[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
Andrew Martin
amartin at xes-inc.com
Mon Aug 6 14:05:22 UTC 2018
----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:29:59 PM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto
> On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
> Andrew Martin <amartin at xes-inc.com> wrote:
>
>> ----- Original Message -----
>> > From: "samba" <samba at lists.samba.org>
>> > To: "samba" <samba at lists.samba.org>
>> > Sent: Tuesday, July 17, 2018 2:54:17 AM
>> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
>> > Samba 4.7.0 fileserver when map untrusted to domain = auto
>>
>> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
>> > Andrew Martin via samba <samba at lists.samba.org> wrote:
>> >
>> >> Hello,
>> >>
>> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> >> fileserver is joined to a Samba4 AD Domain. I have configured the
>> >> following options to allow guest access to a share:
>> >>
>> >> [global]
>> >> guest account = nobody
>> >> map to guest = Bad User
>> >>
>> >> [Share]
>> >> guest ok = yes
>> >>
>> >> When attempting to connect from a local account on a Windows 7
>> >> client (the client is joined to the domain but the local account
>> >> is local to the machine), I can no longer connect as a guest to
>> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
>> >> further, I can successfully authenticate as a guest if I specify
>> >> the AD domain name (EXAMPLE.COM) or the hostname of the fileserver
>> >> (FILESERVER) but NOT if I use the hostname of the Windows 7 client
>> >> (WINDOWS7CLIENT):
>> >>
>> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >>
>> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >>
>> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
>> >> session setup failed: NT_STATUS_LOGON_FAILURE
>> >>
>> >> I think setting "map untrusted to domain = no" will resolve this
>> >> problem since the user will get mapped to
>> >> FILESERVER\LocalWindowsUser instead of
>> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
>> >> however this is not a long-term solution since it looks like this
>> >> option is being removed in Samba 4.8. How can I allow a local
>> >> Windows user to authenticate as a guest to this share?
>> >>
>> >>
>> >> Thanks,
>> >>
>> >> Andrew
>> >>
>> >
>> > Have you tried not using '-W' ?
>> >
>> > You talk about 'authenticating' as guest, but this is the last thing
>> > that will happen, if a user connects to a share with an invalid
>> > password it will be rejected, unless the user is also invalid (i.e.
>> > unknown), if so the user is silently mapped to guest. There is no
>> > authentication involved, exactly the opposite ;-)
>> >
>> > Rowland
>> >
>>
>> Rowland,
>>
>> Yes, if I do not use '-W' then it works as expected, mapping to the
>> guest account. However, the use case I am trying to make work is
>> having a local account on a Windows 7 client access the share as
>> guest. Windows will always pass along the workgroup of the local
>> account so there's no way for me to omit it. How can I allow
>> successful guest mapping in this case?
>>
>> Thanks,
>>
>> Andrew
>
> I see what you are getting at, the Windows PC is sending
> ANOTHERWORKGROUP\username to a Samba machine that expects
> WORKGROUP\username and is being rejected.
>
> man smb.conf says this about 'map to guest = Bad User':
>
> Means user logins with an invalid password
> are rejected, unless the username does not exist, in
> which case it is treated as a guest login and mapped
> into the guest account.
>
> So from my reading, never mind an invalid password, the user
> 'ANOTHERWORKGROUP\username' will not exist on the Samba machine with the
> 'WORKGROUP' workgroup, so it should get mapped to guest. If it doesn't
> then it sounds like a bug, so can you please open a bug report.
>
> Rowland
>
Rowland,

I submitted a request to the samba bugzilla maintenance for this bug but have
not heard back on the status of my bug report. Is there a way to check on
the status of a bug report sent to this list?

Thanks,

Andrew