[Samba] Access to Windows 2016 server works with IP but not with netbios name

Rowland Penny rpenny at samba.org
Mon Jan 15 19:01:59 UTC 2018


On Mon, 15 Jan 2018 13:15:07 -0500
Rob Marshall <rob.marshall17 at gmail.com> wrote:

> Hi Rowland,
> 
> I'm sorry if I just didn't understand what you were saying. I know
> next to nothing about Samba and I'm looking at a customer environment.
> I happen to support a product that includes Samba (which is stuck at a
> 3.6.x variant because it's stuck on an old OS), but I have no real
> experience with it. The customer is stating that they changed from a
> Window 2008 server to a Windows 2016 server in Windows 2008
> compatibility mode. I got involved because, even though we don't
> support this configuration, the customer wants it to work. And I
> happen to be "where the buck stops" for all things related to the
> product I support.
> 
> Based on what I read, it seems like the only thing missing from the
> customer's smb.conf was:
> 
> idmap config * : backend = tab
> 
> OR, were you saying that they should NOT be using '*' and should
> instead specify the domain explicitly? Since I wasn't sure I tried
> (this is output from testparm -v after making various changes):
> 
> Initially just add the above backend parameter:
> 
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm.out
> ldap idmap suffix =
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid =
> idmap gid =
> idmap config * : range = 10000-20000
> idmap config * : backend = tdb
> 
> After restarting Samba and attempting to access the share I received
> the same error, i.e.:
> 
> [2018/01/15 18:24:14.986326,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID @WG\dl_fred1_testshare_m is not in a valid format
> [2018/01/15 18:24:15.010177,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
>   string_to_sid: SID @WG\dl_fred1_testshare_r is not in a valid format
> [2018/01/15 18:24:15.016152,  2] smbd/service.c:627(create_connection_session_info)
>   user 'WG\testuser01' (from session setup) not permitted to access this share (TestShare)
> [2018/01/15 18:24:15.016215,  1] smbd/service.c:805(make_connection_snum)
>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> [2018/01/15 18:24:15.016266,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
> 
> I then changed smb.conf to explicitly use the domain name:
> 
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm_post_explicit_domain.out
> ldap idmap suffix =
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid =
> idmap gid =
> idmap config PC.BGU-MURNAU.DE : range = 10000-20000
> idmap config PC.BGU-MURNAU.DE : backend = tdb
> idmap config * : backend = tdb
> 
> But the error didn't change.
> 
> I then changed the backend to be "ad":
> 
> rob at robs-xubuntu2: [MTI_Samba]$ grep idmap testparm_post_backend_ad.out
> ldap idmap suffix =
> idmap backend = tdb
> idmap cache time = 604800
> idmap negative cache time = 120
> idmap uid =
> idmap gid =
> idmap config PC.BGU-MURNAU.DE : range = 10000-20000
> idmap config PC.BGU-MURNAU.DE : backend = ad
> idmap config * : backend = tdb
> 
> But, again, same error.
> 
> Sorry to be a bother on this, and I really appreciate your help, but I
> don't know what to check next.
> 

I take it you didn't understand the wiki pages I pointed you to ;-)

Let's start with the premise that there are only standard Windows attributes
in AD and no rfc2307 attributes.

If this is the case, you need something like this in smb.conf:

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config PC.BGU-MURNAU.DE : backend = rid
    idmap config PC.BGU-MURNAU.DE : range = 10000-999999

The '*' domain is where the well known SIDs are mapped.
The 'PC.BGU-MURNAU.DE' domain is where your domain users & groups are
mapped.
With this setup, winbind will automatically calculate the Unix ID from
the object's RID and these numbers will be inside the range set in
smb.conf (in this case 10000-999999). Provided you use the same
smb.conf on all Unix domain members (hint: do not set 'netbios name',
Samba will do it for you), you will always get the same IDs.
You definitely do not want 'idmap uid' and 'idmap gid', these are
deprecated and replaced by 'idmap config'.
You also do not need to set any 'idmap' lines other than the ones above.

If you still cannot get your head around this, cut and paste your
entire smb.conf into an email (you can sanitise it if you want) and then
send it to me directly (i.e. not to the list) and I will change it so it
should work.

Rowland
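The following script is an added example and is not code from Rowland, Rob or the Samba project. It pulls the `idmap config` lines out of an smb.conf fragment, flags the deprecated `idmap uid`/`idmap gid` parameters that still showed up in Rob's testparm output, checks that the `*` domain and the AD domain each have a backend and a range and that no two ranges overlap, and reproduces the arithmetic the `rid` backend uses to turn a SID into a Unix ID (range low plus the RID, with the default `base_rid` of 0; an ID that lands outside the range is refused, which is what winbind does). The smb.conf text, the domain name reused from the thread and the SIDs are constructed sample values; the function names are my own.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

Range = Tuple[int, int]

# Constructed sample smb.conf fragment: the idmap lines from the reply above,
# plus the two deprecated parameters that were still present in Rob's
# testparm output. Values are made up for the example.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WG
    realm = PC.BGU-MURNAU.DE
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config PC.BGU-MURNAU.DE : backend = rid
    idmap config PC.BGU-MURNAU.DE : range = 10000-999999
"""

# 'idmap config DOMAIN : option = value' (DOMAIN may be '*')
IDMAP_CONFIG_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)
# The old global parameters that 'idmap config' replaced.
DEPRECATED_RE = re.compile(r"^\s*idmap\s+(uid|gid)\s*=", re.IGNORECASE)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, Any]]:
    """Collect the idmap config options per domain.

    Domain names are upper-cased because Samba matches them case-insensitively;
    a 'range' value is stored as a (low, high) tuple of ints.
    """
    cfg: Dict[str, Dict[str, Any]] = {}
    for line in text.splitlines():
        m = IDMAP_CONFIG_RE.match(line)
        if not m:
            continue
        entry = cfg.setdefault(m.group("dom").upper(), {})
        opt, val = m.group("opt").lower(), m.group("val")
        if opt == "range":
            low, high = (int(x) for x in re.split(r"\s*-\s*", val, maxsplit=1))
            entry["range"] = (low, high)
        else:
            entry[opt] = val.lower()
    return cfg


def deprecated_lines(text: str) -> List[str]:
    """Return any 'idmap uid' / 'idmap gid' lines so they can be removed."""
    return [l.strip() for l in text.splitlines() if DEPRECATED_RE.match(l)]


def check_idmap(cfg: Dict[str, Dict[str, Any]], domain: str) -> List[str]:
    """Sanity-check the layout: '*' and the domain both configured, ranges sane."""
    problems: List[str] = []
    star = cfg.get("*", {})
    if "backend" not in star or "range" not in star:
        problems.append("'*' needs a backend and a range (well-known SIDs map there)")
    dom = cfg.get(domain.upper(), {})
    if "backend" not in dom or "range" not in dom:
        problems.append(f"{domain} needs a backend and a range")
    ranges: List[Tuple[str, Range]] = [
        (d, e["range"]) for d, e in cfg.items() if "range" in e
    ]
    for d, (lo, hi) in ranges:
        if lo > hi:
            problems.append(f"{d}: range {lo}-{hi} is inverted")
    # Overlapping ranges let two different SIDs claim the same Unix ID.
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems


def rid_to_unix_id(sid: str, cfg: Dict[str, Dict[str, Any]], domain: str) -> Optional[int]:
    """Mirror the rid backend: unix id = range low + RID (base_rid 0).

    Returns None if the domain is not on the rid backend or the result would
    fall outside the configured range, in which case winbind will not map it.
    """
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    rid = int(sid.rsplit("-", 1)[1])  # the RID is the last SID component
    low, high = entry["range"]
    unix_id = low + rid
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("deprecated lines:", deprecated_lines(SAMPLE_SMB_CONF))
    print("problems:", check_idmap(cfg, "PC.BGU-MURNAU.DE"))
    # constructed SID; only the trailing RID matters for the rid backend
    print("RID 1106 ->", rid_to_unix_id("S-1-5-21-111-222-333-1106", cfg, "PC.BGU-MURNAU.DE"))
```

Running it on a config laid out like Rob's (both `*` and the domain on `tdb` with the same 10000-20000 range) makes `check_idmap` report the overlap, and `rid_to_unix_id` returns `None` because that domain is not on the `rid` backend; with the layout from the reply every domain object lands at 10000 plus its RID, identically on every member that shares the smb.conf.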


