[Samba] Access to Windows 2016 server works with IP but not with netbios name
Rowland Penny
rpenny at samba.org
Sat Jan 13 09:00:10 UTC 2018
On Fri, 12 Jan 2018 18:34:35 -0500
Rob Marshall <rob.marshall17 at gmail.com> wrote:
> Hi,
>
> Here's a modified (to protect the customer's information) truncated
> smb.conf that, for the most part, mirrors what they have:
>
> [global]
> log level = 3
> os level = 1
> security = ADS
> server string = TEST CIFS Server
> workgroup = WG
> netbios name = FRED1
> realm = WB.DOM-NAME.COM
> idmap config * : range = 10000-20000
> log file = /var/log/samba/%m.log
> encrypt passwords = yes
> syslog = 1
> winbind enum users = no
> winbind enum groups = no
> winbind use default domain = yes
> wins support = yes
> printcap name = /dev/null
> socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
> strict sync = yes
> oplocks = yes
> kernel oplocks = no
> wide links = yes
> deadtime = 1
> case sensitive = no
> map to guest = bad user
> guest account = nobody
> unix extensions = no
>
> [TestShare]
> comment = Test Share for further testing
> path = /cifs/TestShare_test
> hosts allow =ALL
> hosts deny = ALL
> browseable = yes
> writeable = no
> directory mask = 0777
> force user = cifs_user
> guest ok = No
> valid users = @WG\dl_fred1_testshare_m, @WG\dl_fred1_testshare_r
> write list = @WG\dl_fred1_testshare_m
>
> My questions are:
>
> 1) What does the error:
>
> string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
>
> mean?
>
> 2) For the connections using the NETBIOS name, I see lots of messages
> similar to:
>
> [2018/01/12 23:10:38.716169, 2]
> smbd/service.c:627(create_connection_session_info)
> user 'WG\testuser01' (from session setup) not permitted to access
> this share (TestShare)
> [2018/01/12 23:10:38.716216, 1]
> smbd/service.c:805(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/12 23:10:38.716260, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
>
> Given the above smb.conf is it possible that the attempts using the IP
> address, rather than the NETBIOS name, are being allowed access (in
> this case read only) because Samba can't determine who the user is and
> is, therefore, allowing some sort of guest access? I don't really have
> any other way to explain why the access via the NETBIOS name, which
> appears to correctly see that the user doesn't have access to the
> share, fails and the access via the IP address works. Does that even
> make sense?
>
> Thanks,
>
You do not seem to have correct authentication lines, you have:

idmap config * : range = 10000-20000

I would expect to see something like this:

## map ids outside of domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

Also are the 'passwd' & 'group' lines in /etc/nsswitch.conf set up to
use winbind ?

Rowland
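
The idmap layout suggested in the reply above, written as a check over smb.conf text (an added example, not part of the original thread and not Samba code). It reports a missing explicit backend, a workgroup with no idmap config of its own, and overlapping ranges; the name idmap_findings and both sample configs are constructed here, and it assumes the workgroup name is the domain name used in the idmap lines, as with the reply's SAMDOM placeholder.

```python
import re
from itertools import combinations

IDMAP_KEY = re.compile(r"idmap\s+config\s+(.+?)\s*:\s*(.+)", re.I)

def idmap_findings(text):
    """Compare [global] idmap settings with the layout the reply suggests."""
    section, workgroup, domains = None, "", {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        # Skip blanks, comments, section headers and other sections.
        if section != "global" or "=" not in line or line[0] in "#;[":
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_KEY.fullmatch(key)
        if m:
            domains.setdefault(m[1].upper(), {})[m[2].lower()] = value
        elif key.lower() == "workgroup":
            workgroup = value.upper()
    findings, ranges = [], []
    if workgroup and workgroup not in domains:
        findings.append(f"no domain-specific idmap config for {workgroup}")
    for dom, opts in sorted(domains.items()):
        if "backend" not in opts:
            findings.append(f"idmap config {dom}: no explicit backend")
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges.append((int(m[1]), int(m[2]), dom))
        else:
            findings.append(f"idmap config {dom}: no valid range")
    for (lo1, hi1, d1), (lo2, hi2, d2) in combinations(ranges, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"idmap ranges for {d1} and {d2} overlap")
    return findings

# Constructed from the [global] lines quoted in the post.
POSTED = """[global]
workgroup = WG
idmap config * : range = 10000-20000
"""
# Constructed from the reply; SAMDOM is its placeholder domain name.
SUGGESTED = """[global]
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""
```

idmap_findings(POSTED) returns the two deviations the reply points at, and idmap_findings(SUGGESTED) returns an empty list.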