[Samba] Cannot share folders, access denied PDC+LDAP.

mathias dufresne infractory at gmail.com
Mon Jun 6 12:31:34 UTC 2016


Hi Alberto,

No idea about your issue as I'm playing with Samba to build AD only; I can
only tell you that I did test on my Samba AD DC and I can use upper,
lower or mixed case in user names:

dc108:/opt/initial_setup# id mtest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id mTest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id MTEST
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup#

I'm using a recent version of Samba, the latest in fact. Perhaps you could
try with a more recent version of the product to see if you still get this
error.

There is also this option in the smb.conf manpage:

       username level (G)

           This option helps Samba to try and 'guess' at the real UNIX
           username, as many DOS clients send an all-uppercase username.
           By default Samba tries all lowercase, followed by the username
           with the first letter capitalized, and fails if the username is
           not found on the UNIX machine.

           If this parameter is set to non-zero the behavior changes. This
           parameter is a number that specifies the number of uppercase
           combinations to try while trying to determine the UNIX user name.
           The higher the number the more combinations will be tried, but
           the slower the discovery of usernames will be. Use this parameter
           when you have strange usernames on your UNIX machine, such as
           AstrangeUser.

           This parameter is needed only on UNIX systems that have case
           sensitive usernames.

           Default: username level = 0

           Example: username level = 5

Some other tests I did after reading "This parameter is needed only on
UNIX systems that have case sensitive usernames.":
dc108:/opt/initial_setup# id ROOT
id: ROOT : utilisateur inexistant
dc108:/opt/initial_setup# id rOOt
id: rOOt : utilisateur inexistant
dc108:/opt/initial_setup# id root
uid=0(root) gid=0(root) groupes=0(root)
dc108:/opt/initial_setup#

So my UNIX system is case sensitive regarding user names but not when it
comes to AD users.

Using testparm -v and grep:
 testparm -v | grep "username level"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

        username level = 0
dc108:/opt/initial_setup#

So "username level" is at the default, 0, on a system which is case sensitive
for non-AD usernames and not case sensitive for AD users.

Hoping this helps...

mathias


2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:

> Hi, it's time to get help.
>
> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
> I have even 2 Linux Centos 5.x in my domain x64
>
> Now, I have added 1 Centos 6.x x64, updated.
>
> Samba 3.6.23-35.el6_8
>
> I had set up an LDAP client on this server to get users/groups and added it to my
> domain with net rpc join, no issue.
>
> I can see the server on my domain, no issue; the problem starts when I set up
> my shared folders and some users.
>
> Public folders, no problem; the problem is when I use usernames that have
> the first letter in 'Uppercase'.
>
> For some strange reason it cannot talk very well with my LDAP server.
>
> Case 1: upper and lower case.
>
> SERVER GOOD:
>
> [root at servera ~]# id Test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
> [root at aervera ~]# id test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> [root at servera ~]#
>
> Test or test return info.
>
> Now let's test the SERVER-BAD:
> [root at mbx-server2 opt]# id test
> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> [root at mbx-server2 opt]# id Test
> id: Test: No such user
> [root at mbx-server2 opt]#
>
> test is different than Test.
>
> Now, what happens on my domain?
>
> I have some users that appear like this on windows:
>
> Notadmin.
>
> I setup my share:
>
> [nasa]
>         path = /opt/it
>         writeable = Yes
>         public = No
>         guest ok = No
>         valid users = test, Notadmin, dflores
>         create mode = 0770
>         directory mode = 0770
>         force group = itmbx
>         force create mode = 0770
>         force directory mode = 0770
>         admin users = root Notadmin
>
> The user Notadmin cannot access this share.
>
> I had checked the settings, but I use the same as on the other servers, some new
> flags but nothing that caught my attention:
>
> [global]
>         workgroup = MYDOMAIN
>         netbios name = mbx-server2
>         hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
> 192.168.30., 192.168.40., 192.168.50.
>         hosts deny = 0.0.0.0
>         smb ports = 139 445
>         lanman auth = Yes
>         client lanman auth = Yes
>         security = DOMAIN
>         encrypt passwords = yes
>         syslog = 1
>         log level = 1
>         log file = /var/log/samba/%m.%U.log
>         max log size = 2048
>         socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
>         name resolve order = wins bcast hosts lmhost
>         username map = /etc/samba/usermap
>         domain logons = No
>         domain master = No
>         local master = No
>         preferred master = No
>         wins server = 192.168.2.24
>         idmap config * : backend = ldap
>         idmap config * : range = 10000-20000
>         logon path =
>         logon home =
>         display charset = LOCALE
>         unix charset = UTF-8
>         dos charset = CP850
>         client ipc signing = auto
>         map to guest = Bad User
>         load printers = No
>         show add printer wizard = No
>         use sendfile = Yes
>         map readonly = no
>         case sensitive = No
>         dns proxy = No
>         winbind separator = +
>
>
> What SAMBA-BAD says in the logs:
>
> [2016/05/31 09:24:48.856147,  3]
> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
>   Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
> len2=288
> [2016/05/31 09:24:48.856641,  3] auth/auth.c:219(check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
> [2016/05/31 09:24:48.856751,  3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password:  mapped user is:
> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
> [2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)
>   Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
> denying access.
> [2016/05/31 09:24:48.864888,  2] auth/auth.c:330(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [Notadmin] -> [Notadmin]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2016/05/31 09:24:48.864935,  3] smbd/sesssetup.c:63(do_map_to_guest)
>
> Any recommendation about it I will appreciate, thanks!!!
> --
> Living the dream...
>

