install and run winbind and then read this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Either that, or run Samba as a standalone server, see here:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 24 Sep 2018 13:44:29 +0530
Shivappa <ssangapur3 at gmail.com> wrote:
> Rowland,
> 
> Thanks for ur suggestions.
> I have used “map to guest=never” and I no longer getting that
> original error.
> 
> Do you guess any other issues I may face with keeping stand-alone
> server and above parameter.
> 
> So far it is working fine for me in Domain environment.
If that is all you have changed, then I am surprised.

If you just want a standalone server without users, then I would expect
your smb.conf to look similar to this:

[global]
    workgroup = NOTSAMBADFS
    security = user
    server string = SMB Standalone Server

    log level = 1
    max log size = 2000 
    max smbd processes = 100 
    dns proxy = no
    guest only = yes
    map to guest = Bad User
    ntlm auth = yes 
    deadtime = 60
    dos charset = CP932 

#my share
[SHIVA_SHARE] 
    path = /etc/test
    guest ok = yes

The computer must not be joined to the domain and you would not create
any users on the standalone server and winbind doesn't need to run.

If however you want Domain users to log into the computer, it will need
to be a domain member and the smb.conf will need to be similar to this:

[global]
    workgroup = SAMBADFS
    security = ADS
    server string = SMB ADS Server
    realm = SAMBADFS.LOCAL

    log level = 1
    max log size = 2000
    max smbd processes = 100
    ntlm auth = yes
    deadtime = 60
    dos charset = CP932

    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config SAMBADFS : backend = rid
    idmap config SAMBADFS : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U

#my share
[SHIVA_SHARE] 
    path = /etc/test 

The computer will need to be joined to the domain, the users will come
from AD and winbind must be running.

I would also suggest you read 'man smb.conf', most of your smb.conf
lines were defaults (as is 'map to guest = yes')

Rowland