[Samba] Cannot share folders access denied PDC+LDAP.

Alberto Moreno portsbsd at gmail.com
Tue Jun 7 22:53:24 UTC 2016


mathias, that flag helped me, it is now working, thanks!!!

On Mon, Jun 6, 2016 at 11:48 AM, Alberto Moreno <portsbsd at gmail.com> wrote:

> Hi mathias, thanks for taking time to see this issue.
>
> In my case it is not an AD, it is still NT4 style.
>
> I will try the option, thanks.
>
> On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com>
> wrote:
>
>> Hi Alberto,
>>
>> No idea about your issue as I'm playing with Samba to build AD only, I
>> can only tell you that I tested on my Samba AD DC and I can use upper,
>> lower or mixed case in user names:
>>
>> dc108:/opt/initial_setup# id mtest
>> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
>> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
>> dc108:/opt/initial_setup# id mTest
>> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
>> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
>> dc108:/opt/initial_setup# id MTEST
>> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
>> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
>> dc108:/opt/initial_setup#
>>
>> I'm using a recent version of Samba, the latest in fact. Perhaps you could
>> try with a more recent version of the product to see if you still get this
>> error.
>>
>> There is also that option in smb.conf manpage:
>>        username level (G)
>>
>>            This option helps Samba to try and 'guess' at the real UNIX
>> username, as many DOS clients send an all-uppercase username.
>>            By default Samba tries all lowercase, followed by the username
>> with the first letter capitalized, and fails if the username is not found
>> on the UNIX machine.
>>
>>            If this parameter is set to non-zero the behavior changes.
>> This parameter is a number that specifies the number of uppercase
>> combinations to try while trying to determine the UNIX user name. The
>> higher the number the more combinations will be tried, but the slower the
>> discovery of usernames will be. Use this parameter when you have strange
>> usernames on your UNIX machine, such as AstrangeUser .
>>
>>            This parameter is needed only on UNIX systems that have case
>> sensitive usernames.
>>
>>            Default: username level = 0
>>
>>            Example: username level = 5
>>
>> Some other tests I did after reading "This parameter is needed only on
>> UNIX systems that have case sensitive usernames."
>> dc108:/opt/initial_setup# id ROOT
>> id: ROOT : utilisateur inexistant
>> dc108:/opt/initial_setup# id rOOt
>> id: rOOt : utilisateur inexistant
>> dc108:/opt/initial_setup# id root
>> uid=0(root) gid=0(root) groupes=0(root)
>> dc108:/opt/initial_setup#
>>
>> So my UNIX system is case sensitive regarding user names but not when it
>> comes to AD users.
>>
>> Using testparm -v and grep:
>>  testparm -v | grep "username level"
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>>         username level = 0
>> dc108:/opt/initial_setup#
>>
>> So "username level" is the default: 0 on the system which is case sensitive
>> for non-AD usernames and non-case-sensitive for AD users.
>>
>> Hoping this helps...
>>
>> mathias
>>
>>
>> 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
>>
>>> Hi, it is time to get help.
>>>
>>> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
>>> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
>>> I have even 2 Linux Centos 5.x in my domain x64
>>>
>>> Now, I have added 1 Centos 6.x x64 updated.
>>>
>>> Samba 3.6.23-35.el6_8
>>>
>>> I had set up LDAP client on this server to get users/groups and add to my
>>> domain with net rpc join, no issue.
>>>
>>> I can see the server on my domain no issue, the problem starts when I
>>> set up my shared folders and some users.
>>>
>>> Public folders no problem, the problem is when I use usernames that
>>> have an uppercase first letter.
>>>
>>> For some strange reason it cannot talk very well with my ldap server.
>>>
>>> Case 1: upper and lower case.
>>>
>>> SERVER GOOD:
>>>
>>> [root at servera ~]# id Test
>>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
>>> [root at aervera ~]# id test
>>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>>> [root at servera ~]#
>>>
>>> Test or test return info.
>>>
>>> Now let's test the SERVER-BAD
>>> [root at mbx-server2 opt]# id test
>>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
>>> [root at mbx-server2 opt]# id Test
>>> id: Test: No such user
>>> [root at mbx-server2 opt]#
>>>
>>> test is different from Test.
>>>
>>> Now, what happens on my domain?
>>>
>>> I have some users that appear like this on windows:
>>>
>>> Notadmin.
>>>
>>> I setup my share:
>>>
>>> [nasa]
>>>         path = /opt/it
>>>         writeable = Yes
>>>         public = No
>>>         guest ok = No
>>>         valid users = test, Notadmin, dflores
>>>         create mode = 0770
>>>         directory mode = 0770
>>>         force group = itmbx
>>>         force create mode = 0770
>>>         force directory mode = 0770
>>>         admin users = root Notadmin
>>>
>>> The user Notadmin cannot access this share.
>>>
>>> I have checked the settings but I use the same as the other servers, some new
>>> flags but nothing that caught my attention:
>>>
>>> [global]
>>>         workgroup = MYDOMAIN
>>>         netbios name = mbx-server2
>>>         hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.
>>>         hosts deny = 0.0.0.0
>>>         smb ports = 139 445
>>>         lanman auth = Yes
>>>         client lanman auth = Yes
>>>         security = DOMAIN
>>>         encrypt passwords = yes
>>>         syslog = 1
>>>         log level = 1
>>>         log file = /var/log/samba/%m.%U.log
>>>         max log size = 2048
>>>         socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
>>>         name resolve order = wins bcast hosts lmhost
>>>         username map = /etc/samba/usermap
>>>         domain logons = No
>>>         domain master = No
>>>         local master = No
>>>         preferred master = No
>>>         wins server = 192.168.2.24
>>>         idmap config * : backend = ldap
>>>         idmap config * : range = 10000-20000
>>>         logon path =
>>>         logon home =
>>>         display charset = LOCALE
>>>         unix charset = UTF-8
>>>         dos charset = CP850
>>>         client ipc signing = auto
>>>         map to guest = Bad User
>>>         load printers = No
>>>         show add printer wizard = No
>>>         use sendfile = Yes
>>>         map readonly = no
>>>         case sensitive = No
>>>         dns proxy = No
>>>         winbind separator = +
>>>
>>>
>>> What SAMBA-BAD says in the logs:
>>>
>>> [2016/05/31 09:24:48.856147,  3]
>>> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
>>>   Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM]
>>> len1=24
>>> len2=288
>>> [2016/05/31 09:24:48.856641,  3] auth/auth.c:219(check_ntlm_password)
>>>   check_ntlm_password:  Checking password for unmapped user
>>> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
>>> [2016/05/31 09:24:48.856751,  3] auth/auth.c:222(check_ntlm_password)
>>>   check_ntlm_password:  mapped user is:
>>> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
>>> [2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)
>>>   Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
>>> denying access.
>>> [2016/05/31 09:24:48.864888,  2] auth/auth.c:330(check_ntlm_password)
>>>   check_ntlm_password:  Authentication for user [Notadmin] -> [Notadmin]
>>> FAILED with error NT_STATUS_NO_SUCH_USER
>>> [2016/05/31 09:24:48.864935,  3] smbd/sesssetup.c:63(do_map_to_guest)
>>>
>>> Any recommendation will be appreciated, thanks!!!
>>> --
>>> LIving the dream...
>>>
>>
>>
>
>
> --
> LIving the dream...
>



-- 
LIving the dream...
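
Added example, not part of the original thread and not Samba's own code: a Python check that pulls the `getpwnam()` failures out of smbd log lines like the ones quoted above and tests whether the rejected name differs from an existing UNIX account only by letter case, which is the situation the quoted `username level` option addresses. The function names, the account list and the lowercase `notadmin` entry are assumptions; the log sample is constructed from the lines in the post, with the mail wrapping undone.

```python
import re

# Constructed sample: smbd log lines in the format quoted in the thread,
# with the e-mail line wrapping removed.
SAMPLE_LOG = """\
[2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)
  Failed to find authenticated user MYDOMAIN\\Notadmin via getpwnam(), denying access.
[2016/05/31 09:24:48.864888,  2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password:  Authentication for user [Notadmin] -> [Notadmin] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Constructed account list, standing in for the first field of `getent passwd`.
SAMPLE_ACCOUNTS = ["root", "test", "notadmin", "dflores"]

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\]")
FAILED = re.compile(
    r"Failed to find authenticated user (?:(?P<dom>[^\\\s]+)\\)?(?P<user>\S+) via getpwnam\(\)")


def getpwnam_failures(log_text):
    """Yield (timestamp, domain, user) for each getpwnam() lookup failure."""
    ts = None
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if head:                      # header line carries the timestamp
            ts = head.group("ts")
            continue
        hit = FAILED.search(line)     # message is on the indented line below it
        if hit:
            yield ts, hit.group("dom"), hit.group("user")


def classify(user, accounts):
    """Say whether a rejected name is missing or only differs in case."""
    if user in accounts:
        return "exact match exists; case is not the cause"
    folded = [a for a in accounts if a.lower() == user.lower()]
    if folded:
        return "case mismatch with %s" % ", ".join(folded)
    return "no such account in any case"


def report(log_text, accounts):
    """Return (timestamp, user, verdict) for every failure in the log."""
    return [(ts, user, classify(user, accounts))
            for ts, _dom, user in getpwnam_failures(log_text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, SAMPLE_ACCOUNTS):
        print(*row, sep="  ")
```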

