Rowland Penny
2025-Jan-18 09:49 UTC
[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)
On Fri, 17 Jan 2025 22:55:59 +0100 Carlos Alberto Balseiro Mayi via samba <samba at lists.samba.org> wrote:
>
>
> testparm -s output:
>
> > Load smb config files from /etc/smb4.conf
> > Loaded services file OK.
> > Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility
> > fallback)
> >
> > Server role: ROLE_STANDALONE
> >
> > # Global parameters
> > [global]
> > bind interfaces only = Yes
> > disable spoolss = Yes
> > dns proxy = No
> > load printers = No
> > logging = file
> > map to guest = Bad User
> > max log size = 5120
> > passdb backend = tdbsam:/var/run/samba-cache/private/passdb.tdb
> > printcap name = /dev/null
> > registry shares = Yes
> > server multi channel support = No
> > server string = TrueNAS Server
> > winbind request timeout = 2
> > workgroup = CORUSCANT
> > idmap config * : range = 90000001 - 100000000
> > fruit:zero_file_id = False
> > fruit:nfs_aces = False
> > idmap config * : backend = tdb
> > create mask = 0664
> > directory mask = 0775
> > kernel oplocks = Yes
> >
> > (REMOVED INFO FROM SHARES NOT INVOLVED IN THIS)
> >
> > [descargas]
> > ea support = No
> > guest ok = Yes
> > path = /mnt/NAS/descargas
> > read only = No
> > smbd max xattr size = 2097152
> > vfs objects = streams_xattr shadow_copy_zfs ixnas zfs_core io_uring
> > tn:vuid
> > fruit:time machine max size = 0
> > fruit:time machine = False
> > nfs4:chown = True
> > tn:home = False
> > tn:path_suffix
> > tn:purpose = MULTI_PROTOCOL_NFS
>
> Audit bad user:
>
> > Logon ID: '0'
> > Logon Type: 3
> > Local Address: ipv4:192.168.1.4:445
> > Remote Address: ipv4:192.168.1.100:55186
> > Service Description: SMB2
> > Auth Description: Null
> > Client Domain: ''
> > Client Account: badusertest
> > Workstation: ''
> > Became Account: Null
> > Became Domain: Null
> > Became Sid: Null
> > Mapped Account: badusertest
> > Mapped Domain: ''
> > Netlogon Computer: Null
> > Netlogon Trust Account: Null
> > Netlogon Negotiate Flags: '0x00000000'
> > Netlogon Secure Channel Type: 0
> > Netlogon Trust Account Sid: Null
> > Password Type: NTLMv2
> > Client Policy Access Check: Null
> > Server Policy Access Check: Null
> > Vers:
> > Major: 0
> > Minor: 1
> > Result:
> > Type: NTSTATUS
> > Value Raw: 3221225572
> > Value Parsed: NT_STATUS_NO_SUCH_USER
>
> smbstatus bad user:
>
> > Samba version 4.20.5-truenas
> > PID Username Group Machine
> > Protocol Version Encryption Signing
> > ----------------------------------------------------------------------------------------------------------------------------------------
> > 193273 nobody nogroup 192.168.1.100
> > (ipv4:192.168.1.100:55188) SMB3_11 - -
> > 102411 nobody nogroup 192.168.1.10
> > (ipv4:192.168.1.10:47964) SMB3_11 -
> > -
> >
> > Service pid Machine Connected at
> > Encryption Signing
> > ---------------------------------------------------------------------------------------------
> > IPC$ 102411 192.168.1.10 Fri Jan 17 18:53:13 2025 CET
> > - -
> > descargas 193273 192.168.1.100 Fri Jan 17 21:56:27 2025 CET
> > - -
> > Carpetas Personales 102411 192.168.1.10 Fri Jan 17 18:53:13 2025
> > CET
> > - -
> > IPC$ 193273 192.168.1.100 Fri Jan 17 21:56:27 2025 CET
> > - -
> >
> > Locked files:
> > Pid User(ID) DenyMode Access R/W Oplock
> > SharePath Name Time
> > --------------------------------------------------------------------------------------------------
> > 193273 65534 DENY_NONE 0x12019f RDWR BATCH
> > /mnt/NAS/descargas MiSTer/games/AO486/media/another world/another
> > world.vhd Fri Jan 17 21:58:04 2025
>
> Audit sec=none :
>
> > Logon ID: '0'
> > Logon Type: 3
> > Local Address: ipv4:192.168.1.4:445
> > Remote Address: ipv4:192.168.1.100:43240
> > Service Description: SMB2
> > Auth Description: Null
> > Client Domain: ''
> > Client Account: ''
> > Workstation: ''
> > Became Account: nobody
> > Became Domain: TRUENAS
> > Became Sid: S-1-5-21-2028966449-1147323095-3560797536-501
> > Mapped Account: ''
> > Mapped Domain: ''
> > Netlogon Computer: Null
> > Netlogon Trust Account: Null
> > Netlogon Negotiate Flags: '0x00000000'
> > Netlogon Secure Channel Type: 0
> > Netlogon Trust Account Sid: Null
> > Password Type: No-Password
> > Client Policy Access Check: Null
> > Server Policy Access Check: Null
> > Vers:
> > Major: 0
> > Minor: 1
> > Result:
> > Type: NTSTATUS
> > Value Raw: 0
> > Value Parsed: SUCCESS
>
> smbstatus sec=none:
>
> > Samba version 4.20.5-truenas
> > PID Username Group Machine
> > Protocol Version Encryption Signing
> > ----------------------------------------------------------------------------------------------------------------------------------------
> > 102411 nobody nogroup 192.168.1.10
> > (ipv4:192.168.1.10:47964) SMB3_11 -
> > - 187450 nobody nogroup 192.168.1.100
> > (ipv4:192.168.1.100:43240) SMB3_11 - -
> >
> > Service pid Machine Connected at
> > Encryption Signing
> > ---------------------------------------------------------------------------------------------
> > IPC$ 102411 192.168.1.10 Fri Jan 17 18:53:13 2025 CET
> > - -
> > IPC$ 187450 192.168.1.100 Fri Jan 17 21:44:41 2025 CET
> > - -
> > Carpetas Personales 102411 192.168.1.10 Fri Jan 17 18:53:13 2025
> > CET
> > - -
> > descargas 187450 192.168.1.100 Fri Jan 17 21:44:41 2025 CET
> > - -
> >
> > No locked files
>
> Best Regards,
>
> Carlos A. Balseiro

I think I see what is happening here, but I need to see the commands you are using to connect to the share (where you are using 'sec=') to confirm or deny my thinking.

Rowland
Carlos Alberto Balseiro Mayi
2025-Jan-18 10:04 UTC
[Samba] Different behavior when client uses "sec=none" and when provides bad user (mapped to guest)
mount -t cifs //192.168.1.4/descargas/MiSTer /media/fat/cifs -o sec=none
mount -t cifs //192.168.1.4/descargas/MiSTer /media/fat/cifs -o username=badusertest

On 2025-01-18 10:49, Rowland Penny via samba wrote:
> I think I see what is happening here, but I need to see the commands
> you are using to connect to the share (where you are using 'sec=') to
> confirm or deny my thinking.
>
> Rowland