[Samba] Public Share on Samba with ADS security

David Bear dwbear75 at gmail.com
Thu Feb 13 20:55:02 MST 2014


You may want to consider doing things a little different. If you want an
anonymously readable share, why not instead create an smb.conf and use
'security = user', and 'guest ok' on the share. It may be that 'security =
ads' is doing something you want to avoid. I know I've created anonymous
shares with samba before, so I know it's possible. It just may be that it is
incompatible with AD domain-style security. If you need ads security for
part of samba, then it should be possible to have 2 smb.conf files --
create a second 'alias' for your NIC, add a different ip address for it,
then create a samba instance that binds only to that interface. It should
permit you to have 2 different sambas on the same machine. Note that I have
never tried this -- but it seems to me theoretically possible.


On Thu, Feb 13, 2014 at 5:26 PM, McNamara, Bradley <
Bradley.McNamara at seattle.gov> wrote:

> Hello, list;
>
> This is my second try asking for help.  One person responded and provided
> help, but I still can't seem to work this out.  I've searched, but have
> failed.  I'm not new to Samba, but I can and do make mistakes...so here I
> am.
>
> I have a fresh install of Ubuntu 13.10 with Samba 3.6.18.  I have Kerberos
> properly configured and have successfully joined the domain, and can list
> users, groups, etc.  All I want to do is have a server that is part of AD,
> and have a public share on it.  The smb.conf is very simple and listed here:
>
> [global]
>    workgroup = SPU
>    server string = %h server (Samba, Ubuntu)
>    dns proxy = no
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    log level = 3
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>    security = ADS
>    realm = SPU.COS.LOCAL
>    map to guest = Bad User
>    usershare allow guests = yes
>    guest account = nobody
>
> [SPU_KC_GIS]
>         comment = SPU King County GIS
>         path = /mnt
>         read only = yes
>         guest only = yes
>         guest ok = yes
>         browseable = yes
>
> The only accounts on the server are the default accounts that are there
> when the server is built.  The "nobody" account does exist.  All I want is
> to have a public share that does not prompt for username/password.  Right
> now, when one browses for the share, they are prompted for username and
> password.  When I put "nobody" in for username, and blank password, they
> are granted access to the share.  Thereafter, they are granted access to
> the share without being prompted for username and password.
>
> I turned up the logging level and this appears in the log for the client,
> which is what I would expect to be in there.  I would also expect that any
> user not known on the server (not in passwd file) would be mapped to "Bad
> User" and then granted access as nobody.  This does not seem to be happening.
>
> [2014/02/13 16:04:42.031246,  3]
> smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
>   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2014/02/13 16:04:42.031303,  3]
> smbd/sesssetup.c:660(reply_spnego_negotiate)
>   reply_spnego_negotiate: Got secblob of size 2437
> [2014/02/13 16:04:42.163990,  3] libads/authdata.c:332(decode_pac_data)
>   Found account name from PAC: McNamaB [Bradley W. McNamara]
> [2014/02/13 16:04:42.164061,  3]
> auth/user_krb5.c:50(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [McNamaB at SPU.COS.LOCAL]
> [2014/02/13 16:04:42.164296,  1]
> auth/user_krb5.c:162(get_user_from_kerberos_info)
>   Username SPU\McNamaB is invalid on this system
> [2014/02/13 16:04:42.164338,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2014/02/13 16:04:53.294408,  1] smbd/process.c:457(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client 156.74.130.227 read error =
> NT_STATUS_CONNECTION_RESET.
> [2014/02/13 16:04:53.385036,  3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
>
> Of course, when the user does exist in the password file, everything works
> as expected:  no prompting for username and password.  Am I asking for
> something that Samba cannot deliver?  Am I just losing it and have not done
> something basic and trivial that is preventing what I want to do?  I am not
> running 'winbind' as I don't need account info from AD.
>
> Thanks for any and all help!
>
> Brad
>



-- 
David Bear
mobile: (602) 903-6476
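Written out as a worked configuration (added here, not from either poster), this is the second, guest-only smbd instance David describes, bound to an alias address so it can coexist with the ADS instance. The file path /etc/samba/smb-guest.conf, the NetBIOS name, the 192.0.2.x addresses and the run-time directories are assumptions; the ADS instance's own smb.conf also needs `interfaces` and `bind interfaces only` set, otherwise it binds to every address and the second smbd cannot get port 445.

```ini
# /etc/samba/smb-guest.conf (assumed path): a second smbd instance that serves
# only the anonymous share. Samba does not allow trailing comments, so every
# comment sits on its own line.
[global]
   workgroup = SPU
   # Must differ from the name the ADS instance advertises (placeholder value)
   netbios name = GISGUEST
   server string = %h guest share (Samba, Ubuntu)
   # Local passdb only; a name that is not a local account becomes the guest
   # account instead of failing with NT_STATUS_LOGON_FAILURE
   security = user
   map to guest = Bad User
   guest account = nobody
   # Bind only to the alias address (placeholder); the ADS instance uses
   # its own 'interfaces = 192.0.2.10/24' with 'bind interfaces only = yes'
   interfaces = 192.0.2.11/24
   bind interfaces only = yes
   # Separate run-time state so the two daemons do not share pid/lock files
   pid directory = /var/run/samba-guest
   lock directory = /var/run/samba-guest
   state directory = /var/lib/samba-guest
   cache directory = /var/cache/samba-guest
   private dir = /var/lib/samba-guest/private
   log file = /var/log/samba/guest-log.%m
   log level = 1

[SPU_KC_GIS]
   comment = SPU King County GIS
   path = /mnt
   read only = yes
   guest ok = yes
   guest only = yes
   browseable = yes
```

Validate it with `testparm -s /etc/samba/smb-guest.conf`, create the directories listed above, and start the instance with `smbd -D -s /etc/samba/smb-guest.conf`; keep a single nmbd running, since only one name server per host is needed.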

