[Samba] Again guest access and machine account...

Marco Gaiarin gaio at sv.lnf.it
Thu Feb 8 12:02:48 UTC 2018


I'm still fighting a bit with guest access to shares via machine
account.

Little fast rewind: I'm using samba 4.5.8+dfsg-2+deb9u1~bpo8+1 (Louis
packages), and I use an SCM system called WPKG to deploy and manage
Windows machines; that system does its work as the SYSTEM account on the
local Windows workstation.


If the machine account (say, MALCOBB$) has a valid UID/GID, the machine
account is used to log on to the shares; but I've now found that, if
there's no UID/GID, there's no fallback to the guest account; the log says:

 [2018/02/08 12:21:49.457857,  3, pid=2619, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
   Kerberos ticket principal name is [MALCOBB$@AD.FVG.LNF.IT]
 [2018/02/08 12:21:49.457896, 10, pid=2619, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:83(get_user_from_kerberos_info)
   Domain is [LNFFVG] (using PAC)
 [2018/02/08 12:21:49.457938,  4, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:362(map_username)
   Scanning username map /etc/samba/user.map
 [2018/02/08 12:21:49.457980, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:196(user_in_list)
   user_in_list: checking user LNFFVG\MALCOBB$ in list
 [2018/02/08 12:21:49.458018, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\Administrator|
 [2018/02/08 12:21:49.458051, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |LNFFVG\administrator|
 [2018/02/08 12:21:49.458073, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |Administrator|
 [2018/02/08 12:21:49.458095, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:201(user_in_list)
   user_in_list: checking user |LNFFVG\MALCOBB$| against |administrator|
 [2018/02/08 12:21:49.458124,  8, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/user_util.c:435(map_username)
   The user 'LNFFVG\MALCOBB$' has no mapping. Skip it next time.
 [2018/02/08 12:21:49.458150,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user LNFFVG\MALCOBB$
 [2018/02/08 12:21:49.458173,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is lnffvg\malcobb$
 [2018/02/08 12:21:49.458521,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is LNFFVG\MALCOBB$
 [2018/02/08 12:21:49.458752,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in lnffvg\malcobb$
 [2018/02/08 12:21:49.458796,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [LNFFVG\MALCOBB$]!
 [2018/02/08 12:21:49.458827,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user MALCOBB$
 [2018/02/08 12:21:49.458850,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is malcobb$
 [2018/02/08 12:21:49.459067,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is MALCOBB$
 [2018/02/08 12:21:49.459300,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in malcobb$
 [2018/02/08 12:21:49.459350,  5, pid=2619, effective(0, 0), real(0, 0)] ../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [MALCOBB$]!
 [2018/02/08 12:21:49.459489,  3, pid=2619, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
   get_user_from_kerberos_info: Username LNFFVG\MALCOBB$ is invalid on this system
 [2018/02/08 12:21:49.459520,  3, pid=2619, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
 [2018/02/08 12:21:49.459588,  3, pid=2619, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
 [2018/02/08 12:21:49.459627, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
   smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
 [2018/02/08 12:21:49.459663, 10, pid=2619, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:912(smb2_set_operation_credit)
   smb2_set_operation_credit: requested 31, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/2/1

Share is simply defined as:

 [wpkg]
        comment = WPKG Automated Software Deploying System
        path = /srv/samba/wpkg
        guest ok = yes
        browseable = no
        writable = no  
        force create mode = 0664
        force directory mode = 2775
        wide links = yes

and the only way I've found to ''solve'' this is to define:

	map to guest = Bad Uid

(normally I use 'Bad User'), which confirms to me that Samba tries to map
the machine account to a UID/GID and fails.


But... why does Samba not fall back to guest access? Can someone explain
this to me? Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
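
One way to audit for the condition the log above shows, accounts that pass Kerberos authentication but have no Unix UID/GID, before deciding whether to change `map to guest` (an added example, not part of the original post or of Samba). It assumes the smbd log format quoted above; the pid=2700 record and the host name EXAMPLEPC$ are constructed.

```python
import re

# Header line of an smbd debug record: [timestamp, level, pid=N, ...] file:line(function)
HEADER = re.compile(
    r"^\s*\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),"
    r"[^\]]*\]\s+\S+:\d+\((?P<func>\w+)\)")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")

# Excerpt of the log quoted in the post, plus one constructed record (pid=2700).
SAMPLE_LOG = r"""
[2018/02/08 12:21:49.457857,  3, pid=2619, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [MALCOBB$@AD.FVG.LNF.IT]
[2018/02/08 12:21:49.459489,  3, pid=2619, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username LNFFVG\MALCOBB$ is invalid on this system
[2018/02/08 12:21:49.459588,  3, pid=2619, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/02/08 12:30:00.000000,  3, pid=2700, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [EXAMPLEPC$@AD.FVG.LNF.IT]
"""

def records(text):
    """Yield (pid, function, message) using the first message line after each header."""
    header = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m
        elif header and line.strip():
            yield int(header["pid"]), header["func"], line.strip()
            header = None

def unmapped_logons(text):
    """Return, per smbd pid, accounts that passed Kerberos but have no Unix user."""
    principal, findings = {}, {}
    for pid, _func, msg in records(text):
        if (m := PRINCIPAL.search(msg)):
            principal[pid] = m.group(1)
        elif (m := INVALID.search(msg)):
            findings[pid] = {"pid": pid, "principal": principal.get(pid),
                             "account": m.group(1), "denied": False}
        elif pid in findings and "NT_STATUS_ACCESS_DENIED" in msg:
            findings[pid]["denied"] = True   # session setup was refused afterwards
    return list(findings.values())

if __name__ == "__main__":
    for finding in unmapped_logons(SAMPLE_LOG):
        print(finding)
```

The accounts it reports are the ones that would reach the share as the guest account if `map to guest = Bad Uid` were set.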


