[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Rowland Penny rpenny at samba.org
Mon Aug 6 14:26:11 UTC 2018


On Mon, 6 Aug 2018 09:05:22 -0500 (CDT)
Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Tuesday, July 17, 2018 2:29:59 PM
> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
> > Samba 4.7.0 fileserver when map untrusted to domain = auto
> 
> > On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
> > Andrew Martin <amartin at xes-inc.com> wrote:
> > 
> >> ----- Original Message -----
> >> > From: "samba" <samba at lists.samba.org>
> >> > To: "samba" <samba at lists.samba.org>
> >> > Sent: Tuesday, July 17, 2018 2:54:17 AM
> >> > Subject: Re: [Samba] Cannot authenticate as guest to
> >> > domain-joined Samba 4.7.0 fileserver when map untrusted to
> >> > domain = auto
> >> 
> >> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> >> > Andrew Martin via samba <samba at lists.samba.org> wrote:
> >> > 
> >> >> Hello,
> >> >> 
> >> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
> >> >> fileserver is joined to a Samba4 AD Domain. I have configured
> >> >> the following options to allow guest access to a share:
> >> >> 
> >> >> [global]
> >> >>     guest account = nobody
> >> >>     map to guest = Bad User
> >> >> 
> >> >> [Share]
> >> >>     guest ok = yes
> >> >> 
> >> >> When attempting to connect from a local account on a Windows 7
> >> >> client (the client is joined to the domain but the local account
> >> >> is local to the machine), I can no longer connect as a guest to
> >> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
> >> >> further, I can successfully authenticate as a guest if I specify
> >> >> the AD domain name (EXAMPLE.COM) or the hostname of the
> >> >> fileserver (FILESERVER) but NOT if I use the hostname of the
> >> >> Windows 7 client (WINDOWS7CLIENT):
> >> >> 
> >> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser% # this works
> >> >> 
> >> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser% # this works
> >> >> 
> >> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
> >> >> session setup failed: NT_STATUS_LOGON_FAILURE
> >> >> 
> >> >> I think setting "map untrusted to domain = no" will resolve this
> >> >> problem since the user will get mapped to
> >> >> FILESERVER\LocalWindowsUser instead of
> >> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
> >> >> however this is not a long-term solution since it looks like
> >> >> this option is being removed in Samba 4.8. How can I allow a
> >> >> local Windows user to authenticate as a guest to this share?
> >> >> 
> >> >> 
> >> >> Thanks,
> >> >> 
> >> >> Andrew
> >> >> 
> >> > 
> >> > Have you tried not using '-W' ?
> >> > 
> >> > You talk about 'authenticating' as guest, but this is the last
> >> > thing that will happen, if a user connects to a share with an
> >> > invalid password it will be rejected, unless the user is also
> >> > invalid (i.e. unknown), if so the user is silently mapped to
> >> > guest. There is no authentication involved, exactly the
> >> > opposite ;-)
> >> > 
> >> > Rowland
> >> > 
> >> 
> >> Rowland,
> >> 
> >> Yes, if I do not use '-W' then it works as expected, mapping to the
> >> guest account. However, the use case I am trying to make work is
> >> having a local account on a Windows 7 client access the share as
> >> guest. Windows will always pass along the workgroup of the local
> >> account so there's no way for me to omit it. How can I allow
> >> successful guest mapping in this case?
> >> 
> >> Thanks,
> >> 
> >> Andrew
> > 
> > I see what you are getting at, the Windows PC is sending
> > ANOTHERWORKGROUP\username to a Samba machine that expects
> > WORKGROUP\username and is being rejected.
> > 
> > man smb.conf says this about 'map to guest = Bad User':
> > 
> > Means user logins with an invalid password
> > are rejected, unless the username does not exist, in
> > which case it is treated as a guest login and mapped
> > into the guest account.
> > 
> > So from my reading, never mind an invalid password, the user
> > 'ANOTHERWORKGROUP\username' will not exist on the Samba machine with
> > the 'WORKGROUP' workgroup, so it should get mapped to guest. If it
> > doesn't then it sounds like a bug, so can you please open a bug
> > report.
> > 
> > Rowland
> > 
> 
> Rowland,
> 
> I submitted a request to the samba bugzilla maintenance for this bug
> but have not heard back on the status of my bug report. Is there a
> way to check on the status of a bug report sent to this list?
> 
> Thanks,
> 
> Andrew

Hi Andrew, I just tried to get the account request mail sent to you,
but it seems your account exists, have you tried looking in your spam
folder ?

Rowland
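
An added example, not part of the thread and not Samba code: because 'map to guest = Bad User' turns an unknown user into the guest account without any authentication, it helps to list which shares that mapping actually opens. The function names and SAMPLE_CONF are assumptions built from the options quoted above; 'include' files and backslash line continuations are not handled.

```python
# Added example: list the shares that silent guest mapping exposes in an smb.conf.
SAMPLE_CONF = """\
[global]
    guest account = nobody
    map to guest = Bad User

[Share]
    guest ok = yes

[Private]
    path = /srv/private
"""

TRUE_VALUES = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {option: value}}; names lower-cased, inner whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def guest_exposure(text):
    """List (share, mode, account) for shares an unknown user reaches once mapped to guest."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    mode = glob.get("map to guest", "Never").lower()  # smb.conf default is Never
    account = glob.get("guest account", "nobody")     # smb.conf default is nobody
    findings = []
    for name, opts in conf.items():
        if name == "global":
            continue
        # "public" is a synonym for "guest ok"; [global] supplies the share default.
        default = glob.get("guest ok", glob.get("public", "no"))
        flag = opts.get("guest ok", opts.get("public", default))
        if flag.lower() in TRUE_VALUES and mode != "never":
            findings.append((name, mode, account))
    return findings

if __name__ == "__main__":
    for share, mode, account in guest_exposure(SAMPLE_CONF):
        print(f"[{share}] reachable as '{account}' (map to guest = {mode})")
```
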
