[Samba] Access to Windows 2016 server works with IP but not with netbios name

Rowland Penny rpenny at samba.org
Sat Jan 13 09:00:10 UTC 2018 

On Fri, 12 Jan 2018 18:34:35 -0500
Rob Marshall <rob.marshall17 at gmail.com> wrote:

> Hi,
> 
> Here's a modified (to protect the customer's information) truncated
> smb.conf that, for the most part, mirrors what they have:
> 
> [global]
>         log level = 3
>         os level = 1
>         security = ADS
>         server string = TEST CIFS Server
>         workgroup = WG
>         netbios name = FRED1
>         realm = WB.DOM-NAME.COM
>         idmap config * : range = 10000-20000
>         log file = /var/log/samba/%m.log
>         encrypt passwords = yes
>         syslog = 1
>         winbind enum users = no
>         winbind enum groups = no
>         winbind use default domain = yes
>         wins support = yes
>         printcap name = /dev/null
>         socket options = SO_RCVBUF=65536 SO_SNDBUF=65536
>         strict sync = yes
>         oplocks = yes
>         kernel oplocks = no
>         wide links = yes
>         deadtime = 1
>         case sensitive = no
>         map to guest = bad user
>         guest account = nobody
>         unix extensions = no
> 
> [TestShare]
>         comment = Test Share for further testing
>         path = /cifs/TestShare_test
>         hosts allow =ALL
>         hosts deny = ALL
>         browseable = yes
>         writeable = no
>         directory mask = 0777
>         force user = cifs_user
>         guest ok = No
>         valid users = @WG\dl_fred1_testshare_m,
> @WG\dl_fred1_testshare_r write list = @WG\dl_fred1_testshare_m
> 
> My questions are:
> 
> 1) What does the error:
> 
> string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
> 
> mean?
> 
> 2) For the connections using the NETBIOS name, I see lots of messages
> similar to:
> 
> [2018/01/12 23:10:38.716169,  2]
> smbd/service.c:627(create_connection_session_info)
>   user 'WG\testuser01' (from session setup) not permitted to access
> this share (TestShare)
> [2018/01/12 23:10:38.716216,  1]
> smbd/service.c:805(make_connection_snum)
> create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/12 23:10:38.716260,  3] smbd/error.c:81(error_packet_set)
> error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
> NT_STATUS_ACCESS_DENIED
> 
> Given the above smb.conf is it possible that the attempts using the IP
> address, rather than the NETBIOS name, are being allowed access (in
> this case read only) because Samba can't determine who the user is and
> is, therefore, allowing some sort of guest access? I don't really have
> any other way to explain why the access via the NETBIOS name, which
> appears to correctly see that the user doesn't have access to the
> share, fails and the access via the IP address works. Does that even
> make sense?
> 
> Thanks,
> 

You do not seem to have correct authentication lines, you have:

idmap config * : range = 10000-20000

I would expect to see something like this:

    ## map ids outside of domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999

Also are the 'passwd' & 'group' lines in /etc/nsswitch.conf set up to
use winbind ?

Rowland

More information about the samba mailing list