Marco Gaiarin
2018-Sep-24 12:48 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hi! Rowland Penny via samba, on that day, wrote...

> > clearly, i've on [globals] 'map to guest = Bad User'.
> That is how it is supposed to work, if a known user tries to use a
> wrong password, the user is rejected. If the user is unknown, it is
> mapped to the guest user (usually 'nobody') and allowed access to
> shares where 'guest ok = yes' is set.

Exactly. I restate: roughly the same config file on samba 4.5 correctly permitted guest access from the local Administrator user...

> Not sure about this, perhaps it is the same reason as above, but we
> need more info, what is in the [global] section of the smb.conf ?

Domain member:

# Global parameters
[global]
	load printers = Yes
	log file = /var/log/samba/log.%M
	log level = 0
	map to guest = Bad User
	max log size = 5000
	netbios aliases = CUPSSV FILESV HOMESV
	panic action = /usr/share/samba/panic-action %d
	printcap name = cups
	realm = AD.FVG.LNF.IT
	security = ADS
	username map = /etc/samba/user.map
	winbind offline logon = Yes
	winbind use default domain = Yes
	workgroup = LNFFVG
	spoolss: architecture = Windows x64
	rpc_daemon:spoolssd = fork
	rpc_server:spoolss = external
	idmap config lnffvg : unix_nss_info = yes
	idmap config lnffvg : schema_mode = rfc2307
	idmap config lnffvg : range = 10000-49999
	idmap config lnffvg : backend = ad
	idmap config * : range = 5000-9999
	idmap config * : backend = tdb
	printing = cups

root at vdmsv1:/etc/samba# cat /etc/samba/user.map
!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

Domain controller (still samba 4.5):

[global]
	netbios name = VDCSV1
	realm = AD.FVG.LNF.IT
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = LNFFVG
	log level = 0
	server role = active directory domain controller
	template homedir = /home/%U
	template shell = /bin/bash
	idmap_ldb:use rfc2307 = yes

Thanks.

-- 
dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Rowland Penny
2018-Sep-24 13:08 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Mon, 24 Sep 2018 14:48:15 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba, on that day, wrote...
>
> > > clearly, i've on [globals] 'map to guest = Bad User'.
> > That is how it is supposed to work, if a known user tries to use a
> > wrong password, the user is rejected. If the user is unknown, it is
> > mapped to the guest user (usually 'nobody') and allowed access to
> > shares where 'guest ok = yes' is set.
>
> Exactly. I restate: roughly the same config file on samba 4.5 correctly
> permitted guest access from the local Administrator user...

There is no 'local Administrator', the domain user Administrator is mapped to the local user 'root'. So if the domain user 'Administrator' has the password 'thispass' and maps to 'root', who has the password 'diffpass', then the user will be rejected because the user is known (root) and the password is wrong (thispass).

Rowland
Marco Gaiarin
2018-Sep-24 14:42 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hi! Rowland Penny via samba, on that day, wrote...

> There is no 'local Administrator', the domain user Administrator is
> mapped to the local user 'root'. So if the domain user 'Administrator'
> has the password 'thispass' and maps to 'root', who has the password
> 'diffpass', then the user will be rejected because the user is known
> (root) and the password is wrong (thispass).

OK, interesting. With this hint, going back to the logs I've got:

[2018/09/24 11:31:02.652917, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]

so it seems that effectively the local Administrator user (e.g. UNCI-UNCI\Administrator) gets mapped to 'root', where indeed the password does not match (and UNCI-UNCI\root does not exist ;).

What I really don't understand is:

a) why evidently in samba 4.5 this mapping does NOT get done.

b) I've tried to modify 'user.map' from:

!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator

to

!root = LNFFVG\Administrator LNFFVG\administrator

hoping for strict matching, but it seems the match still gets done (but I've only reloaded smbd, not restarted it).

And, sorry Rowland, there IS A 'local Administrator' for every Windows PC, and it is a different user from DOMAIN\Administrator...
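As an added example (not code from the thread or from the Samba project): a small parser for the human-readable auth_log.c line quoted above, plus a check that pulls out the logons where an account from some domain other than the AD domain was folded into root by the username map. The AD domain name LNFFVG is taken from the smb.conf posted earlier; the first log line is the one from the message above, the other two log lines, their hostnames and the user mrossi are constructed for illustration.

```python
"""Parse Samba's human-readable auth log lines (auth/auth_log.c) and flag
logons where a non-domain account was folded into root by 'username map'.

Added example for this thread; not Samba code.  The line format follows the
log level 2 message quoted above.  ad_domain defaults to LNFFVG from the
smb.conf in the thread; sample lines 3 and 4 below are constructed."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_type>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] "
    r"with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
    # present only when the map changed the name; note the trailing '.'
    r"(?: mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]\.)?"
    r"(?: local host \[(?P<local>[^\]]*)\])?"
)


@dataclass
class AuthEvent:
    service: str
    domain: str
    user: str
    method: str
    status: str
    workstation: str
    remote: str
    mapped_domain: Optional[str]
    mapped_user: Optional[str]


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an 'Auth:' line, None for any other line."""
    m = AUTH_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return AuthEvent(
        service=g["service"], domain=g["domain"], user=g["user"],
        method=g["method"], status=g["status"], workstation=g["workstation"],
        remote=g["remote"], mapped_domain=g["mapped_domain"],
        mapped_user=g["mapped_user"],
    )


def foreign_root_mappings(lines: Iterable[str], ad_domain: str = "LNFFVG") -> List[AuthEvent]:
    """Events where an account from a domain other than ad_domain (typically
    a workstation-local account such as PCNAME\\Administrator) was mapped to
    root.  Those logons can never fall through to guest: after the map the
    user is 'root', a known user, so a wrong password is a plain rejection."""
    hits = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None or ev.mapped_user != "root":
            continue
        if ev.domain.lower() != ad_domain.lower():
            hits.append(ev)
    return hits


SAMPLE_LOG = [
    # the two lines quoted in the thread (log level 2 on the domain member)
    r"[2018/09/24 11:31:02.652917, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)",
    r"  Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]",
    # constructed: the domain Administrator, the account the map is meant for
    r"  Auth: [SMB2,(null)] user [LNFFVG]\[Administrator] at [lun, 24 set 2018 11:32:10.000000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [ADMINPC] remote host [ipv4:10.5.2.10:50001] mapped to [LNFFVG]\[root]. local host [ipv4:10.5.1.26:445]",
    # constructed: a domain user with a wrong password, no mapping involved
    r"  Auth: [SMB2,(null)] user [LNFFVG]\[mrossi] at [lun, 24 set 2018 11:33:00.000000 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PC7] remote host [ipv4:10.5.2.77:50100] local host [ipv4:10.5.1.26:445]",
]


if __name__ == "__main__":
    for ev in foreign_root_mappings(SAMPLE_LOG):
        print(f"{ev.domain}\\{ev.user} from {ev.workstation} ({ev.remote}) "
              f"mapped to {ev.mapped_domain}\\{ev.mapped_user}: {ev.status}")
```

Run against the three sample lines, only the UNCI-UNCI\Administrator logon is reported: the domain Administrator is also mapped to root, but that is what the map is for, and the mrossi line carries no "mapped to" part at all. Feeding it the real log.%M files of the member server would show whether any other workstation accounts hit the unqualified "Administrator" entries in user.map.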
L.P.H. van Belle
2018-Sep-24 14:50 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
You know what Windows did with the "default" local Administrator on the PC... They disabled it... If you joined a domain, then still, the PC Administrator is disabled. And the user is called PCNAME\Administrator and not Administrator. You have "BUILTIN\Administrator" on the servers (or SERVERNAME\Administrator).

I hope this helps you understand your problem a bit more.

See also: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 24 September 2018 16:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
>
> [...]
>
> And, sorry Rowland, there IS A 'local Administrator' for every Windows
> PC, and it is a different user from DOMAIN\Administrator...