[Samba] Classic PDC appears to revert to guest login on Samba 4

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 08:42:05 UTC 2015 

On 11/09/15 15:51, tda at ls83.eclipse.co.uk wrote:
> Hi
>
> Just upgraded a classic PDC running Samba 3.6 to 4.1 and although I 
> can log in from a workstation (testing with W2k and XP), no drives are 
> mapped. From the logs it appears that I'm being logged in as guest. 
> smb.conf has been stable for 10+ years under Samba 3. I have added the 
> first line (server role), other than that it's untouched:
>
>
> [global]
>         server role = classic primary domain controller
>     workgroup = NTDOMAIN
>     server string = Samba %v
>     passdb backend = tdbsam
>     log file = /var/log/samba/log.%m
>         log level = 5
>     max log size = 500
>     time server = Yes
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8760 
> SO_RCVBUF=8760
>     show add printer wizard = No
>     logon script = logon.bat
>     logon path =
>     logon home =
>     domain logons = Yes
>     os level = 64
>     preferred master = Yes
>     domain master = Yes
>     dns proxy = No
>     hosts allow = 172.27.113., 192.168.2., 127.
>         load printers = yes
>     printing = cups
>         printcap name = cups
>     print command =
>     lpq command = %p
>     lprm command =
>     veto files = /*:/
>         msdfs root = no
>         wins support = yes
>         name resolve order = wins hosts lmhosts bcast
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         browseable = no
>         public = yes
>         guest ok = yes
>         read only = yes
>         printable = yes
>
> [Data]
>     comment = Development Data
>     path = /mnt/sdb1/samba/share1/Data
>     valid users = +devel
>     read only = No
>         create mask = 0770
>         directory mask = 0770
>         force directory mode = 02770
>         force create mode = 0660
>
> [homes]
>     comment = Home Directory
>     path = /mnt/sdb1/samba/share1/Users/%S
>     valid users = +users
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>         force directory mode = 0
>         force create mode = 0
>     browseable = No
>
> [netlogon]
>     path = /home/netlogon
>     write list = root
>         msdfs root = yes
>
> [print$]
>         comment = Printer Drivers
>         path = /var/lib/samba/printers
>         browseable = yes
>         guest ok = no
>         read only = no
>         write list = root
>
>
> In the logs this looks suspicious:
>
> [2015/09/11 15:22:55.478781,  4] 
> ../source3/param/loadparm.c:4878(lp_load_ex)
>   pm_process() returned Yes
> [2015/09/11 15:22:55.478818,  3] 
> ../source3/param/loadparm.c:1774(lp_add_ipc)
>   adding IPC service
> [2015/09/11 15:22:55.478860,  5] 
> ../source3/auth/auth_util.c:115(make_user_info_map)
>   Mapping user []\[] from workstation [DELL]
> [2015/09/11 15:22:55.478906,  5] 
> ../source3/auth/auth_util.c:137(make_user_info_map)
>   Mapped domain from [] to [NTDOMAIN] for user [] from workstation [DELL]
> [2015/09/11 15:22:55.478935,  5] 
> ../source3/auth/user_info.c:61(make_user_info)
>   attempting to make a user_info for  ()
> [2015/09/11 15:22:55.478961,  5] 
> ../source3/auth/user_info.c:72(make_user_info)
>   making strings for 's user_info struct
> [2015/09/11 15:22:55.478989,  5] 
> ../source3/auth/user_info.c:92(make_user_info)
>   making blobs for 's user_info struct
> [2015/09/11 15:22:55.479017,  3] 
> ../source3/auth/auth.c:177(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user 
> []\[]@[DELL] with the new password interface
> [2015/09/11 15:22:55.479045,  3] 
> ../source3/auth/auth.c:180(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [NTDOMAIN]\[]@[DELL]
> [2015/09/11 15:22:55.479078,  5] ../lib/util/util.c:556(dump_data)
>   [0000] 54 9F 54 CF 39 A9 CD 4B T.T.9..K
> [2015/09/11 15:22:55.479130,  3] 
> ../source3/auth/auth.c:226(auth_check_ntlm_password)
>   check_ntlm_password: guest authentication for user [] succeeded
> [2015/09/11 15:22:55.479159,  5] 
> ../source3/auth/auth.c:278(auth_check_ntlm_password)
>   check_ntlm_password:  guest authentication for user [] -> [] -> 
> [nobody] succeeded
> [2015/09/11 15:22:55.479200,  3] 
> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2015/09/11 15:22:55.479227,  3] 
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>
>
> Looks like I'm ending up as a guest.
>
> Thanks
>
> Tim
>

How did you do the upgrade ? what I mean is, did you upgrade the OS as 
well, or did you just upgrade samba and if so how.

I think you are correct in your assumption, there is this in your log 
fragment:

mapped user is: [NTDOMAIN]\[]@[DELL]

Note that the whilst the domain is mapped, there is no username.

A couple of things you could try, add 'map to guest = bad user' to 
smb.conf and restart, this will not cure the problem, but it may get the 
shares mapped. The other thing you could try, remove the 'server role' 
line, you do not need it, the only 'server role' that works at present 
is being an AD DC.

Rowland

More information about the samba mailing list