[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Andrew Martin amartin at xes-inc.com
Mon Aug 6 14:05:22 UTC 2018


----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Tuesday, July 17, 2018 2:29:59 PM
> Subject: Re: [Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain =
> auto

> On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
> Andrew Martin <amartin at xes-inc.com> wrote:
> 
>> ----- Original Message -----
>> > From: "samba" <samba at lists.samba.org>
>> > To: "samba" <samba at lists.samba.org>
>> > Sent: Tuesday, July 17, 2018 2:54:17 AM
>> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
>> > Samba 4.7.0 fileserver when map untrusted to domain = auto
>> 
>> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
>> > Andrew Martin via samba <samba at lists.samba.org> wrote:
>> > 
>> >> Hello,
>> >> 
>> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
>> >> fileserver is joined to a Samba4 AD Domain. I have configured the
>> >> following options to allow guest access to a share:
>> >> 
>> >> [global]
>> >>     guest account = nobody
>> >>     map to guest = Bad User
>> >> 
>> >> [Share]
>> >>     guest ok = yes
>> >> 
>> >> When attempting to connect from a local account on a Windows 7
>> >> client (the client is joined to the domain but the local account
>> >> is local to the machine), I can no longer connect as a guest to
>> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
>> >> further, I can successfully authenticate as a guest if I specify
>> >> the AD domain name (EXAMPLE.COM) or the hostname of the fileserver
>> >> (FILESERVER) but NOT if I use the hostname of the Windows 7 client
>> >> (WINDOWS7CLIENT):
>> >> 
>> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >> 
>> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
>> >> # this works
>> >> 
>> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
>> >> session setup failed: NT_STATUS_LOGON_FAILURE
>> >> 
>> >> I think setting "map untrusted to domain = no" will resolve this
>> >> problem since the user will get mapped to
>> >> FILESERVER\LocalWindowsUser instead of
>> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
>> >> however this is not a long-term solution since it looks like this
>> >> option is being removed in Samba 4.8. How can I allow a local
>> >> Windows user to authenticate as a guest to this share?
>> >> 
>> >> 
>> >> Thanks,
>> >> 
>> >> Andrew
>> >> 
>> > 
>> > Have you tried not using '-W' ?
>> > 
>> > You talk about 'authenticating' as guest, but this is the last thing
>> > that will happen, if a user connects to a share with an invalid
>> > password it will be rejected, unless the user is also invalid (i.e.
>> > unknown), if so the user is silently mapped to guest. There is no
>> > authentication involved, exactly the opposite ;-)
>> > 
>> > Rowland
>> > 
>> 
>> Rowland,
>> 
>> Yes, if I do not use '-W' then it works as expected, mapping to the
>> guest account. However, the use case I am trying to make work is
>> having a local account on a Windows 7 client access the share as
>> guest. Windows will always pass along the workgroup of the local
>> account so there's no way for me to omit it. How can I allow
>> successful guest mapping in this case?
>> 
>> Thanks,
>> 
>> Andrew
> 
> I see what you are getting at, the Windows PC is sending
> ANOTHERWORKGROUP\username to a Samba machine that expects
> WORKGROUP\username and is being rejected.
> 
> man smb.conf says this about 'map to guest = Bad User':
> 
> Means user logins with an invalid password
> are rejected, unless the username does not exist, in
> which case it is treated as a guest login and mapped
> into the guest account.
> 
> So from my reading, never mind an invalid password, the user
> 'ANOTHERWORKGROUP\username' will not exist on the Samba machine with the
> 'WORKGROUP' workgroup, so it should get mapped to guest. If it doesn't
> then it sounds like a bug, so can you please open a bug report.
> 
> Rowland
> 

Rowland,

I submitted a request to the samba bugzilla maintenance for this bug but have 
not heard back on the status of my bug report. Is there a way to check on 
the status of a bug report sent to this list?

Thanks,

Andrew


