L.P.H. van Belle
2018-Sep-24 14:50 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
You know what Windows did with the "default" local Administrator on the PC: they disabled it.
If you joined a domain, then still, the PC administrator is disabled.
And the user is called PCNAME\Administrator and not Administrator.
You have "BUILTIN\Administrator" on the servers (or SERVERNAME\Administrator).

I hope this helps you understand your problem a bit more.
See also:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Monday 24 September 2018 16:43
> To: samba at lists.samba.org
> Subject: Re: [Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
>
> Hi! Rowland Penny via samba
>   On that day it was said...
>
> > There is no 'local Administrator', the domain user Administrator is
> > mapped to the local user 'root'. So if the domain user 'Administrator'
> > has the password 'thispass' and maps to 'root', who has the password
> > 'diffpass', then the user will be rejected because the user is known
> > (root) and the password is wrong (thispass).
>
> OK, interesting. With this hint, I went back to the logs and I've got:
>
>   [2018/09/24 11:31:02.652917, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. local host [ipv4:10.5.1.26:445]
>
> so it seems that effectively the local Administrator user (e.g.
> UNCI-UNCI\Administrator) gets mapped to 'root', where indeed the password
> does not match (and UNCI-UNCI\root does not exist ;).
>
> What I really do not understand is:
>
> a) why evidently in samba 4.5 this mapping does NOT get done.
>
> b) I've tried to modify 'user.map' from:
>
>   !root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator
>
> to
>
>   !root = LNFFVG\Administrator LNFFVG\administrator
>
> hoping for strict matching, but it seems that the match still gets done (but
> I've only reloaded smbd, not restarted it).
>
> And, sorry Rowland, there IS A 'local Administrator' for every Windows
> PC, and it is a different user from DOMAIN\Administrator...
>
> --
> dott. Marco Gaiarin                       GNUPG Key ID: 240A3D66
> Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
> Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
> marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
> Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Marco Gaiarin
2018-Sep-24 15:33 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
Hi! L.P.H. van Belle via samba
  On that day it was said...

> I hope this helps you understanding your problem a bit more.
> See also:
> https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts

No, wait. I've probably mixed up too many things, and made a lot of confusion. Restart.

Say my domain is 'LNFFVG', and my Windows 7 box is 'DOMINIQUE'.

Before upgrading my domain members to samba 4.8 (from 4.5) I could access a 'guest' share using the DOMINIQUE\Administrator user without trouble. Probably (and correctly, from my point of view) the domain member does not find the 'DOMINIQUE\Administrator' user, and so maps it to guest. Bingo.

After upgrading to 4.8, I've found that I cannot anymore 'guest access' the share, it seems because the domain member server maps 'DOMINIQUE\Administrator' to 'root' (as I'm expecting it will do, but for 'LNFFVG\Administrator', a very different user ;) and, clearly, credentials do not match).

NOTE that, for other non-guest-access user shares, when I try an access with 'DOMINIQUE\Administrator', Windows Explorer asks me for credentials, as expected.

I don't want to alter the default 'Administrator' and 'guest' user on my workstation, nor do something strange client side... I simply need to restore the old behaviour (or, speaking better: understand why the mapping changed from 4.5 to 4.8...) to have 'DOMINIQUE\Administrator' be mapped to guest.

--
dott. Marco Gaiarin                       GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''       http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Rowland Penny
2018-Sep-24 15:54 UTC
[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.
On Mon, 24 Sep 2018 17:33:47 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! L.P.H. van Belle via samba
>   On that day it was said...
>
> > I hope this helps you understanding your problem a bit more.
> > See also:
> > https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
>
> No, wait. I've probably mixed up too many things, and made a lot of
> confusion. Restart.
>
> Say my domain is 'LNFFVG', and my Windows 7 box is 'DOMINIQUE'.
>
> Before upgrading my domain members to samba 4.8 (from 4.5) I could
> access a 'guest' share using the DOMINIQUE\Administrator user without
> trouble. Probably (and correctly, from my point of view) the domain member
> does not find the 'DOMINIQUE\Administrator' user, and so maps it to guest.
> Bingo.

The above would be true except for this line you have in smb.conf:

    winbind use default domain = Yes

> After upgrading to 4.8, I've found that I cannot anymore 'guest
> access' the share, it seems because the domain member server maps
> 'DOMINIQUE\Administrator' to 'root' (as I'm expecting it will do, but
> for 'LNFFVG\Administrator', a very different user ;) and, clearly,
> credentials do not match).
>
> NOTE that, for other non-guest-access user shares, when I try an access with
> 'DOMINIQUE\Administrator', Windows Explorer asks me for credentials, as
> expected.

So when either 'DOMINIQUE\Administrator' or 'LNFFVG\Administrator' connects, they both become 'Administrator', who then gets mapped to 'root'.

> I don't want to alter the default 'Administrator' and 'guest' user on
> my workstation, nor do something strange client side... I simply need
> to restore the old behaviour (or, speaking better: understand why the mapping
> changed from 4.5 to 4.8...) to have 'DOMINIQUE\Administrator' be
> mapped to guest.

I don't understand why you are trying to use a local user on a domain joined machine.

Rowland
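
Added example, not part of the thread and not Samba's own code: a small Python resolver for the `username map` file syntax described in smb.conf(5), run over the two `user.map` lines quoted earlier in the thread. It assumes case-insensitive name comparison and does not model which form of the name (qualified or bare) smbd presents to the map; the function names are hypothetical.

```python
# Added example: resolve client names against a Samba "username map" file.
# Syntax per smb.conf(5): "unix = client names", '#' or ';' comment lines,
# a leading '!' stops processing once that line matches, '*' is a wildcard.
# Not handled here: @group entries and quoted names containing spaces.

def parse_map(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:]
        unix, sep, names = line.partition("=")
        if not sep:
            continue  # not a mapping line
        rules.append((unix.strip(), [n.lower() for n in names.split()], stop))
    return rules

def resolve(rules, presented):
    """Return the UNIX name the map yields for `presented`, or None."""
    mapped = None
    key = presented.lower()  # assumption: comparison is case-insensitive
    for unix, names, stop in rules:
        if "*" in names or key in names:
            mapped = unix      # later matching lines override earlier ones
            if stop:
                break          # '!' line matched: stop processing
    return mapped

def privileged_bare_names(rules, privileged=("root",)):
    """Client names lacking a DOMAIN\\ prefix that map to a privileged account."""
    return sorted({n for unix, names, _ in rules if unix in privileged
                   for n in names if "\\" not in n and not n.startswith("@")})

# The two user.map lines quoted in the thread.
ORIGINAL = r"!root = LNFFVG\Administrator LNFFVG\administrator Administrator administrator"
MODIFIED = r"!root = LNFFVG\Administrator LNFFVG\administrator"

if __name__ == "__main__":
    probes = (r"LNFFVG\Administrator", r"DOMINIQUE\Administrator", "Administrator")
    for label, text in (("original", ORIGINAL), ("modified", MODIFIED)):
        rules = parse_map(text)
        for name in probes:
            print(f"{label:8} {name:24} -> {resolve(rules, name)}")
        print(f"{label:8} bare names mapped to root: {privileged_bare_names(rules)}")
```

Any bare name reported by `privileged_bare_names` will map to root for every account that reaches the map as that unqualified name, whichever machine or domain it came from.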