Mark Foley
2019-Aug-28 03:34 UTC
[Samba] Authenticating Samba Share with Domain Administrator
On Thu, 22 Aug 2019 08:04:10 +0100 Rowland penny <rpenny at samba.org> wrote:

> On 21/08/2019 22:47, Mark Foley via samba wrote:
> > I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
> > shared directories just fine without having to enter Credentials. If I try doing that with the
> > domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
> > "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
> > administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
> > "Authentication Failure".
> >
> > On the NAS, a getent for a normal user gives:
> >
> > # getent passwd mark
> > mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
> >
> > I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
> >
> > getent passwd Administrator
> > HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
> >
> > Is there some setting in the NAS smb.conf that will fix this?
> >
> > Here is my smb.conf on the NAS:
> >
> > # Global parameters
> > [global]
> > netbios name = OHPRSSTORAGE
> >
> > server string = HPRS NAS server
> >
> > domain master = no
> > prefered master = no
> >
> > realm = HPRS.LOCAL
> > workgroup = HPRS
> > usershare allow guests = Yes
> > usershare max shares = 10
> > security = ADS
> > template shell = /bin/bash
> >
> > max log size = 10000
> >
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config HPRS:backend = ad
> > idmap config HPRS:schema_mode = rfc2307
> > idmap config HPRS:range = 10000-10099
> >
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind nss info = rfc2307
> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > winbind use default domain = Yes
> >
> > [Backups]
> > comment = HPRS domain current backup repository
> > path = /mnt/RAID/Backups
> > public = yes
> > guest ok = yes
> > guest only = yes
> > writeable = yes
> > browseable = yes
> > printable = no
> > force user = ohprso
> > force group = ohprs
> > create mask = 0660
> > directory mask = 2771
> >
> Mark, from a quick search, slackware 14.2 uses Samba 4.6.16 at maximum,
> this is EOL as far as Samba is concerned.
>
> There is nothing you can do to get Administrator to log into a Unix
> domain member, but you can map Administrator to the root user. Add this
> line to your smb.conf:
>
>     username map = /etc/samba/user.map
>
> Create /etc/samba/user.map containing just this:
>
> !root = HPRS\Administrator
>
> Coming back to your smb.conf and the [Backups] share in particular, you
> should remove 'public = yes', it means the same as 'guest ok = yes'.
> However, you might as well also remove 'guest ok = yes' and 'guest only
> = yes' because you do not have 'map to guest = bad user' set in
> [global], so you will not get any guest access ;-)
>
> Rowland

Thanks for the feedback. I removed 'public = yes', 'guest ok = yes' and 'guest only = yes'
from my [Backups] section, but problem ...

While Windows users could still map the [Backups] mount, the Acronis Backup on ALL office
workstations failed. Acronis has the destination as a sub-folder of [Backups]. When I put those
directives back, the backups succeeded.

I'm no expert at smb.conf by any stretch. I adapted these settings from kjhambrick's smb.conf
at LinuxQuestions.org. These public/guest settings must be needed for some reason.

Before I go to the trouble of adding that 'user map' directive, how will that work? Will the
remote samba client have to use 'root' as the login credential or 'Administrator'? If, when
mapping the drive, the (WIN7) client can use Administrator's credentials, that will work for
what I want. If the client has to use root, that's probably not going to work.

Please advise.

Also, this Slackware 14.2 NAS system is running Samba 4.6.16. The Slackware 14.2 AD/DC is running 4.8.2.
For my purposes, does that matter? Should I upgrade the NAS to 4.8.2?
Rowland penny
2019-Aug-28 08:26 UTC
[Samba] Authenticating Samba Share with Domain Administrator
On 28/08/2019 04:34, Mark Foley via samba wrote:
> On Thu, 22 Aug 2019 08:04:10 +0100 Rowland penny <rpenny at samba.org> wrote:
>> On 21/08/2019 22:47, Mark Foley via samba wrote:
>>> I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
>>> shared directories just fine without having to enter Credentials. If I try doing that with the
>>> domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
>>> "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
>>> administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
>>> "Authentication Failure".
>>>
>>> On the NAS, a getent for a normal user gives:
>>>
>>> # getent passwd mark
>>> mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>>>
>>> I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
>>>
>>> getent passwd Administrator
>>> HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
>>>
>>> Is there some setting in the NAS smb.conf that will fix this?
>>>
>>> Here is my smb.conf on the NAS:
>>>
>>> # Global parameters
>>> [global]
>>> netbios name = OHPRSSTORAGE
>>>
>>> server string = HPRS NAS server
>>>
>>> domain master = no
>>> prefered master = no
>>>
>>> realm = HPRS.LOCAL
>>> workgroup = HPRS
>>> usershare allow guests = Yes
>>> usershare max shares = 10
>>> security = ADS
>>> template shell = /bin/bash
>>>
>>> max log size = 10000
>>>
>>> load printers = no
>>> printing = bsd
>>> printcap name = /dev/null
>>> disable spoolss = yes
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>> idmap config HPRS:backend = ad
>>> idmap config HPRS:schema_mode = rfc2307
>>> idmap config HPRS:range = 10000-10099
>>>
>>> winbind enum groups = Yes
>>> winbind enum users = Yes
>>> winbind nss info = rfc2307
>>> winbind offline logon = Yes
>>> winbind refresh tickets = Yes
>>> winbind use default domain = Yes
>>>
>>> [Backups]
>>> comment = HPRS domain current backup repository
>>> path = /mnt/RAID/Backups
>>> public = yes
>>> guest ok = yes
>>> guest only = yes
>>> writeable = yes
>>> browseable = yes
>>> printable = no
>>> force user = ohprso
>>> force group = ohprs
>>> create mask = 0660
>>> directory mask = 2771
>>>
>> Mark, from a quick search, slackware 14.2 uses Samba 4.6.16 at maximum,
>> this is EOL as far as Samba is concerned.
>>
>> There is nothing you can do to get Administrator to log into a Unix
>> domain member, but you can map Administrator to the root user. Add this
>> line to your smb.conf:
>>
>>     username map = /etc/samba/user.map
>>
>> Create /etc/samba/user.map containing just this:
>>
>> !root = HPRS\Administrator
>>
>> Coming back to your smb.conf and the [Backups] share in particular, you
>> should remove 'public = yes', it means the same as 'guest ok = yes'.
>> However, you might as well also remove 'guest ok = yes' and 'guest only
>> = yes' because you do not have 'map to guest = bad user' set in
>> [global], so you will not get any guest access ;-)
>>
>> Rowland
>>
> Thanks for the feedback. I removed 'public = yes', 'guest ok = yes' and 'guest only = yes'
> from my [Backups] section, but problem ...
>
> While Windows users could still map the [Backups] mount, the Acronis Backup on ALL office
> workstations failed. Acronis has the destination as a sub-folder of [Backups]. When I put those
> directives back, the backups succeeded.
>
> I'm no expert at smb.conf by any stretch. I adapted these settings from kjhambrick's smb.conf
> at LinuxQuestions.org. These public/guest settings must be needed for some reason.

Can you provide a link please ;-)

> Before I go to the trouble of adding that 'user map' directive, how will that work? Will the
> remote samba client have to use 'root' as the login credential or 'Administrator'? If, when
> mapping the drive, the (WIN7) client can use Administrator's credentials, that will work for
> what I want. If the client has to use root, that's probably not going to work.

Using Administrator on a Windows machine is not a problem, using Windows on a Unix domain
member is, unless it is coming from Windows to a Unix domain member that has a user.map that
maps 'Administrator' to 'root'.

Having the 'guest' lines in your share means that whoever is running the backups is unknown
to Samba.

> Please advise.
>
> Also, this Slackware 14.2 NAS system is running Samba 4.6.16. The Slackware 14.2 AD/DC is running 4.8.2.
> For my purposes, does that matter? Should I upgrade the NAS to 4.8.2?

This is entirely your decision, all I can do is to advise you that 4.6.x is EOL from the Samba
point of view and that in a matter of weeks, 4.8.x will be as well.

Samba is a rapidly evolving system and problems (aka bugs) get fixed and any problems you may
have, are likely to have been fixed in later versions (some get backported, but only by Samba to
non EOL versions). That is why we always advise upgrading.

Rowland
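Mark asks above which credential the Windows client has to present once the map is in place, and Rowland's answer is that the client keeps using Administrator. The script below is an added example, not code from this thread or from the Samba project: it applies the rules smb.conf(5) gives for the 'username map' file (one 'unixname = winnames' entry per line, '#' or ';' comments, a leading '!' that stops processing after a match, '*' as a wildcard, '@group' entries, case-insensitive comparison as smbd does it) to a constructed map that contains Rowland's '!root = HPRS\Administrator' line. The second map line, the 'backupops' group membership table and the login names tried are assumptions made up for the example; they are there to show what quoting, an '@group' entry and a missing '!' do.

```shell
#!/bin/sh
# Added example: resolve an SMB login name through a Samba "username map"
# file the way smbd does, per smb.conf(5) "username map":
#   - each line is   unixname = winname1 winname2 ...   (names may be
#     double-quoted, separated by spaces or commas)
#   - a line whose unixname starts with '#' or ';' is a comment
#   - a leading '!' means: stop processing once this line has matched;
#     without it, processing continues and a later match overrides
#   - a '*' anywhere on the right-hand side matches every login name
#   - '@group' on the right-hand side matches members of that Unix group
#   - names are compared case-insensitively
# Everything below is constructed for the example, not taken from the NAS.

# Constructed user.map: Rowland's line plus one assumed extra line.
USER_MAP='# /etc/samba/user.map (constructed)
!root = HPRS\Administrator
; only reached when the line above did not match
backup = "HPRS\svc backup" @backupops
'

# Constructed stand-in for the NSS/winbind group lookup smbd would do.
in_unix_group() {   # in_unix_group <group> <login>
    case "$1:$2" in
        backupops:alice|backupops:bob) return 0 ;;
    esac
    return 1
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
trim()  { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# name_in_list <login> <right-hand side of a map line>
name_in_list() {
    want="$(lower "$1")"
    q='"'
    case "$2" in *'*'*) return 0 ;; esac             # wildcard entry matches everyone
    rhs="$(printf '%s' "$2" | tr ',\t' '  ')"         # commas and tabs separate names
    while [ -n "$rhs" ]; do
        case "$rhs" in
            ' '*)  rhs="${rhs#?}"; continue ;;        # skip separators
            "$q"*) rhs="${rhs#?}"; entry="${rhs%%$q*}" # quoted name keeps its spaces
                   case "$rhs" in *"$q"*) rhs="${rhs#*$q}" ;; *) rhs="" ;; esac ;;
            *)     entry="${rhs%% *}"; rhs="${rhs#"$entry"}" ;;
        esac
        case "$entry" in
            '@'*) in_unix_group "${entry#@}" "$1" && return 0 ;;
            *)    [ "$(lower "$entry")" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# map_username <login>: prints the Unix name smbd continues with
map_username() {
    login="$1"; result="$1"
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac   # lines without '=' are ignored
        unixname="$(trim "${line%%=*}")"
        stop=0
        case "$unixname" in '!'*) stop=1; unixname="$(trim "${unixname#?}")" ;; esac
        case "$unixname" in ''|'#'*|';'*) continue ;; esac
        if name_in_list "$login" "${line#*=}"; then
            result="$unixname"
            if [ "$stop" -eq 1 ]; then break; fi
        fi
    done <<EOF
$USER_MAP
EOF
    printf '%s\n' "$result"
}

# What the credentials a Windows 7 client presents turn into on the NAS:
for login in 'HPRS\Administrator' 'hprs\administrator' 'HPRS\mark' 'alice' 'HPRS\svc backup'; do
    printf '%-22s -> %s\n' "$login" "$(map_username "$login")"
done
```

The client never sees 'root': it authenticates as HPRS\Administrator against the domain, and only after that does smbd swap the Unix identity it will run the session as. A login name that matches nothing in the map comes out unchanged, which is why ordinary domain users keep working with the map in place.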
Rowland penny
2019-Aug-28 09:22 UTC
[Samba] Authenticating Samba Share with Domain Administrator
On 28/08/2019 09:26, Rowland penny via samba wrote:
> On 28/08/2019 04:34, Mark Foley via samba wrote:
>> On Thu, 22 Aug 2019 08:04:10 +0100 Rowland penny <rpenny at samba.org>
>> wrote:
>>> On 21/08/2019 22:47, Mark Foley via samba wrote:
>>>> I have a NAS (Linux/Slackware 14.2) that is a domain member. "Normal" AD Windows users can map
>>>> shared directories just fine without having to enter Credentials. If I try doing that with the
>>>> domain Administrator it prompts me for the credentials, then fails. On the NAS I can get an
>>>> "OK" status with ntlm_auth using the administrator credentials. I cannot 'su -' to the
>>>> administrator account on the NAS, nor can I do so on the AD/DC. On the latter I get
>>>> "Authentication Failure".
>>>>
>>>> On the NAS, a getent for a normal user gives:
>>>>
>>>> # getent passwd mark
>>>> mark:*:10001:10000:Mark Foley:/home/HPRS/mark:/bin/bash
>>>>
>>>> I cannot getent for the administrator on the NAS (comes back blank), but I can do so on the AD/DC:
>>>>
>>>> getent passwd Administrator
>>>> HPRS\administrator:*:0:10000:Administrator:/home/HPRS/administrator:/bin/bash
>>>>
>>>> Is there some setting in the NAS smb.conf that will fix this?
>>>>
>>>> Here is my smb.conf on the NAS:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> netbios name = OHPRSSTORAGE
>>>>
>>>> server string = HPRS NAS server
>>>>
>>>> domain master = no
>>>> prefered master = no
>>>>
>>>> realm = HPRS.LOCAL
>>>> workgroup = HPRS
>>>> usershare allow guests = Yes
>>>> usershare max shares = 10
>>>> security = ADS
>>>> template shell = /bin/bash
>>>>
>>>> max log size = 10000
>>>>
>>>> load printers = no
>>>> printing = bsd
>>>> printcap name = /dev/null
>>>> disable spoolss = yes
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9999
>>>> idmap config HPRS:backend = ad
>>>> idmap config HPRS:schema_mode = rfc2307
>>>> idmap config HPRS:range = 10000-10099
>>>>
>>>> winbind enum groups = Yes
>>>> winbind enum users = Yes
>>>> winbind nss info = rfc2307
>>>> winbind offline logon = Yes
>>>> winbind refresh tickets = Yes
>>>> winbind use default domain = Yes
>>>>
>>>> [Backups]
>>>> comment = HPRS domain current backup repository
>>>> path = /mnt/RAID/Backups
>>>> public = yes
>>>> guest ok = yes
>>>> guest only = yes
>>>> writeable = yes
>>>> browseable = yes
>>>> printable = no
>>>> force user = ohprso
>>>> force group = ohprs
>>>> create mask = 0660
>>>> directory mask = 2771
>>>>
>>> Mark, from a quick search, slackware 14.2 uses Samba 4.6.16 at maximum,
>>> this is EOL as far as Samba is concerned.
>>>
>>> There is nothing you can do to get Administrator to log into a Unix
>>> domain member, but you can map Administrator to the root user. Add this
>>> line to your smb.conf:
>>>
>>>     username map = /etc/samba/user.map
>>>
>>> Create /etc/samba/user.map containing just this:
>>>
>>> !root = HPRS\Administrator
>>>
>>> Coming back to your smb.conf and the [Backups] share in particular, you
>>> should remove 'public = yes', it means the same as 'guest ok = yes'.
>>> However, you might as well also remove 'guest ok = yes' and 'guest only
>>> = yes' because you do not have 'map to guest = bad user' set in
>>> [global], so you will not get any guest access ;-)
>>>
>>> Rowland
>>>
>> Thanks for the feedback. I removed 'public = yes', 'guest ok = yes' and 'guest only = yes'
>> from my [Backups] section, but problem ...
>>
>> While Windows users could still map the [Backups] mount, the Acronis Backup on ALL office
>> workstations failed. Acronis has the destination as a sub-folder of [Backups]. When I put those
>> directives back, the backups succeeded.
>>
>> I'm no expert at smb.conf by any stretch. I adapted these settings from kjhambrick's smb.conf
>> at LinuxQuestions.org. These public/guest settings must be needed for some reason.
> Can you provide a link please ;-)

Don't bother, I have found it ;-)

This is the last smb.conf on that page (with default settings removed):

[global]
    workgroup = HPRS
    security = ADS
    realm = HPRS.LOCAL
    server string = HPRS NAS server
    domain master = no
    prefered master = no
    usershare allow guests = Yes
    usershare max shares = 10
    template shell = /bin/bash
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config HPRS:backend = ad
    idmap config HPRS:schema_mode = rfc2307
    idmap config HPRS:range = 10000-10099
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind use default domain = Yes

[public]
    comment = OHPRS main file and document repository
    path = /mnt/RAID/public
    hide files = /Outlook/outlook/~*/
    veto oplock files = /OfficeCalendar.pst/
    inherit acls = yes
    valid users = @"domain users"
    public = yes
    read only = no
    create mask = 0660
    force create mode = 0660
    directory mask = 0771

There is nothing wrong with the [global] portion (as far as it goes), but
there is a big problem with the [public] share. You have a 'valid users'
line and a 'public = yes' line, the two are mutually exclusive. An unknown
user is mapped to the guest user (if 'map to guest = bad user' is set in
[global]) before it gets anywhere near a share, however, because you have
a 'valid users' line, the guest user would be denied access unless the
user was also a member of Domain Users, but it wouldn't be because it is
an unknown user!

From memory, you have Windows workstations, so you need to use the Unix
domain member as if it is a Windows machine, so add these lines to smb.conf:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
    username map = /etc/samba/user.map

Create the user.map containing this:

!root = HPRS\Administrator

Change the share to this:

[public]
    comment = OHPRS main file and document repository
    path = /mnt/RAID/public
    hide files = /Outlook/outlook/~*/
    veto oplock files = /OfficeCalendar.pst/
    read only = no

Then go and read this:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Just one last thought, you have added uidNumber & gidNumber attributes to
your users & groups in AD, haven't you ?

Rowland
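Across the thread Rowland makes three points about guest settings: 'public' is only a synonym for 'guest ok'; 'guest ok = yes' does nothing while [global] leaves 'map to guest' at its default of 'never'; and 'valid users' together with 'guest ok = yes' is contradictory because the guest account can never be on the 'valid users' list. The lint below is an added example, not a Samba tool: a small POSIX shell parser for smb.conf that applies those three rules. The config it reads is constructed for the example and condenses the NAS [Backups] share, the [public] share from the LinuxQuestions post, and a [fixed] share as Rowland rewrote it; section and parameter names are compared case-insensitively with whitespace inside parameter names ignored, as Samba does.

```shell
#!/bin/sh
# Added example: lint the guest-related settings of smb.conf shares.
#   1. 'public' is a synonym for 'guest ok'; defining both is redundant
#   2. 'guest ok = yes' has no effect unless [global] sets 'map to guest'
#      to something other than 'never' (the default), e.g. 'bad user'
#   3. 'valid users' and 'guest ok = yes' on one share contradict each
#      other: the guest account is never on the 'valid users' list
# SMB_CONF is constructed for this example; replace it with the contents
# of a real file to lint that instead.

SMB_CONF='# constructed smb.conf
[global]
    workgroup = HPRS
    security = ADS
    realm = HPRS.LOCAL
    idmap config HPRS:backend = ad

[Backups]
    path = /mnt/RAID/Backups
    public = yes
    guest ok = yes
    guest only = yes
    writeable = yes
    force user = ohprso

[public]
    path = /mnt/RAID/public
    valid users = @"domain users"
    public = yes
    read only = no

[fixed]
    path = /mnt/RAID/public
    read only = no
'

TAB="$(printf '\t')"
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
trim()  { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# normalize: emit "section<TAB>key<TAB>value" for every parameter. Section
# and parameter names are lower-cased, whitespace inside parameter names
# is dropped, and the synonym 'public' is folded into 'guestok'.
normalize() {
    section=""
    while IFS= read -r line; do
        line="$(trim "$line")"
        case "$line" in
            ''|'#'*|';'*) continue ;;
            '['*']') section="$(lower "${line#?}")"; section="${section%?}"; continue ;;
        esac
        case "$line" in *=*) ;; *) continue ;; esac
        key="$(printf '%s' "${line%%=*}" | tr 'A-Z' 'a-z' | tr -d ' \t')"
        val="$(lower "$(trim "${line#*=}")")"
        case "$key" in public) key=guestok ;; esac
        printf '%s\t%s\t%s\n' "$section" "$key" "$val"
    done <<EOF
$SMB_CONF
EOF
}

# cfg <section> <key>: every value set for that parameter, one per line
cfg() { normalize | awk -F "$TAB" -v s="$1" -v k="$2" '$1 == s && $2 == k { print $3 }'; }

is_yes() { case "$1" in yes|true|1) return 0 ;; esac; return 1; }

# lint_share <share>: print one finding per line, nothing when clean
lint_share() {
    s="$(lower "$1")"
    guest="$(cfg "$s" guestok | tail -n 1)"          # last definition wins, as in Samba
    guest_defs=$(( $(cfg "$s" guestok | wc -l) ))
    valid="$(cfg "$s" validusers | tail -n 1)"
    map="$(cfg global maptoguest | tail -n 1)"
    [ -n "$map" ] || map=never                        # smb.conf(5) default
    if [ "$guest_defs" -gt 1 ]; then
        echo "$1: 'public' and 'guest ok' are synonyms, keep one of them"
    fi
    if is_yes "$guest"; then
        if [ "$map" = never ]; then
            echo "$1: guest ok = yes has no effect, [global] has map to guest = never (the default)"
        fi
        if [ -n "$valid" ]; then
            echo "$1: valid users and guest ok = yes contradict each other, a guest never passes valid users"
        fi
    fi
}

for share in Backups public fixed; do
    findings="$(lint_share "$share")"
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; else echo "$share: no guest/valid users conflicts"; fi
done
```

[Backups] trips rules 1 and 2, [public] trips rules 2 and 3, and the [fixed] share is clean. Note what rule 2 implies for Mark's observation that the backups broke without the guest lines: with 'map to guest' at its default those lines grant nothing, so whatever the Acronis jobs authenticate as, it is not the guest account.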