[Samba] Cannot share folders access denid PDC+LDAP.
mathias dufresne
infractory at gmail.com
Wed Jun 8 08:15:53 UTC 2016
Hey! I'm glad to read that to begin my day ;)
2016-06-08 0:53 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
> mathias, that flag help me, is now working, thanks!!!
>
> On Mon, Jun 6, 2016 at 11:48 AM, Alberto Moreno <portsbsd at gmail.com>
> wrote:
>
> > Hi mathias, thanks for taking time to see this issue.
> >
> > In my case is not a AD, is still a NT4 style.
> >
> > I will try the option, thanks.
> >
> > On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com>
> > wrote:
> >
> >> Hi Alberto,
> >>
> >> No idea about your issue as I'm playing with Samba to build AD only, I
> >> can only tell you that I did tested on my Samba AD DC and I can use
> upper,
> >> lower or mixed case in user names:
> >>
> >> dc108:/opt/initial_setup# id mtest
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup# id mTest
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup# id MTEST
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup#
> >>
> >> I'm using recent version of Samba, the latest in fact. Perhaps you could
> >> try with more recent version of the product to see if you still get this
> >> error.
> >>
> >> There is also that option in smb.conf manpage:
> >> username level (G)
> >>
> >> This option helps Samba to try and 'guess' at the real UNIX
> >> username, as many DOS clients send an all-uppercase username.
> >> By default Samba tries all lowercase, followed by the
> username
> >> with the first letter capitalized, and fails if the username is not
> found
> >> on the UNIX machine.
> >>
> >> If this parameter is set to non-zero the behavior changes.
> >> This parameter is a number that specifies the number of uppercase
> >> combinations to try while trying to determine the UNIX user name. The
> >> higher the number the more combinations will be tried, but the slower
> the
> >> discovery of usernames will be. Use this parameter when you have strange
> >> usernames on your UNIX machine, such as AstrangeUser .
> >>
> >> This parameter is needed only on UNIX systems that have case
> >> sensitive usernames.
> >>
> >> Default: username level = 0
> >>
> >> Example: username level = 5
> >>
> >> Some others tests I did after reading "This parameter is needed only on
> >> UNIX systems that have case sensitive usernames."
> >> dc108:/opt/initial_setup# id ROOT
> >> id: ROOT : utilisateur inexistant
> >> dc108:/opt/initial_setup# id rOOt
> >> id: rOOt : utilisateur inexistant
> >> dc108:/opt/initial_setup# id root
> >> uid=0(root) gid=0(root) groupes=0(root)
> >> dc108:/opt/initial_setup#
> >>
> >> So my UNIX system is case sensitive regarding user names but not when it
> >> comes to AD users.
> >>
> >> Using testparm -v and grep:
> >> testparm -v | grep "username level"
> >> Load smb config files from /etc/samba/smb.conf
> >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> Loaded services file OK.
> >> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>
> >> Press enter to see a dump of your service definitions
> >>
> >> username level = 0
> >> dc108:/opt/initial_setup#
> >>
> >> So "username level" is the default: 0 on the system which case sensitive
> >> for non-AD usernames and non-case-sensitive ofr AD users.
> >>
> >> Hoping this helps...
> >>
> >> mathias
> >>
> >>
> >> 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
> >>
> >>> Hi, is time to get help.
> >>>
> >>> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
> >>> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
> >>> I have even 2 Linux Centos 5.x in my domain x64
> >>>
> >>> Now, I have add 1 Centos 6.x x64 updated.
> >>>
> >>> Samba 3.6.23-35.el6_8
> >>>
> >>> I had setup LDAP client on this server to get users/groups and add to
> my
> >>> domain with net rpc join, no issue.
> >>>
> >>> I can see the server on my domain no issue, the problem start went I
> >>> setup
> >>> my shares folders and some users.
> >>>
> >>> Public folders no problem, the problem are went I use usernames where
> >>> have
> >>> 'Uppercase' the firs letter.
> >>>
> >>> For some strange reason cannot talk very well with my ldap server.
> >>>
> >>> Case 1: upper and lower case.
> >>>
> >>> SERVER GOOD:
> >>>
> >>> [root at servera ~]# id Test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
> >>> [root at aervera ~]# id test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain
> Users),10001(pvsw)
> >>> [root at servera ~]#
> >>>
> >>> Test or test return info.
> >>>
> >>> Now let test the SERVER-BAD
> >>> [root at mbx-server2 opt]# id test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain
> Users),10001(pvsw)
> >>> [root at mbx-server2 opt]# id Test
> >>> id: Test: No such user
> >>> [root at mbx-server2 opt]#
> >>>
> >>> test is diff than Test.
> >>>
> >>> Now, what happen on my domain?
> >>>
> >>> I have some users that appear like this on windows:
> >>>
> >>> Notadmin.
> >>>
> >>> I setup my share:
> >>>
> >>> [nasa]
> >>> path = /opt/it
> >>> writeable = Yes
> >>> public = No
> >>> guest ok = No
> >>> valid users = test, Notadmin, dflores
> >>> create mode = 0770
> >>> directory mode = 0770
> >>> force group = itmbx
> >>> force create mode = 0770
> >>> force directory mode = 0770
> >>> admin users = root Notadmin
> >>>
> >>> The user Notadmin cannot access this share.
> >>>
> >>> I had check settings but I use the same us the other servers, some new
> >>> flags but nothing that took my attention:
> >>>
> >>> [global]
> >>> workgroup = MYDOMAIN
> >>> netbios name = mbx-server2
> >>> hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
> >>> 192.168.30., 192.168.40., 192.168.50.
> >>> hosts deny = 0.0.0.0
> >>> smb ports = 139 445
> >>> lanman auth = Yes
> >>> client lanman auth = Yes
> >>> security = DOMAIN
> >>> encrypt passwords = yes
> >>> syslog = 1
> >>> log level = 1
> >>> log file = /var/log/samba/%m.%U.log
> >>> max log size = 2048
> >>> socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
> >>> name resolve order = wins bcast hosts lmhost
> >>> username map = /etc/samba/usermap
> >>> domain logons = No
> >>> domain master = No
> >>> local master = No
> >>> preferred master = No
> >>> wins server = 192.168.2.24
> >>> idmap config * : backend = ldap
> >>> idmap config * : range = 10000-20000
> >>> logon path =
> >>> logon home =
> >>> display charset = LOCALE
> >>> unix charset = UTF-8
> >>> dos charset = CP850
> >>> client ipc signing = auto
> >>> map to guest = Bad User
> >>> load printers = No
> >>> show add printer wizard = No
> >>> use sendfile = Yes
> >>> map readonly = no
> >>> case sensitive = No
> >>> dns proxy = No
> >>> winbind separator = +
> >>>
> >>>
> >>> What SAMBA-BAD say on logs:
> >>>
> >>> [2016/05/31 09:24:48.856147, 3]
> >>> ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
> >>> Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM]
> >>> len1=24
> >>> len2=288
> >>> [2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password)
> >>> check_ntlm_password: Checking password for unmapped user
> >>> [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
> >>> [2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password)
> >>> check_ntlm_password: mapped user is:
> >>> [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
> >>> [2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account)
> >>> Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
> >>> denying access.
> >>> [2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password)
> >>> check_ntlm_password: Authentication for user [Notadmin] ->
> [Notadmin]
> >>> FAILED with error NT_STATUS_NO_SUCH_USER
> >>> [2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest)
> >>>
> >>> Any recomendation about I will appreciated, thanks!!!
> >>> --
> >>> LIving the dream...
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions: https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >>
> >
> >
> > --
> > LIving the dream...
> >
>
>
>
> --
> LIving the dream...
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list