[Samba] Cannot share folders access denid PDC+LDAP.

Alberto Moreno portsbsd at gmail.com
Mon Jun 6 18:48:45 UTC 2016


Hi mathias, thanks for taking the time to look at this issue.

In my case it is not an AD, it is still NT4 style.

I will try the option, thanks.

On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com>
wrote:

> Hi Alberto,
>
> No idea about your issue as I'm playing with Samba to build AD only, I can
> only tell you that I did test on my Samba AD DC and I can use upper,
> lower or mixed case in user names:
>
> dc108:/opt/initial_setup# id mtest
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup# id mTest
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup# id MTEST
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup#
>
> I'm using a recent version of Samba, the latest in fact. Perhaps you could
> try with a more recent version of the product to see if you still get this
> error.
>
> There is also that option in smb.conf manpage:
>        username level (G)
>
>            This option helps Samba to try and 'guess' at the real UNIX
> username, as many DOS clients send an all-uppercase username.
>            By default Samba tries all lowercase, followed by the username
> with the first letter capitalized, and fails if the username is not found
> on the UNIX machine.
>
>            If this parameter is set to non-zero the behavior changes. This
> parameter is a number that specifies the number of uppercase combinations
> to try while trying to determine the UNIX user name. The higher the number
> the more combinations will be tried, but the slower the discovery of
> usernames will be. Use this parameter when you have strange usernames on
> your UNIX machine, such as AstrangeUser .
>
>            This parameter is needed only on UNIX systems that have case
> sensitive usernames.
>
>            Default: username level = 0
>
>            Example: username level = 5
>
> Some other tests I did after reading "This parameter is needed only on
> UNIX systems that have case sensitive usernames."
> dc108:/opt/initial_setup# id ROOT
> id: ROOT : utilisateur inexistant
> dc108:/opt/initial_setup# id rOOt
> id: rOOt : utilisateur inexistant
> dc108:/opt/initial_setup# id root
> uid=0(root) gid=0(root) groupes=0(root)
> dc108:/opt/initial_setup#
>
> So my UNIX system is case sensitive regarding user names but not when it
> comes to AD users.
>
> Using testparm -v and grep:
>  testparm -v | grep "username level"
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
>         username level = 0
> dc108:/opt/initial_setup#
>
> So "username level" is the default: 0 on a system which is case sensitive
> for non-AD usernames and non-case-sensitive for AD users.
>
> Hoping this helps...
>
> mathias
>
>
> 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
>
>> Hi, it is time to get help.
>>
>> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
>> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
>> I have even 2 Linux Centos 5.x in my domain x64
>>
>> Now, I have add 1 Centos 6.x x64 updated.
>>
>> Samba 3.6.23-35.el6_8
>>
>> I have set up an LDAP client on this server to get users/groups and added it
>> to my domain with net rpc join, no issue.
>>
>> I can see the server on my domain, no issue; the problem starts when I set up
>> my shared folders and some users.
>>
>> Public folders are no problem; the problem is when I use usernames which
>> have an uppercase first letter.
>>
>> For some strange reason it cannot talk very well with my LDAP server.
>>
>> Case 1: upper and lower case.
>>
>> SERVER GOOD:
>>
>> [root at servera ~]# id Test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
>> [root at aervera ~]# id test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>> [root at servera ~]#
>>
>> Test or test returns info.
>>
>> Now let's test the SERVER-BAD
>> [root at mbx-server2 opt]# id test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>> [root at mbx-server2 opt]# id Test
>> id: Test: No such user
>> [root at mbx-server2 opt]#
>>
>> test is different from Test.
>>
>> Now, what happens on my domain?
>>
>> I have some users that appear like this on windows:
>>
>> Notadmin.
>>
>> I setup my share:
>>
>> [nasa]
>>         path = /opt/it
>>         writeable = Yes
>>         public = No
>>         guest ok = No
>>         valid users = test, Notadmin, dflores
>>         create mode = 0770
>>         directory mode = 0770
>>         force group = itmbx
>>         force create mode = 0770
>>         force directory mode = 0770
>>         admin users = root Notadmin
>>
>> The user Notadmin cannot access this share.
>>
>> I have checked the settings but I use the same as on the other servers, some
>> new flags but nothing that caught my attention:
>>
>> [global]
>>         workgroup = MYDOMAIN
>>         netbios name = mbx-server2
>>         hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
>> 192.168.30., 192.168.40., 192.168.50.
>>         hosts deny = 0.0.0.0
>>         smb ports = 139 445
>>         lanman auth = Yes
>>         client lanman auth = Yes
>>         security = DOMAIN
>>         encrypt passwords = yes
>>         syslog = 1
>>         log level = 1
>>         log file = /var/log/samba/%m.%U.log
>>         max log size = 2048
>>         socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
>>         name resolve order = wins bcast hosts lmhost
>>         username map = /etc/samba/usermap
>>         domain logons = No
>>         domain master = No
>>         local master = No
>>         preferred master = No
>>         wins server = 192.168.2.24
>>         idmap config * : backend = ldap
>>         idmap config * : range = 10000-20000
>>         logon path =
>>         logon home =
>>         display charset = LOCALE
>>         unix charset = UTF-8
>>         dos charset = CP850
>>         client ipc signing = auto
>>         map to guest = Bad User
>>         load printers = No
>>         show add printer wizard = No
>>         use sendfile = Yes
>>         map readonly = no
>>         case sensitive = No
>>         dns proxy = No
>>         winbind separator = +
>>
>>
>> What SAMBA-BAD says in the logs:
>>
>> [2016/05/31 09:24:48.856147,  3]
>> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
>>   Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
>> len2=288
>> [2016/05/31 09:24:48.856641,  3] auth/auth.c:219(check_ntlm_password)
>>   check_ntlm_password:  Checking password for unmapped user
>> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
>> [2016/05/31 09:24:48.856751,  3] auth/auth.c:222(check_ntlm_password)
>>   check_ntlm_password:  mapped user is:
>> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
>> [2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)
>>   Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
>> denying access.
>> [2016/05/31 09:24:48.864888,  2] auth/auth.c:330(check_ntlm_password)
>>   check_ntlm_password:  Authentication for user [Notadmin] -> [Notadmin]
>> FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/05/31 09:24:48.864935,  3] smbd/sesssetup.c:63(do_map_to_guest)
>>
>> Any recommendation would be appreciated, thanks!!!
>> --
>> LIving the dream...
>>
>
>


-- 
LIving the dream...
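A model of the smb.conf "username level" lookup that mathias quotes from the manpage, as an added example (not Samba's own code): the candidate order follows the manpage description only, so it is a simplified model rather than smbd's exact search order, and the user database and every uid except 1062 are constructed.

```python
from itertools import combinations

# Constructed, case-sensitive user database standing in for the NSS/LDAP
# lookup on the CentOS 6 box (SERVER-BAD in the thread): only the exact
# spelling stored in the directory resolves, as the failing `id Test` shows.
PASSWD = {
    "test": 1062,          # uid as in the thread's `id test` output
    "Notadmin": 1070,      # constructed uid; stored capitalised, as seen on Windows
    "AstrangeUser": 1080,  # the manpage's own example of a "strange" username
}

def getpwnam(name, db=PASSWD):
    """Case-sensitive lookup, like getpwnam() against a case-sensitive backend."""
    return db.get(name)

def candidates(name, level=0):
    """Spellings tried in order: all lowercase, first letter capitalised, then
    (username level = N) every variant with 1..N letters uppercased."""
    seen = set()
    low = name.lower()
    order = [low, low[:1].upper() + low[1:]]
    for n in range(1, level + 1):
        for idx in combinations(range(len(low)), n):
            order.append("".join(c.upper() if i in idx else c
                                 for i, c in enumerate(low)))
    for cand in order:
        if cand not in seen:
            seen.add(cand)
            yield cand

def resolve(name, level=0, db=PASSWD):
    """Return (unix_name, uid, attempts); unix_name is None when every
    candidate fails, which is the NT_STATUS_NO_SUCH_USER case in the log."""
    attempts = 0
    for cand in candidates(name, level):
        attempts += 1
        uid = getpwnam(cand, db)
        if uid is not None:
            return cand, uid, attempts
    return None, None, attempts

if __name__ == "__main__":
    for user, level in (("Test", 0), ("NOTADMIN", 0),
                        ("astrangeuser", 0), ("astrangeuser", 2)):
        print(user, level, resolve(user, level))
```

With `map to guest = Bad User` in the [global] section above, a name that fails this lookup is mapped to the guest account rather than rejected, which is why the log ends in do_map_to_guest; that matters when `valid users` is the only control on a share.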

