[Samba] Access to Windows 2016 server works with IP but not with netbios name
Gaeseric Vandal
gaiseric.vandal at gmail.com
Sun Jan 14 16:43:00 UTC 2018
Just for reference, on a working Samba 4.x server in an AD domain I have the following entries:
Idmap config *:backend = tdb
Idmap config *:range = 2000-2999
Idmap config MYDOMAIN:backend = ad
Idmap config MYDOMAIN:schema_mode = rfc2307
Idmap config *:range = 1000-1999
I use Active Directory users and groups to explicitly set the uid and gid numbers (this was to keep everything happy when migrating from a classic domain.) The "*" range in idmap will handle accounts that are not in the domain (of which there really shouldn't be any.)
The "getent passwd" command verifies that the winbind entry in nsswitch is working. You should also find that "wbinfo -n someuser" and "wbinfo -n YOURDOMAIN\someuser" return the same SID. And "wbinfo -s someid" should return the correct "YOURDOMAIN\someuser" value.
I really don't understand why this should behave differently when connecting to server IP vs server name. The various logs on the samba server should show if you are seeing connection attempts from "YOURDOMAIN\someuser" or from "someuser", and whether it is maybe mapping the users differently. You might need to bump up the logging level.
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Sunday, January 14, 2018 3:38 AM
To: samba at lists.samba.org
Cc: Rob Marshall <rob.marshall17 at gmail.com>
Subject: Re: [Samba] Access to Windows 2016 server works with IP but not with netbios name
On Sat, 13 Jan 2018 19:12:14 -0500
Rob Marshall via samba <samba at lists.samba.org> wrote:
> Hi,
>
> When I initially tested the "getent passwd testuser01" I got nothing
> back. I then did: "getent passwd "wg\testuser01"" and got the entry. A
> "troubleshooting" wiki I was reading suggested adding: "winbind use
> default domain = yes" to fix that. I added that and was then able to
> lookup the user without needing the "wg\".
>
> In looking at the sources for libcli/security/dom_sid.c, which is
> where the "invalid format" messages are displayed, I'm a bit confused.
> That function seems to be assuming it's received an actual SID and not
> the group designation. Does anyone know why it would be checking the
> @WG\dl_fred1_testshare_r?
>
> Also, as I mentioned earlier, I only see the NT_STATUS_ACCESS_DENIED
> when using the NETBIOS name to try and access the share. When using
> the IP address it doesn't seem to be checking much of anything, but
> allows access (at least read access) to the share. For example when
> using the NETBIOS name I see it checking the kerberos ticket, which is
> NOT happening when using the IP address.
>
> Again, does the assumption make any sense that when using the IP
> address the user is being granted some sort of "guest" access but when
> using the NETBIOS (or FQDN) name the authentication is actually being
> checked and failing for some reason?
>
> Thanks,
>
> Rob
>
I will say it again, your smb.conf is incorrect, you are putting EVERYTHING into the '*' domain, please read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and this:
https://wiki.samba.org/index.php/Idmap_config_rid
Rowland
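
An added example, not part of either message and not Samba code: a small check for the condition raised above, where the joined domain has no idmap config of its own and every account falls into '*'. It also flags repeated keys, missing ranges and overlapping ranges between domains. The function name lint_idmap and the sample ranges are assumptions made for the illustration; WG is the domain name used in the thread.

```python
import re
from collections import defaultdict
from itertools import combinations

IDMAP = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*([^=]+?)\s*=\s*(.*\S)\s*$", re.I)
WORKGROUP = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")

def lint_idmap(conf_text):
    """Return findings for the idmap settings in the text of an smb.conf."""
    findings, workgroup, opts = [], None, defaultdict(dict)
    for line in conf_text.splitlines():          # commented-out lines never match
        if (wg := WORKGROUP.match(line)):
            workgroup = wg.group(1).upper()
        if not (m := IDMAP.match(line)):
            continue
        domain, option = m.group(1).upper(), m.group(2).lower()
        if option in opts[domain]:
            findings.append(f"{domain}: '{option}' is set more than once")
        opts[domain][option] = m.group(3)
    # The domain the server is joined to needs a mapping of its own.
    if workgroup and workgroup not in opts:
        findings.append(f"{workgroup}: no idmap config, its accounts fall into '*'")
    ranges = {}
    for domain, o in sorted(opts.items()):
        r = RANGE.fullmatch(o.get("range", ""))
        if not r or int(r.group(1)) > int(r.group(2)):
            findings.append(f"{domain}: missing or malformed range")
        else:
            ranges[domain] = (int(r.group(1)), int(r.group(2)))
    # ID ranges of different domains must not overlap.
    for a, b in combinations(ranges, 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"{a} and {b}: ranges overlap")
    return findings

# Constructed samples: the ranges are made up for the illustration.
ALL_IN_STAR = """workgroup = WG
idmap config * : backend = rid
idmap config * : range = 10000-999999
"""
SPLIT = """workgroup = WG
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config WG : backend = rid
idmap config WG : range = 10000-999999
"""
if __name__ == "__main__":
    print(lint_idmap(ALL_IN_STAR), lint_idmap(SPLIT))
```
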