[Samba] Cannot share folders access denid PDC+LDAP.
Alberto Moreno
portsbsd at gmail.com
Mon Jun 6 18:48:45 UTC 2016
Hi mathias, thanks for taking time to see this issue.
In my case is not a AD, is still a NT4 style.
I will try the option, thanks.
On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com>
wrote:
> Hi Alberto,
>
> No idea about your issue as I'm playing with Samba to build AD only, I can
> only tell you that I did tested on my Samba AD DC and I can use upper,
> lower or mixed case in user names:
>
> dc108:/opt/initial_setup# id mtest
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup# id mTest
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup# id MTEST
> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> dc108:/opt/initial_setup#
>
> I'm using recent version of Samba, the latest in fact. Perhaps you could
> try with more recent version of the product to see if you still get this
> error.
>
> There is also that option in smb.conf manpage:
> username level (G)
>
> This option helps Samba to try and 'guess' at the real UNIX
> username, as many DOS clients send an all-uppercase username.
> By default Samba tries all lowercase, followed by the username
> with the first letter capitalized, and fails if the username is not found
> on the UNIX machine.
>
> If this parameter is set to non-zero the behavior changes. This
> parameter is a number that specifies the number of uppercase combinations
> to try while trying to determine the UNIX user name. The higher the number
> the more combinations will be tried, but the slower the discovery of
> usernames will be. Use this parameter when you have strange usernames on
> your UNIX machine, such as AstrangeUser .
>
> This parameter is needed only on UNIX systems that have case
> sensitive usernames.
>
> Default: username level = 0
>
> Example: username level = 5
>
> Some others tests I did after reading "This parameter is needed only on
> UNIX systems that have case sensitive usernames."
> dc108:/opt/initial_setup# id ROOT
> id: ROOT : utilisateur inexistant
> dc108:/opt/initial_setup# id rOOt
> id: rOOt : utilisateur inexistant
> dc108:/opt/initial_setup# id root
> uid=0(root) gid=0(root) groupes=0(root)
> dc108:/opt/initial_setup#
>
> So my UNIX system is case sensitive regarding user names but not when it
> comes to AD users.
>
> Using testparm -v and grep:
> testparm -v | grep "username level"
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> username level = 0
> dc108:/opt/initial_setup#
>
> So "username level" is the default: 0 on the system which case sensitive
> for non-AD usernames and non-case-sensitive ofr AD users.
>
> Hoping this helps...
>
> mathias
>
>
> 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
>
>> Hi, is time to get help.
>>
>> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
>> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
>> I have even 2 Linux Centos 5.x in my domain x64
>>
>> Now, I have add 1 Centos 6.x x64 updated.
>>
>> Samba 3.6.23-35.el6_8
>>
>> I had setup LDAP client on this server to get users/groups and add to my
>> domain with net rpc join, no issue.
>>
>> I can see the server on my domain no issue, the problem start went I setup
>> my shares folders and some users.
>>
>> Public folders no problem, the problem are went I use usernames where
>> have
>> 'Uppercase' the firs letter.
>>
>> For some strange reason cannot talk very well with my ldap server.
>>
>> Case 1: upper and lower case.
>>
>> SERVER GOOD:
>>
>> [root at servera ~]# id Test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
>> [root at aervera ~]# id test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>> [root at servera ~]#
>>
>> Test or test return info.
>>
>> Now let test the SERVER-BAD
>> [root at mbx-server2 opt]# id test
>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>> [root at mbx-server2 opt]# id Test
>> id: Test: No such user
>> [root at mbx-server2 opt]#
>>
>> test is diff than Test.
>>
>> Now, what happen on my domain?
>>
>> I have some users that appear like this on windows:
>>
>> Notadmin.
>>
>> I setup my share:
>>
>> [nasa]
>> path = /opt/it
>> writeable = Yes
>> public = No
>> guest ok = No
>> valid users = test, Notadmin, dflores
>> create mode = 0770
>> directory mode = 0770
>> force group = itmbx
>> force create mode = 0770
>> force directory mode = 0770
>> admin users = root Notadmin
>>
>> The user Notadmin cannot access this share.
>>
>> I had check settings but I use the same us the other servers, some new
>> flags but nothing that took my attention:
>>
>> [global]
>> workgroup = MYDOMAIN
>> netbios name = mbx-server2
>> hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
>> 192.168.30., 192.168.40., 192.168.50.
>> hosts deny = 0.0.0.0
>> smb ports = 139 445
>> lanman auth = Yes
>> client lanman auth = Yes
>> security = DOMAIN
>> encrypt passwords = yes
>> syslog = 1
>> log level = 1
>> log file = /var/log/samba/%m.%U.log
>> max log size = 2048
>> socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
>> name resolve order = wins bcast hosts lmhost
>> username map = /etc/samba/usermap
>> domain logons = No
>> domain master = No
>> local master = No
>> preferred master = No
>> wins server = 192.168.2.24
>> idmap config * : backend = ldap
>> idmap config * : range = 10000-20000
>> logon path =
>> logon home =
>> display charset = LOCALE
>> unix charset = UTF-8
>> dos charset = CP850
>> client ipc signing = auto
>> map to guest = Bad User
>> load printers = No
>> show add printer wizard = No
>> use sendfile = Yes
>> map readonly = no
>> case sensitive = No
>> dns proxy = No
>> winbind separator = +
>>
>>
>> What SAMBA-BAD say on logs:
>>
>> [2016/05/31 09:24:48.856147, 3]
>> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
>> Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
>> len2=288
>> [2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user
>> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
>> [2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password)
>> check_ntlm_password: mapped user is:
>> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
>> [2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account)
>> Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
>> denying access.
>> [2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password)
>> check_ntlm_password: Authentication for user [Notadmin] -> [Notadmin]
>> FAILED with error NT_STATUS_NO_SUCH_USER
>> [2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest)
>>
>> Any recomendation about I will appreciated, thanks!!!
>> --
>> LIving the dream...
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
--
LIving the dream...
More information about the samba
mailing list