[Samba] Public Share on Samba with ADS security
Bradley.McNamara at seattle.gov
Thu Feb 13 17:26:12 MST 2014
This is my second try asking for help. One person responded and provided help, but I still can't seem to work this out. I've searched, but have failed. I'm not new to Samba, but I can and do make mistakes...so here I am.
I have a fresh install of Ubuntu 13.10 with Samba 3.6.18. I have Kerberos properly configured and have successfully joined the domain, and can list users, groups, etc. All I want to do is have a server that is part of AD, and have a public share on it. The smb.conf is very simple and listed here:
workgroup = SPU
server string = %h server (Samba, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
log level = 3
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = ADS
realm = SPU.COS.LOCAL
map to guest = Bad User
usershare allow guests = yes
guest account = nobody
comment = SPU King County GIS
path = /mnt
read only = yes
guest only = yes
guest ok = yes
browseable = yes
The only accounts on the server are the default accounts that are there when the server is built. The "nobody" account does exist. All I want is to have a public share that does not prompt for username/password. Right now, when one browses for the share, they are prompted for username and password. When I put "nobody" in for username, and blank password, they are granted access to the share. Thereafter, they are granted access to the share without being prompted for username and password.
I turned up the logging level and this appears in the log for the client, which is what I would expect to be in there. I would also expect that any user not known on the server (not in passwd file) would be mapped to "Bad User" and then granted access as nobody. This does not seem to be happening.
[2014/02/13 16:04:42.031246, 3] smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
NativeOS= NativeLanMan= PrimaryDomain=
[2014/02/13 16:04:42.031303, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 2437
[2014/02/13 16:04:42.163990, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: McNamaB [Bradley W. McNamara]
[2014/02/13 16:04:42.164061, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [McNamaB at SPU.COS.LOCAL]
[2014/02/13 16:04:42.164296, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
Username SPU\McNamaB is invalid on this system
[2014/02/13 16:04:42.164338, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/02/13 16:04:53.294408, 1] smbd/process.c:457(receive_smb_talloc)
receive_smb_raw_talloc failed for client 22.214.171.124 read error = NT_STATUS_CONNECTION_RESET.
[2014/02/13 16:04:53.385036, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)
Of course, when the user does exist in the password file, everything works as expected: no prompting for username and password. Am I asking for something that Samba cannot deliver? Am I just losing it and have not done something basic and trivial that is preventing what I want to do? I am not running 'winbind' as I don't need account info from AD.
Thanks for any and all help!
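Added example, not part of the original post: a short Python triage script that pairs each smbd header line in the log above with its message line and reports every session setup where the Kerberos ticket's user had no local account, together with the status returned to the client. The function names and SAMPLE_LOG are made up for this example; the sample lines are copied from the post.

```python
import re

# Constructed sample: lines copied from the log quoted in the post.
SAMPLE_LOG = """\
[2014/02/13 16:04:42.164061, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [McNamaB at SPU.COS.LOCAL]
[2014/02/13 16:04:42.164296, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
Username SPU\\McNamaB is invalid on this system
[2014/02/13 16:04:42.164338, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/02/13 16:04:53.294408, 1] smbd/process.c:457(receive_smb_talloc)
receive_smb_raw_talloc failed for client 22.214.171.124 read error = NT_STATUS_CONNECTION_RESET.
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<lvl>\d+)\] \S+:\d+\((?P<fn>\w+)\)")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[(.+?)\]")
UNMAPPED = re.compile(r"Username (\S+) is invalid on this system")
STATUS = re.compile(r"error packet at .*\b(NT_STATUS_\w+)")

def parse_records(text):
    """Attach each message line to the smbd header line that precedes it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "level": int(m["lvl"]), "fn": m["fn"], "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def unmapped_kerberos_logons(text):
    """Find session setups where the ticket's user has no local account,
    and pair each with the status smbd returned to the client."""
    findings, principal, pending = [], None, None
    for rec in parse_records(text):
        if m := PRINCIPAL.search(rec["msg"]):
            principal, pending = m.group(1), None  # a new session setup starts
        elif m := UNMAPPED.search(rec["msg"]):
            pending = {"ts": rec["ts"], "principal": principal,
                       "username": m.group(1), "status": None}
            findings.append(pending)
        elif pending and pending["status"] is None and (m := STATUS.search(rec["msg"])):
            pending["status"] = m.group(1)
    return findings

if __name__ == "__main__":
    for f in unmapped_kerberos_logons(SAMPLE_LOG):
        print(f)
```

The later NT_STATUS_CONNECTION_RESET line is a read error rather than an error packet, so it is not attributed to the failed logon.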