thr3ads.net - samba - [Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest) [Jan 2025]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2025-Jan-17 21:39 UTC

[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)

On Fri, 17 Jan 2025 22:32:03 +0100
Carlos Alberto Balseiro Mayi via samba <samba at lists.samba.org> wrote:
> ?
> HI everyone.
> 
> I've been analyzing a problem with an embedded Linux/FPGA device that
> in some cases was failing to run properly when using files from a
> samba share. After some time I've found it is related to Samba bug
> 12783 and setting kernel oplocks on global fix the issue. 
> 
> But while looking at that I have found a strange behavior I can't
> understand. I have guest ok = yes on the share and map to guest = Bad
> User on global.
> 
> If I mount the share with a bad user, everything works OK and I can
> see the device lock on the file with smbstatus.
> 
> But if I mount the samba share with sec=none , the program will throw
> an error, I think because it wasn't able to adquire a lock on the
> file - I don't see a lock in smbstatus.
> 
> In both cases the connection is assigned to nobody, as configured for
> guest connections. I run samba 4.20.5 on Truenas Scale 24.10 . I have
> attached to this mail:
> 
> - the output of testparm -s
> 
> - the audit logs provided by Truenas when I connect with bad user and
> with sec=none
> 
> - the smbstatus when connected with bad user and with sec=none
> 
> Any idea what can be happening?
> 
> Best Regards,
> 
> Carlos A. Balseiro
This list strips attachments, please post again but this time add the
attachments inline or post them somewhere and provide links.

Rowland

Carlos Alberto Balseiro Mayi

2025-Jan-17 21:55 UTC

head link

[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)

testparm -s output:
> Load smb config files from /etc/smb4.conf
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility 
> fallback)
> 
> Server role: ROLE_STANDALONE
> 
> # Global parameters
> [global]
> bind interfaces only = Yes
> disable spoolss = Yes
> dns proxy = No
> load printers = No
> logging = file
> map to guest = Bad User
> max log size = 5120
> passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
> printcap name = /dev/null
> registry shares = Yes
> server multi channel support = No
> server string = TrueNAS Server
> winbind request timeout = 2
> workgroup = CORUSCANT
> idmap config * : range = 90000001 - 100000000
> fruit:zero_file_id = False
> fruit:nfs_aces = False
> idmap config * : backend = tdb
> create mask = 0664
> directory mask = 0775
> kernel oplocks = Yes
> 
> (REMOVED INFO FROM SHARES NOT INVOLVED IN THIS)
> 
> [descargas]
> ea support = No
> guest ok = Yes
> path = /mnt/NAS/descargas
> read only = No
> smbd max xattr size = 2097152
> vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core io_uring
> tn:vuid > fruit:time machine max size = 0
> fruit:time machine = False
> nfs4:chown = True
> tn:home = False
> tn:path_suffix > tn:purpose = MULTI_PROTOCOL_NFS
Audit bad user:
> Logon ID: '0'
> Logon Type: 3
> Local Address: ipv4:192.168.1.4:445
> Remote Address: ipv4:192.168.1.100:55186
> Service Description: SMB2
> Auth Description: Null
> Client Domain: ''
> Client Account: badusertest
> Workstation: ''
> Became Account: Null
> Became Domain: Null
> Became Sid: Null
> Mapped Account: badusertest
> Mapped Domain: ''
> Netlogon Computer: Null
> Netlogon Trust Account: Null
> Netlogon Negotiate Flags: '0x00000000'
> Netlogon Secure Channel Type: 0
> Netlogon Trust Account Sid: Null
> Password Type: NTLMv2
> Client Policy Access Check: Null
> Server Policy Access Check: Null
> Vers:
> Major: 0
> Minor: 1
> Result:
> Type: NTSTATUS
> Value Raw: 3221225572
> Value Parsed: NT_STATUS_NO_SUCH_USER
smbstatus bad user:
> Samba version 4.20.5-truenas
> PID     Username     Group        Machine                               
>     Protocol Version  Encryption           Signing
>
----------------------------------------------------------------------------------------------------------------------------------------
> 193273  nobody       nogroup      192.168.1.100 
> (ipv4:192.168.1.100:55188)  SMB3_11           -                    -
> 102411  nobody       nogroup      192.168.1.10 
> (ipv4:192.168.1.10:47964)    SMB3_11           -                    -
> 
> Service      pid     Machine       Connected at                     
> Encryption   Signing
>
---------------------------------------------------------------------------------------------
> IPC$         102411  192.168.1.10  Fri Jan 17 18:53:13 2025 CET     -   
>          -
> descargas    193273  192.168.1.100 Fri Jan 17 21:56:27 2025 CET     -   
>          -
> Carpetas Personales 102411  192.168.1.10  Fri Jan 17 18:53:13 2025 CET  
>    -            -
> IPC$         193273  192.168.1.100 Fri Jan 17 21:56:27 2025 CET     -   
>          -
> 
> Locked files:
> Pid          User(ID)   DenyMode   Access      R/W        Oplock        
>    SharePath   Name   Time
>
--------------------------------------------------------------------------------------------------
> 193273       65534      DENY_NONE  0x12019f    RDWR       BATCH         
>    /mnt/NAS/descargas   MiSTer/games/AO486/media/another world/another 
> world.vhd   Fri Jan 17 21:58:04 2025
Audit sec=none :
> Logon ID: '0'
> Logon Type: 3
> Local Address: ipv4:192.168.1.4:445
> Remote Address: ipv4:192.168.1.100:43240
> Service Description: SMB2
> Auth Description: Null
> Client Domain: ''
> Client Account: ''
> Workstation: ''
> Became Account: nobody
> Became Domain: TRUENAS
> Became Sid: S-1-5-21-2028966449-1147323095-3560797536-501
> Mapped Account: ''
> Mapped Domain: ''
> Netlogon Computer: Null
> Netlogon Trust Account: Null
> Netlogon Negotiate Flags: '0x00000000'
> Netlogon Secure Channel Type: 0
> Netlogon Trust Account Sid: Null
> Password Type: No-Password
> Client Policy Access Check: Null
> Server Policy Access Check: Null
> Vers:
> Major: 0
> Minor: 1
> Result:
> Type: NTSTATUS
> Value Raw: 0
> Value Parsed: SUCCESS
smbstatus sec=none:
> Samba version 4.20.5-truenas
> PID     Username     Group        Machine                               
>     Protocol Version  Encryption           Signing
>
----------------------------------------------------------------------------------------------------------------------------------------
> 102411  nobody       nogroup      192.168.1.10 
> (ipv4:192.168.1.10:47964)    SMB3_11           -                    -
> 187450  nobody       nogroup      192.168.1.100 
> (ipv4:192.168.1.100:43240)  SMB3_11           -                    -
> 
> Service      pid     Machine       Connected at                     
> Encryption   Signing
>
---------------------------------------------------------------------------------------------
> IPC$         102411  192.168.1.10  Fri Jan 17 18:53:13 2025 CET     -   
>          -
> IPC$         187450  192.168.1.100 Fri Jan 17 21:44:41 2025 CET     -   
>          -
> Carpetas Personales 102411  192.168.1.10  Fri Jan 17 18:53:13 2025 CET  
>    -            -
> descargas    187450  192.168.1.100 Fri Jan 17 21:44:41 2025 CET     -   
>          -
> 
> No locked files
Best Regards,

Carlos A. Balseiro

samba - Jan 2025 - Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)

[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)

[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)