[Samba] Cannot share folders access denied PDC+LDAP.

mathias dufresne infractory at gmail.com
Wed Jun 8 08:15:53 UTC 2016


Hey! I'm glad to read that to begin my day ;)

2016-06-08 0:53 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:

> mathias, that flag helped me, it is now working, thanks!!!
>
> On Mon, Jun 6, 2016 at 11:48 AM, Alberto Moreno <portsbsd at gmail.com>
> wrote:
>
> > Hi mathias, thanks for taking time to see this issue.
> >
> > In my case it is not an AD, it is still NT4 style.
> >
> > I will try the option, thanks.
> >
> > On Mon, Jun 6, 2016 at 5:31 AM, mathias dufresne <infractory at gmail.com>
> > wrote:
> >
> >> Hi Alberto,
> >>
> >> No idea about your issue as I'm playing with Samba to build AD only, I
> >> can only tell you that I tested on my Samba AD DC and I can use upper,
> >> lower or mixed case in user names:
> >>
> >> dc108:/opt/initial_setup# id mtest
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup# id mTest
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup# id MTEST
> >> uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
> >> groupes=3000018(AD\not_system_users),3000017(AD\mtest)
> >> dc108:/opt/initial_setup#
> >>
> >> I'm using recent version of Samba, the latest in fact. Perhaps you could
> >> try with more recent version of the product to see if you still get this
> >> error.
> >>
> >> There is also that option in smb.conf manpage:
> >>        username level (G)
> >>
> >>            This option helps Samba to try and 'guess' at the real UNIX
> >> username, as many DOS clients send an all-uppercase username.
> >>            By default Samba tries all lowercase, followed by the username
> >> with the first letter capitalized, and fails if the username is not found
> >> on the UNIX machine.
> >>
> >>            If this parameter is set to non-zero the behavior changes.
> >> This parameter is a number that specifies the number of uppercase
> >> combinations to try while trying to determine the UNIX user name. The
> >> higher the number the more combinations will be tried, but the slower the
> >> discovery of usernames will be. Use this parameter when you have strange
> >> usernames on your UNIX machine, such as AstrangeUser.
> >>
> >>            This parameter is needed only on UNIX systems that have case
> >> sensitive usernames.
> >>
> >>            Default: username level = 0
> >>
> >>            Example: username level = 5
> >>
> >> Some other tests I did after reading "This parameter is needed only on
> >> UNIX systems that have case sensitive usernames."
> >> dc108:/opt/initial_setup# id ROOT
> >> id: ROOT : utilisateur inexistant
> >> dc108:/opt/initial_setup# id rOOt
> >> id: rOOt : utilisateur inexistant
> >> dc108:/opt/initial_setup# id root
> >> uid=0(root) gid=0(root) groupes=0(root)
> >> dc108:/opt/initial_setup#
> >>
> >> So my UNIX system is case sensitive regarding user names but not when it
> >> comes to AD users.
> >>
> >> Using testparm -v and grep:
> >>  testparm -v | grep "username level"
> >> Load smb config files from /etc/samba/smb.conf
> >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> >> Processing section "[netlogon]"
> >> Processing section "[sysvol]"
> >> Loaded services file OK.
> >> Server role: ROLE_ACTIVE_DIRECTORY_DC
> >>
> >> Press enter to see a dump of your service definitions
> >>
> >>         username level = 0
> >> dc108:/opt/initial_setup#
> >>
> >> So "username level" is the default: 0 on the system which is case sensitive
> >> for non-AD usernames and non-case-sensitive for AD users.
> >>
> >> Hoping this helps...
> >>
> >> mathias
> >>
> >>
> >> 2016-06-03 2:30 GMT+02:00 Alberto Moreno <portsbsd at gmail.com>:
> >>
> >>> Hi, is time to get help.
> >>>
> >>> I have a DOMAIN with samba3.6.23-9.el5_11 Centos 5.11 x64
> >>> Windows XP/Win7/Win8.1 domain no issues.(x32/x64)
> >>> I have even 2 Linux Centos 5.x in my domain x64
> >>>
> >>> Now, I have add 1 Centos 6.x x64 updated.
> >>>
> >>> Samba 3.6.23-35.el6_8
> >>>
> >>> I had setup LDAP client on this server to get users/groups and add to my
> >>> domain with net rpc join, no issue.
> >>>
> >>> I can see the server on my domain no issue, the problem starts when I setup
> >>> my shares folders and some users.
> >>>
> >>> Public folders no problem, the problem is when I use usernames that have
> >>> 'Uppercase' as the first letter.
> >>>
> >>> For some strange reason cannot talk very well with my ldap server.
> >>>
> >>> Case 1: upper and lower case.
> >>>
> >>> SERVER GOOD:
> >>>
> >>> [root at servera ~]# id Test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
> >>> [root at aervera ~]# id test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> >>> [root at servera ~]#
> >>>
> >>> Test or test return info.
> >>>
> >>> Now let test the SERVER-BAD
> >>> [root at mbx-server2 opt]# id test
> >>> uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
> >>> [root at mbx-server2 opt]# id Test
> >>> id: Test: No such user
> >>> [root at mbx-server2 opt]#
> >>>
> >>> test is diff than Test.
> >>>
> >>> Now, what happen on my domain?
> >>>
> >>> I have some users that appear like this on windows:
> >>>
> >>> Notadmin.
> >>>
> >>> I setup my share:
> >>>
> >>> [nasa]
> >>>         path = /opt/it
> >>>         writeable = Yes
> >>>         public = No
> >>>         guest ok = No
> >>>         valid users = test, Notadmin, dflores
> >>>         create mode = 0770
> >>>         directory mode = 0770
> >>>         force group = itmbx
> >>>         force create mode = 0770
> >>>         force directory mode = 0770
> >>>         admin users = root Notadmin
> >>>
> >>> The user Notadmin cannot access this share.
> >>>
> >>> I had checked the settings but I use the same as the other servers, some new
> >>> flags but nothing that took my attention:
> >>>
> >>> [global]
> >>>         workgroup = MYDOMAIN
> >>>         netbios name = mbx-server2
> >>>         hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.
> >>>         hosts deny = 0.0.0.0
> >>>         smb ports = 139 445
> >>>         lanman auth = Yes
> >>>         client lanman auth = Yes
> >>>         security = DOMAIN
> >>>         encrypt passwords = yes
> >>>         syslog = 1
> >>>         log level = 1
> >>>         log file = /var/log/samba/%m.%U.log
> >>>         max log size = 2048
> >>>         socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
> >>>         name resolve order = wins bcast hosts lmhost
> >>>         username map = /etc/samba/usermap
> >>>         domain logons = No
> >>>         domain master = No
> >>>         local master = No
> >>>         preferred master = No
> >>>         wins server = 192.168.2.24
> >>>         idmap config * : backend = ldap
> >>>         idmap config * : range = 10000-20000
> >>>         logon path =
> >>>         logon home =
> >>>         display charset = LOCALE
> >>>         unix charset = UTF-8
> >>>         dos charset = CP850
> >>>         client ipc signing = auto
> >>>         map to guest = Bad User
> >>>         load printers = No
> >>>         show add printer wizard = No
> >>>         use sendfile = Yes
> >>>         map readonly = no
> >>>         case sensitive = No
> >>>         dns proxy = No
> >>>         winbind separator = +
> >>>
> >>>
> >>> What SAMBA-BAD say on logs:
> >>>
> >>> [2016/05/31 09:24:48.856147,  3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
> >>>   Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24 len2=288
> >>> [2016/05/31 09:24:48.856641,  3] auth/auth.c:219(check_ntlm_password)
> >>>   check_ntlm_password:  Checking password for unmapped user [MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
> >>> [2016/05/31 09:24:48.856751,  3] auth/auth.c:222(check_ntlm_password)
> >>>   check_ntlm_password:  mapped user is: [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
> >>> [2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)
> >>>   Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(), denying access.
> >>> [2016/05/31 09:24:48.864888,  2] auth/auth.c:330(check_ntlm_password)
> >>>   check_ntlm_password:  Authentication for user [Notadmin] -> [Notadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> >>> [2016/05/31 09:24:48.864935,  3] smbd/sesssetup.c:63(do_map_to_guest)
> >>>
> >>> Any recommendation about it will be appreciated, thanks!!!
> >>> --
> >>> LIving the dream...
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>
> >>
> >>
> >
> >
> > --
> > LIving the dream...
> >
>
>
>
> --
> LIving the dream...
>
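
Added example, not part of the thread and not Samba's own code: a Python sketch of the lookup order described in the quoted smb.conf manpage text, applied to the `getpwnam()` failure shown in the quoted log. Trying the name as sent first, reading `username level = N` as "up to N uppercase letters", and the stored spelling `NotAdmin` used when testing are assumptions.

```python
import itertools
import pwd
import re

# Constructed sample in the format of the smbd log quoted in the thread.
SAMPLE_LOG = (
    "[2016/05/31 09:24:48.864733,  3] auth/auth_util.c:1087(check_account)\n"
    "  Failed to find authenticated user MYDOMAIN\\Notadmin via getpwnam(), "
    "denying access.\n"
)
FAILED = re.compile(
    r"Failed to find authenticated user (?:[^\\\s]+\\)?(\S+) via getpwnam\(\)")

def failed_users(log_text):
    """Account names (domain prefix stripped) that smbd could not resolve."""
    return FAILED.findall(log_text)

def candidates(name, level=0):
    """Spellings to try, in order: as sent, lowercase, first letter capitalized,
    then (assumed reading of 'username level') up to `level` uppercase letters."""
    low = name.lower()
    out = [name, low, low.capitalize()]
    for n in range(1, level + 1):
        for idx in itertools.combinations(range(len(low)), n):
            out.append("".join(c.upper() if i in idx else c
                               for i, c in enumerate(low)))
    return list(dict.fromkeys(out))  # de-duplicate, keep order

def nss_lookup(name):
    """True if the local NSS stack (files, LDAP, ...) knows this exact spelling."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def resolve(name, level=0, lookup=nss_lookup):
    """First spelling that resolves, or None (the NT_STATUS_NO_SUCH_USER case)."""
    return next((c for c in candidates(name, level) if lookup(c)), None)

if __name__ == "__main__":
    for user in failed_users(SAMPLE_LOG):
        for level in (0, 2, 5):
            print(user, "level", level, "tries", len(candidates(user, level)),
                  "->", resolve(user, level))
```

The number of candidates grows combinatorially with the level, which is the slowdown the manpage text mentions.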

