[Samba] Cannot authenticate as guest to domain-joined Samba 4.7.0 fileserver when map untrusted to domain = auto

Rowland Penny rpenny at samba.org
Tue Jul 17 19:29:59 UTC 2018


On Tue, 17 Jul 2018 13:53:41 -0500 (CDT)
Andrew Martin <amartin at xes-inc.com> wrote:

> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "samba" <samba at lists.samba.org>
> > Sent: Tuesday, July 17, 2018 2:54:17 AM
> > Subject: Re: [Samba] Cannot authenticate as guest to domain-joined
> > Samba 4.7.0 fileserver when map untrusted to domain = auto
> 
> > On Mon, 16 Jul 2018 16:47:57 -0500 (CDT)
> > Andrew Martin via samba <samba at lists.samba.org> wrote:
> > 
> >> Hello,
> >> 
> >> I just upgraded Samba on a fileserver from 4.6.8 to 4.7.0; this
> >> fileserver is joined to a Samba4 AD Domain. I have configured the
> >> following options to allow guest access to a share:
> >> 
> >> [global]
> >>     guest account = nobody
> >>     map to guest = Bad User
> >> 
> >> [Share]
> >>     guest ok = yes
> >> 
> >> When attempting to connect from a local account on a Windows 7
> >> client (the client is joined to the domain but the local account
> >> is local to the machine), I can no longer connect as a guest to
> >> this share, receiving STATUS_LOGON_FAILURE. Looking into it
> >> further, I can successfully authenticate as a guest if I specify
> >> the AD domain name (EXAMPLE.COM) or the hostname of the fileserver
> >> (FILESERVER) but NOT if I use the hostname of the Windows 7 client
> >> (WINDOWS7CLIENT):
> >> 
> >> $ smbclient -WEXAMPLE.COM -L //fileserver/share -ULocalWindowsUser%
> >> # this works
> >> 
> >> $ smbclient -WFILESERVER -L //fileserver/share -ULocalWindowsUser%
> >> # this works
> >> 
> >> $ smbclient -WWINDOWS7CLIENT -L //fileserver/share -ULocalWindowsUser%
> >> session setup failed: NT_STATUS_LOGON_FAILURE
> >> 
> >> I think setting "map untrusted to domain = no" will resolve this
> >> problem since the user will get mapped to
> >> FILESERVER\LocalWindowsUser instead of
> >> WINDOWS7CLIENT\LocalWindowsUser as it is now when set to "auto",
> >> however this is not a long-term solution since it looks like this
> >> option is being removed in Samba 4.8. How can I allow a local
> >> Windows user to authenticate as a guest to this share?
> >> 
> >> 
> >> Thanks,
> >> 
> >> Andrew
> >> 
> > 
> > Have you tried not using '-W' ?
> > 
> > You talk about 'authenticating' as guest, but this is the last thing
> > that will happen, if a user connects to a share with an invalid
> > password it will be rejected, unless the user is also invalid (i.e.
> > unknown), if so the user is silently mapped to guest. There is no
> > authentication involved, exactly the opposite ;-)
> > 
> > Rowland
> > 
> 
> Rowland,
> 
> Yes, if I do not use '-W' then it works as expected, mapping to the
> guest account. However, the use case I am trying to make work is 
> having a local account on a Windows 7 client access the share as
> guest. Windows will always pass along the workgroup of the local
> account so there's no way for me to omit it. How can I allow
> successful guest mapping in this case?
> 
> Thanks,
> 
> Andrew

I see what you are getting at, the Windows PC is sending
ANOTHERWORKGROUP\username to a Samba machine that expects
WORKGROUP\username and is being rejected.

man smb.conf says this about 'map to guest = Bad User':

Means user logins with an invalid password
are rejected, unless the username does not exist, in
which case it is treated as a guest login and mapped
into the guest account.

So from my reading, never mind an invalid password, the user
'ANOTHERWORKGROUP\username' will not exist on the Samba machine with the
'WORKGROUP' workgroup, so it should get mapped to guest. If it doesn't
then it sounds like a bug, so can you please open a bug report.

Rowland


