[Samba] Access to Windows 2016 server works with IP but not with netbios name

Rob Marshall rob.marshall17 at gmail.com
Fri Jan 12 23:34:35 UTC 2018 

Hi,

Here's a modified (to protect the customer's information) truncated
smb.conf that, for the most part, mirrors what they have:

[global]
        log level = 3
        os level = 1
        security = ADS
        server string = TEST CIFS Server
        workgroup = WG
        netbios name = FRED1
        realm = WB.DOM-NAME.COM
        idmap config * : range = 10000-20000
        log file = /var/log/samba/%m.log
        encrypt passwords = yes
        syslog = 1
        winbind enum users = no
        winbind enum groups = no
        winbind use default domain = yes
        wins support = yes
        printcap name = /dev/null
        socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
        strict sync = yes
        oplocks = yes
        kernel oplocks = no
        wide links = yes
        deadtime = 1
        case sensitive = no
        map to guest = bad user
        guest account = nobody
        unix extensions = no

[TestShare]
        comment = Test Share for further testing
        path = /cifs/TestShare_test
        hosts allow =ALL
        hosts deny = ALL
        browseable = yes
        writeable = no
        directory mask = 0777
        force user = cifs_user
        guest ok = No
        valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
        write list = @WG\dl_fred1_testshare_m

My questions are:

1) What does the error:

string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format

mean?

2) For the connections using the NETBIOS name, I see lots of messages
similar to:

[2018/01/12 23:10:38.716169,  2]
smbd/service.c:627(create_connection_session_info)
  user 'WG\testuser01' (from session setup) not permitted to access
this share (TestShare)
[2018/01/12 23:10:38.716216,  1] smbd/service.c:805(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2018/01/12 23:10:38.716260,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Given the above smb.conf is it possible that the attempts using the IP
address, rather than the NETBIOS name, are being allowed access (in
this case read only) because Samba can't determine who the user is and
is, therefore, allowing some sort of guest access? I don't really have
any other way to explain why the access via the NETBIOS name, which
appears to correctly see that the user doesn't have access to the
share, fails and the access via the IP address works. Does that even
make sense?

Thanks,

Rob

On Fri, Jan 12, 2018 at 1:45 PM, Luke Barone via samba
<samba at lists.samba.org> wrote:
> In a perfect world, SysVol would be on an AD Domain Controller, but there
> are people on here who do things out of the perfect world ;-)
>
> If the answer was yes though, then I would be able to post the Reg Setting
> to enable access from Windows 10 and above to those shares. I needed to
> apply it as we are still running PDCs in almost every site. Trust me, I
> can't wait to roll out AD
>
> On Fri, Jan 12, 2018 at 9:29 AM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 12 Jan 2018 09:21:42 -0800
>> Luke Barone <lukebarone at gmail.com> wrote:
>>
>> > As well as what share... Are you trying to access the \\*\netlogon or
>> > \\*\sysvol shares of a PDC?
>> >
>>
>> There wouldn't be a sysvol share on a PDC, or do you mean a DC ?
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list