samba - Jan 2019 - In Mac SMB guest access is not working

Hi,

Previously using samba 4.7.7. Have upgraded the samba to 4.9.3. Other than
samba nothing changed in the server. After upgrade am unable to connect the
server through smb from MAC. I didnt change any smb.conf from 4.7 . Is
there any changes to be made for make it work.

Thanks

On Thu, Jan 3, 2019 at 7:55 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 3 Jan 2019 19:15:48 +0530
> VigneshDhanraj G via samba <samba at lists.samba.org> wrote:
>
> > Hi team,
> >
> > Upgraded samba from 4.7.x to 4.9.3, when i tried to connect my public
> > share using smb://ip/ through guest login in MAC my shares are not
> > listed if i am connected to AD.
> >
> > 2019/01/03 18:56:31.351985,  3, pid=1114, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >   check_ntlm_password:  mapped user is: []\[GUEST]@[HS-MBP-3]
> > [2019/01/03 18:56:31.352027, 10, pid=1114, effective(0, 0), real(0,
> > 0), class=auth] ../source3/auth/auth.c:202(auth_check_ntlm_password)
> >   check_ntlm_password: auth_context challenge created by random
> > [2019/01/03 18:56:31.352069, 10, pid=1114, effective(0, 0), real(0,
> > 0), class=auth] ../source3/auth/auth.c:204(auth_check_ntlm_password)
> >   challenge is:
> > [2019/01/03 18:56:31.352109,  5, pid=1114, effective(0, 0), real(0,
> > 0)] ../lib/util/util.c:514(dump_data)
> >   [0000] C2 91 43 77 80 4A 47 1B                             ..Cw.JG.
> > [2019/01/03 18:56:31.352182, 10, pid=1114, effective(0, 0), real(0,
> > 0),
> > class=auth]
../source3/auth/auth_builtin.c:41(check_anonymous_security)
> > Check auth for: [GUEST] [2019/01/03 18:56:31.352223, 10, pid=1114,
> > effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
> > auth_check_ntlm_password: anonymous had nothing to say [2019/01/03
> > 18:56:31.352265, 10, pid=1114, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth) Check
> > auth for: [GUEST] [2019/01/03 18:56:31.352311,  8, pid=1114,
> > effective(0, 0), real(0, 0)] ../source3/lib/util.c:1125(is_myname)
> >   is_myname("") returns 0
> > [2019/01/03 18:56:31.352353,  6, pid=1114, effective(0, 0), real(0,
> > 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
> >   check_samstrict_security:  is not one of my local names
> > (ROLE_DOMAIN_MEMBER)
> > [2019/01/03 18:56:31.352396, 10, pid=1114, effective(0, 0), real(0,
> > 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
> >   auth_check_ntlm_password: sam had nothing to say
> > [2019/01/03 18:56:31.352439, 10, pid=1114, effective(0, 0), real(0,
> > 0),
> > class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
> > Check auth for: [GUEST] [2019/01/03 18:56:31.352485,  4, pid=1114,
> > effective(0, 0), real(0,
> > 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx) push_sec_ctx(0, 0) :
> > sec_ctx_stack_ndx = 2 [2019/01/03 18:56:31.352530,  4, pid=1114,
> > effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:527(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> > [2019/01/03 18:56:31.352572,  4, pid=1114, effective(0, 0), real(0,
> > 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> > [2019/01/03 18:56:31.352614,  5, pid=1114, effective(0, 0), real(0,
> > 0)] ../libcli/security/security_token.c:53(security_token_debug)
> >   Security token: (NULL)
> > [2019/01/03 18:56:31.352655,  5, pid=1114, effective(0, 0), real(0,
> > 0)] ../source3/auth/token_util.c:850(debug_unix_user_token)
> >   UNIX token of user 0
> >   Primary group is 0 and contains 0 supplementary groups
> > [2019/01/03 18:56:31.583661,  4, pid=1114, effective(0, 0), real(0,
> > 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2019/01/03 18:56:31.583734, 10, pid=1114, effective(0, 0), real(0,
> > 0),
> > class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
> > check_winbind_security: wbcAuthenticateUserEx failed:
> > WBC_ERR_AUTH_ERROR [2019/01/03 18:56:31.583805,  5, pid=1114,
> > effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
> > auth_check_ntlm_password: winbind authentication for user [GUEST]
> > FAILED with error NT_STATUS_ACCOUNT_DISABLED, authoritative=1
> > [2019/01/03 18:56:31.583868,  2, pid=1114, effective(0, 0), real(0,
> > 0), class=auth] ../source3/auth/auth.c:334(auth_check_ntlm_password)
> > check_ntlm_password:  Authentication for user [GUEST] -> [GUEST]
> > FAILED with error NT_STATUS_ACCOUNT_DISABLED, authoritative=1
> >
> > Regards,
> > VigneshDhanraj G
>
> The 'GUEST' user isn't a Samba user, it is a Windows user and
is
> disabled by default and it should stay that way. It is insecure to
> enable it.
>
> You should also stop posting the same questions here and to the
> samba-technical mailing list, this is the place to post your type of
> questions. The samba-technical list is meant for development questions.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Fri, 4 Jan 2019 12:59:47 +0530
VigneshDhanraj G <vigneshdhanraj.g at gmail.com> wrote:
> Hi,
> 
> Previously using samba 4.7.7. Have upgraded the samba to 4.9.3. Other
> than samba nothing changed in the server. After upgrade am unable to
> connect the server through smb from MAC. I didnt change any smb.conf
> from 4.7 . Is there any changes to be made for make it work.
> 
This isn't really a Samba problem, using the AD Guest account is a BAD
idea, which is why it is disabled by default.

If you want to enable the guest user (did I say this a BAD idea ?),
then search the internet, I will not tell you how.

Rowland

Hi Rowland,

Below are the smb.conf which used in both 4.7 and 4.9

Global] available= yes restrict anonymous= 0 Workgroup= SAM netbios namex2
realm= SAM.COM <http://sam.com/> password server= 192.168.1.14, * idmap
backend= tdb idmap uid= 5000-9999999 idmap gid= 5000-9999999 idmap config
SAM  : backend= rid idmap config  SAM  : range= 10000000-19999999 securityADS
name resolve order= wins host bcast lmhosts client use spnego= yes dns
proxy= no winbind use default domain= no winbind nested groups= yes inherit
acls= yes winbind enum users= yes winbind enum groups= yes winbind
separator= \\ winbind cache time= 300 winbind offline logon= true template
shell= /bin/sh kerberos method= secrets and keytab map to guest= Bad User
host msdfs= yes strict allocate= no encrypt passwords= yes printcap namelpstat
printable= no load printers= yes max smbd processes= 500 getwd
cache= yes use sendfile= yes winbind sequence directory= /tmp/samba log
level= 0 max log size= 50 unix extensions= no dos charset= ascii state
directory= /mnt/system/samba/system cache directory= /tmp/samba/ ntlm authYes
winbind expand groups= 1 idmap config * : backend= tdb idmap config * :
range= 3000-7999

here used map to guest = Bad User. So previously able to connect smd as
guest. After upgrade to 4.9 unable to guest as only in mac. Able to connect
the share from linux machine using smbclient.

i had no clue for the behavioral change. I need to retain the previous
behavior as such in 4.7.

Thanks

On Fri, Jan 4, 2019 at 3:45 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 4 Jan 2019 12:59:47 +0530
> VigneshDhanraj G <vigneshdhanraj.g at gmail.com> wrote:
>
> > Hi,
> >
> > Previously using samba 4.7.7. Have upgraded the samba to 4.9.3. Other
> > than samba nothing changed in the server. After upgrade am unable to
> > connect the server through smb from MAC. I didnt change any smb.conf
> > from 4.7 . Is there any changes to be made for make it work.
> >
>
> This isn't really a Samba problem, using the AD Guest account is a BAD
> idea, which is why it is disabled by default.
>
> If you want to enable the guest user (did I say this a BAD idea ?),
> then search the internet, I will not tell you how.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba