[Samba] Public Share on Samba with ADS security

McNamara, Bradley Bradley.McNamara at seattle.gov
Fri Feb 14 16:20:06 MST 2014

Thank you for the response.

I tried what you suggested, and it still didn't work.  I did some more changes/testing with the security set to "user", and I finally got it to work by changing "map to guest" from "Bad User" to "Bad Password".  I then tried using "map to guest = Bad Password" with "security = ADS", but that didn't work, either.  I really think there's an issue with "Bad User", but I got it working so I'm happy for now.


From: David Bear [mailto:dwbear75 at gmail.com]
Sent: Thursday, February 13, 2014 7:55 PM
To: McNamara, Bradley
Cc: samba at lists.samba.org
Subject: Re: [Samba] Public Share on Samba with ADS security

you may want to consider doing things a little different. If you want an anonymously readable share, why not instead create an smb.conf and use 'security = user', and 'guest ok' on the share. It may be that 'security = ads' is doing something you want to avoid. I know I've created anonymous shares with samba before so I know its possible, It just may be that it is incompatible with ad domain style security. If you need ads security for part of samba, then it should be possible to have 2 smb.conf files -- create a second 'alias' for your NIC, add a different ip address for it, then create a samba instance that binds only to that interface. It should permit you to have 2 different sambas on the same machine. Note that I have never tried this -- but it seems to me theoretically possible.

On Thu, Feb 13, 2014 at 5:26 PM, McNamara, Bradley <Bradley.McNamara at seattle.gov<mailto:Bradley.McNamara at seattle.gov>> wrote:
Hello, list;

This is my second try asking for help.  One person responded and provided help, but I still can't seem to work this out.  I've searched, but have failed.  I'm not new to Samba, but I can and do make mistakes...so here I am.

I have a fresh install of Ubuntu 13.10 with Samba 3.6.18.  I have Kerberos properly configured and have successfully joined the domain, and can list users, groups, etc.  All I want to do is have a server that is part of AD, and have a public share on it.  The smb.conf is very simple and listed here:

   workgroup = SPU
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   log level = 3
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   realm = SPU.COS.LOCAL
   map to guest = Bad User
   usershare allow guests = yes
   guest account = nobody

        comment = SPU King County GIS
        path = /mnt
        read only = yes
        guest only = yes
        guest ok = yes
        browseable = yes

The only accounts on the server are the default accounts that are there when the server is built.  The "nobody" account does exist.  All I want is to have a public share that does not prompt for username/password.  Right now, when one browses for the share, they are prompted for username and password.  When I put "nobody" in for username, and blank password, they are granted access to the share.  Thereafter, they are granted access to the share without being prompted for username and password.

I turned up the logging level and this appears in the log for the client, which is what I would expect to be in there.  I would also expect that any user not known on the server (not in passwd file) would be mapped to "Bad User" and then granted access as nobody.  This does not seem to happening.

[2014/02/13 16:04:42.031246,  3] smbd/sesssetup.c:1114(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2014/02/13 16:04:42.031303,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 2437
[2014/02/13 16:04:42.163990,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: McNamaB [Bradley W. McNamara]
[2014/02/13 16:04:42.164061,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [McNamaB at SPU.COS.LOCAL]
[2014/02/13 16:04:42.164296,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username SPU\McNamaB is invalid on this system
[2014/02/13 16:04:42.164338,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/02/13 16:04:53.294408,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client read error = NT_STATUS_CONNECTION_RESET.
[2014/02/13 16:04:53.385036,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

Of course, when the user does exist in the password file, everything works as expected:  no prompting for username and password.  Am I asking for something that Samba cannot deliver?  Am I just losing it and have not done something basic and trivial that is preventing what I want to do?  I am not running 'windbind' as I don't need account info from AD.

Thanks for any and all help!

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

David Bear
mobile: (602) 903-6476

More information about the samba mailing list