[Samba] Upgraded samba, mostly still works, but have one issue

Dale Schroeder dale at BriannasSaladDressing.com
Mon Dec 12 13:47:29 MST 2011 

On 12/12/2011 1:25 PM, Mark Casey wrote:
> Dale,
>
> That fixed it. Thanks very much for your time in looking at this 
> issue! That leads to another question though. I don't get why 'winbind 
> use default domain' did not cover the issue, since I have it set to 
> yes. I assumed I could leave off the "DOMAIN\" portion and it would 
> add it for me...but more specifically, even using DOMAIN\camera 
> wouldn't work. I should clarify though that nowhere in my config am I 
> actually typing "DOMAIN\"; I'm only swapping that in on the mailing 
> list as a redaction. When I tried the fully qualified user account in 
> the IP camera's config the domain matched the one that this samba 
> server is joined to.
>
> I did note this part in smb.conf's man page about 'winbind use default 
> domain':
> *"While this does not benifit Windows users, it makes SSH, FTP and 
> e-mail function in a way much closer to the way they would in a native 
> unix system.*"
>
> This would all make more sense if that line means that 'winbind use 
> default domain' excludes not only Windows users but *all* smb/cifs 
> authentication attempts. Then, it wouldn't apply the the IP cameras at 
> all. However even if that were the case I still can't explain the 
> failure when I tried the user DOMAIN\camera.
>
> Would you (or anyone) be able to provide any insight? Regardless, 
> thanks again for your help thus far as I can now get this out of the 
> urgent section of my list!
>
> Thank you,
> Mark

I don't know that I can explain it sufficiently, but I'll try.  
Essentially, "map untrusted to domain" was a new parameter to make Samba 
perform as it did prior to 3.4.  "winbind use default name" refers to 
something completely different.  As the man page indicates, I can ssh 
into the system as "valid_user" instead of DOMAIN\valid_user.  This 
applies to a valid user on a domain host.  On the other hand, since the 
cameras are not able to join the domain, the new parameter maps 
HOSTNAME\camera to DOMAIN\camera.

Others have explained "winbind use default domain" this way:

http://wiki.samba.org/index.php/Samba_&_Active_Directory
|winbind use default domain = Yes| removes the domain prefix from 
usernames, so you can login as /Username/ instead of /DOMAIN\Username/ 
or in some cases /DOMAIN+Username/ (see next explanation).

http://www.justlinux.com/forum/archive/index.php/t-118512.html
This winbind parameter eliminates the need to use the domain name with 
the user/group name. The domain name plus the separator will 
automatically be prepended to the user name.

Not perfect, but I hope it helps.

Dale

>
> On 12/12/2011 12:23 PM, Dale Schroeder wrote:
>> On 12/12/2011 10:14 AM, Mark Casey wrote:
>>> Hello list,
>>>
>>> I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS 
>>> which took the installed version of samba from version 3.0.28a to 
>>> version 3.4.7. The server is an AD member using idmap-rid. I have 
>>> updated the idmap directives in the config and it mostly worked 
>>> (winbind works, Windows users can get to their shares with their 
>>> correct permissions, etc.). The only thing that got broken is the 
>>> ability of our IP security cameras to store data directly to the 
>>> server through samba. I believe this may have been caused by a 
>>> change to a default setting, such as the  allowed authentication 
>>> methods or possibly something like 'allow trusted domains', since 
>>> these cameras are not capable of actually joining the domain. I've 
>>> looked at some of the in-between release notes but no changes have 
>>> jumped out at me.
>>>
>>> The cameras are configured to connect to the given smb/cifs server 
>>> and share (which exists and can be mapped from Windows if you use 
>>> the right user). The share ('camshare') has share-level permissions 
>>> set such that DOMAIN\camera should have full access. I have winbind 
>>> set to use the default domain so the cameras are configured to 
>>> connect as 'camera' instead of 'DOMAIN\camera' (but I've tried both 
>>> anyway, to no avail). I have checked the password on the 'camera' 
>>> account repeatedly.
>>>
>>> However you can see that something isn't right when the cameras try 
>>> to mount the share:
>>>> root at server:~# tail -f /var/log/samba/log.smbd | grep camera
>>>>   check_ntlm_password:  Authentication for user [camera] -> 
>>>> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>   check_ntlm_password:  Authentication for user [camera] -> 
>>>> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>>   check_ntlm_password:  Authentication for user [camera] -> 
>>>> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>
>>> If I use that username with the password when mapping the share from 
>>> Win7, it works and the correct permissions are there.
>>>
>>> Here is the smb.conf:
>>>> [global]
>>>>         server string = File Server
>>>>         workgroup = DOMAIN
>>>>         realm = DOMAIN.COM
>>>>         security = ADS
>>>>         password server = *
>>>>         #password server = dc1.domain.com
>>>>         username map = /etc/samba/smbusers
>>>>         obey pam restrictions = Yes
>>>>         enable privileges = Yes
>>>>         map to guest = Bad User
>>>>         client NTLMv2 auth = Yes
>>>>         log level = 2, vfs:1
>>>>         syslog = 0
>>>>         max log size = 0
>>>>         load printers = No
>>>>         preferred master = No
>>>>         local master = No
>>>>         domain master = No
>>>>         dns proxy = No
>>>>         disable netbios = yes
>>>>         ldap ssl = no
>>>>         host msdfs = No
>>>>         template shell = /bin/false
>>>>         winbind enum users = Yes
>>>>         winbind enum groups = Yes
>>>>         winbind use default domain = Yes
>>>>         winbind refresh tickets = Yes
>>>>
>>>>         idmap backend = tdb
>>>>         idmap uid = 100000-199999
>>>>         idmap gid = 100000-199999
>>>>         idmap config DOMAIN:backend = rid
>>>>         idmap config DOMAIN:range = 100000 - 500000
>>>>         idmap config DOMAIN:default = yes
>>>>
>>>>         hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 
>>>> 10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 
>>>> 10.1.8.0/255.255.255.0 10.2.8.0/255.255.255.0 
>>>> 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0
>>>>         map acl inherit = No
>>>>         hide special files = Yes
>>>>         map archive = No
>>>>         map readonly = No
>>>>         map system = No
>>>>         map hidden = No
>>>>         force create mode = 707
>>>>         force directory mode = 707
>>>>         ea support = No
>>>>         store dos attributes = No
>>>>         wide links = No
>>>>         follow symlinks = No
>>>>         dos filemode = No
>>>>         add share command=/etc/samba/command.pl
>>>>         delete share command=/etc/samba/command.pl
>>>>         change share command=/etc/samba/command.pl
>>>>
>>>> [camshare]
>>>>         comment = Camera data share
>>>>         path = /home/camshare
>>>>         read only = No
>>>>         writeable = Yes
>>>>         inherit owner = Yes
>>>>         guest ok = No
>>>>
>>>> [mainshare]
>>>>         comment = Main Fileshare
>>>>         path = /home/mainshare
>>>>         read only = No
>>>>         writeable = Yes
>>>>         inherit owner = Yes
>>>>         guest ok = Yes
>>>>
>>>>         vfs objects = recycle extd_audit
>>>>         recycle:repository = Recycle Bin
>>>>         recycle:directory_mode = 707
>>>>         recycle:keeptree = yes
>>>>         recycle:versions = no
>>>>         recycle:touch = yes
>>>>         recycle:touch_mtime = no
>>>>         recycle:maxsize = 209715200
>>>>         recycle:exclude = *.tmp *.temp ~$* *.~??
>>>
>>> I've left off some other shares that don't seem relevant.
>>>
>>> I can provide other info and or more logs if needed. Thanks in 
>>> advance for any assistance you may be able to provide.
>>>
>>> Thank you,
>>> Mark
>>
>>
>> Mark,
>>
>> Try adding the parameter "map untrusted to domain = Yes"
>>
>>
>>       map untrusted to domain (G)
>>
>>     If a client connects to smbd using an untrusted domain name, such
>>     as BOGUS\user, smbd replaces the BOGUS domain with it's SAM name
>>     before attempting to authenticate that user. In the case where
>>     smbd is acting as a PDC this will be DOMAIN\user. In the case
>>     where smbd is acting as a domain member server or a standalone
>>     server this will be WORKSTATION\user.
>>
>>     In previous versions of Samba (pre 3.4), if smbd was acting as a
>>     domain member server, the BOGUS domain name would instead be
>>     replaced by the primary domain which smbd was a member of. In
>>     this case authentication would be deferred off to a DC using the
>>     credentials DOMAIN\user.
>>
>>     When this parameter is set to |yes| smbd provides the legacy
>>     behavior of mapping untrusted domain names to the primary domain.
>>     When smbd is not acting as a domain member server, this parameter
>>     has no effect.
>>
>>     Default: //|map untrusted to domain|/ = |no| /
>>
>>
>> Dale

More information about the samba mailing list