[Samba] DM: samba 4.5 -> 4.8, guest access and machine account access troubles.

L.P.H. van Belle belle at bazuin.nl
Mon Sep 24 10:17:31 UTC 2018


Hi Marco, 

A few pointers. 
First, is the time in sync? I guess it is, but check it.

Second: 
Guest access enabled on a domain-joined PC? 
If you really, really want that, then enable the guest user in the AD too. 

But it is better to avoid guest access completely. 
Join the domain, don't allow guest access and configure it correctly; 
that's the best tip I can give for the software deployment share. 

  [wpkg]
	path = /srv/samba/wpkg
	browseable = No
	comment = WPKG Automated Software Deploying System
	acl_xattr:ignore system acls = yes
	acl_xattr:default acl style = windows
	wide links = Yes


Now set up the share from a Windows client. 
On the Share tab: activate sharing. 
- Allow read access to that share for the special group "Domain Computers", or to everyone, and write access for yourself.
- On the Security tab: grant read access to the special group "Domain Computers", or to everyone, and write access for yourself.

And try again. 

Greetz, 

Louis
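An added example, not from Louis's or Marco's mail and not Samba's own tooling: a small smb.conf reader that flags the guest-related settings the reply advises against, run over a constructed excerpt that puts Marco's [wpkg] share next to a share written along the lines above.

```python
# Constructed smb.conf excerpt: Marco's [wpkg] share (guest ok = Yes, map to guest =
# Bad User in [global]) beside a share written the way the reply suggests.
SMB_CONF = """
[global]
    map to guest = Bad User

[wpkg]
    path = /srv/samba/wpkg
    browseable = No
    guest ok = Yes
    wide links = Yes

[wpkg-hardened]
    path = /srv/samba/wpkg
    browseable = No
    acl_xattr:ignore system acls = yes
    acl_xattr:default acl style = windows
    wide links = Yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key (lower-cased): value}}; '#'/';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf[section] = {}
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def is_true(value):  # Samba boolean parameters accept yes/true/1, case-insensitive
    return value.strip().lower() in ("yes", "true", "1")

def audit_guest_access(conf):
    """Settings that let unauthenticated clients onto a share: 'map to guest' (default Never) picks
    which failed logons become guest ('Bad User' = unknown usernames only); 'guest ok'/'public' opens it."""
    g = conf.get("global", {})
    findings = []
    if g.get("map to guest", "never").lower() != "never":
        findings.append(f"[global] map to guest = {g['map to guest']}: some failed logons become guest")
    for name, share in conf.items():
        if name != "global" and is_true(share.get("guest ok", share.get("public", "no"))):
            findings.append(f"[{name}] guest ok = yes: guest can reach {share.get('path', '?')}")
    return findings
```

Running `audit_guest_access(parse_smb_conf(open("/etc/samba/smb.conf").read()))` on a real server lists every guest-reachable share; the hardened share above produces no finding.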

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Monday 24 September 2018 11:44
> To: samba at lists.samba.org
> Subject: [Samba] DM: samba 4.5 -> 4.8, guest access and 
> machine account access troubles.
> 
> 
> I've just upgraded my DM from samba 4.5 to 4.8, using Louis's repos
> (also, Debian jessie -> stretch).
> 
> I'm experiencing some troubles on some shares; it seems that both guest
> access and 'machine account' access do not work.
> 
> The share is rather simple:
> 
>  [wpkg]
> 	browseable = No
> 	comment = WPKG Automated Software Deploying System
> 	force create mode = 0664
> 	force directory mode = 02775
> 	guest ok = Yes
> 	path = /srv/samba/wpkg
> 	wide links = Yes
> 
> 
> I've got two troubles.
> 
> 
> a) It seems there's no more guest access on the share. E.g., if I use the
> local administrator user to access the share, I get 'access denied'.
> Logs say:
> 
> [2018/09/24 11:31:02.650786,  3] 
> ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user 
> [unci-unci]\[Administrator]@[UNCI-UNCI] with the new password 
> interface
> [2018/09/24 11:31:02.650799,  3] 
> ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [unci-unci]\[root]@[UNCI-UNCI]
> [2018/09/24 11:31:02.650811,  5] ../lib/util/util.c:514(dump_data)
>   [0000] 4B 1E 50 9E 92 74 FA 9C                             K.P..t.. 
> [2018/09/24 11:31:02.650833,  4] 
> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2018/09/24 11:31:02.650846,  4] 
> ../source3/smbd/uid.c:493(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2018/09/24 11:31:02.650859,  4] 
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2018/09/24 11:31:02.650871,  5] 
> ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2018/09/24 11:31:02.650882,  5] 
> ../source3/auth/token_util.c:810(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2018/09/24 11:31:02.652805,  4] 
> ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2018/09/24 11:31:02.652840,  5] 
> ../source3/auth/auth.c:251(auth_check_ntlm_password)
>   auth_check_ntlm_password: winbind authentication for user 
> [Administrator] FAILED with error NT_STATUS_WRONG_PASSWORD, 
> authoritative=1
> [2018/09/24 11:31:02.652887,  2] 
> ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user 
> [Administrator] -> [root] FAILED with error 
> NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2018/09/24 11:31:02.652917,  2] 
> ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [unci-unci]\[Administrator] at 
> [lun, 24 set 2018 11:31:02.652908 CEST] with [NTLMv2] status 
> [NT_STATUS_WRONG_PASSWORD] workstation [UNCI-UNCI] remote 
> host [ipv4:10.5.2.145:63155] mapped to [unci-unci]\[root]. 
> local host [ipv4:10.5.1.26:445] 
> [2018/09/24 11:31:02.653242,  2] ../auth/auth_log.c:220(log_json)
>   JSON Authentication: {"timestamp": 
> "2018-09-24T11:31:02.653150+0200", "type": "Authentication", 
> "Authentication": {"version": {"major": 1, "minor": 0}, 
> "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": 
> "ipv4:10.5.1.26:445", "remoteAddress": 
> "ipv4:10.5.2.145:63155", "serviceDescription": "SMB2", 
> "authDescription": null, "clientDomain": "unci-unci", 
> "clientAccount": "Administrator", "workstation": "UNCI-UNCI", 
> "becameAccount": null, "becameDomain": null, "becameSid": 
> "(NULL SID)", "mappedAccount": "root", "mappedDomain": 
> "unci-unci", "netlogonComputer": null, 
> "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
> "0x00000000", "netlogonSecureChannelType": 0, 
> "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
> [2018/09/24 11:31:02.653281,  5] 
> ../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
>   Checking NTLMSSP password for unci-unci\Administrator 
> failed: NT_STATUS_WRONG_PASSWORD, authoritative=1
> [2018/09/24 11:31:02.653299,  5] 
> ../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
>   ntlmssp_server_auth_send: Checking NTLMSSP password for 
> unci-unci\Administrator failed: NT_STATUS_WRONG_PASSWORD
> [2018/09/24 11:31:02.653324,  4] 
> ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/09/24 11:31:02.653375,  5] 
> ../auth/gensec/gensec.c:492(gensec_update_done)
>   gensec_update_done: ntlmssp[0x5594f5555760]: 
> NT_STATUS_WRONG_PASSWORD
> [2018/09/24 11:31:02.653409,  3] 
> ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
>   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) 
> login failed: NT_STATUS_WRONG_PASSWORD
> [2018/09/24 11:31:02.653427,  5] 
> ../auth/gensec/gensec.c:492(gensec_update_done)
>   gensec_update_done: spnego[0x5594f5554d20]: NT_STATUS_WRONG_PASSWORD
> [2018/09/24 11:31:02.653444,  4] 
> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2018/09/24 11:31:02.653459,  4] 
> ../source3/smbd/uid.c:493(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2018/09/24 11:31:02.653472,  4] 
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2018/09/24 11:31:02.653485,  5] 
> ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> 
> Clearly, I have 'map to guest = Bad User' in [global].
> 
> 
> b) Most of the WPKG scripts access the share as the SYSTEM user, e.g.
> using the machine account; it seems this does not work anymore, even if
> the user seems mapped correctly and the share permissions have
> 'everyone' set.
> 
> The relevant log here seems to be:
> 
> [2018/09/24 11:20:29.023447,  3] 
> ../lib/util/access.c:365(allow_access)
>   Allowed connection from 10.5.2.145 (10.5.2.145)
> [2018/09/24 11:20:29.023511,  3] 
> ../source3/smbd/service.c:595(make_connection_snum)
>   Connect path is '/srv/samba/wpkg' for service [wpkg]
> [2018/09/24 11:20:29.023558,  3] 
> ../source3/smbd/vfs.c:113(vfs_init_default)
>   Initialising default vfs hooks
> [2018/09/24 11:20:29.023597,  5] 
> ../source3/smbd/vfs.c:103(smb_register_vfs)
>   Successfully added vfs backend '/[Default VFS]/'
> [2018/09/24 11:20:29.023619,  5] 
> ../source3/smbd/vfs.c:103(smb_register_vfs)
>   Successfully added vfs backend 'posixacl'
> [2018/09/24 11:20:29.023637,  3] 
> ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [/[Default VFS]/]
>   Successfully loaded vfs module [/[Default VFS]/] with the 
> new modules system
> [2018/09/24 11:20:29.023676,  5] 
> ../source3/lib/messages.c:678(messaging_register)
>   Registering messaging pointer for type 784 - 
> private_data=0x5594f5558ea0
> [2018/09/24 11:20:29.023699,  5] 
> ../source3/lib/messages.c:678(messaging_register)
>   Registering messaging pointer for type 793 - 
> private_data=0x5594f5551260
> [2018/09/24 11:20:29.023713,  5] 
> ../source3/lib/messages.c:678(messaging_register)
>   Registering messaging pointer for type 799 - 
> private_data=0x5594f5551260
> [2018/09/24 11:20:29.023791,  4] 
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (49976, 10515) - sec_ctx_stack_ndx = 0
> [2018/09/24 11:20:29.023816,  5] 
> ../libcli/security/security_token.c:63(security_token_debug)
>   Security token SIDs (10):
>     SID[  0]: S-1-5-21-160080369-3601385002-3131615632-1811
>     SID[  1]: S-1-5-21-160080369-3601385002-3131615632-515
>     SID[  2]: S-1-1-0
>     SID[  3]: S-1-5-2
>     SID[  4]: S-1-5-11
>     SID[  5]: S-1-22-1-49976
>     SID[  6]: S-1-22-2-10515
>     SID[  7]: S-1-22-2-5002
>     SID[  8]: S-1-22-2-5003
>     SID[  9]: S-1-22-2-5004
>    Privileges (0x               0):
>    Rights (0x               0):
> [2018/09/24 11:20:29.023913,  5] 
> ../source3/auth/token_util.c:810(debug_unix_user_token)
>   UNIX token of user 49976
>   Primary group is 10515 and contains 4 supplementary groups
>   Group[  0]: 10515
>   Group[  1]: 5002
>   Group[  2]: 5003
>   Group[  3]: 5004
> [2018/09/24 11:20:29.023990,  5] 
> ../source3/smbd/uid.c:365(change_to_user_internal)
>   Impersonated user: uid=(49976,49976), gid=(0,10515)
> [2018/09/24 11:20:29.024019,  4] 
> ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2018/09/24 11:20:29.024041,  5] 
> ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2018/09/24 11:20:29.024054,  5] 
> ../source3/auth/token_util.c:810(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2018/09/24 11:20:29.024091,  5] 
> ../source3/smbd/uid.c:427(smbd_change_to_root_user)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2018/09/24 11:20:29.024143,  2] 
> ../source3/smbd/service.c:841(make_connection_snum)
>   10.5.2.145 (ipv4:10.5.2.145:49207) connect to service wpkg 
> initially as user LNFFVG\unci-unci$ (uid=49976, gid=10515) (pid 18207)
> [2018/09/24 11:20:29.024188,  5] 
> ../lib/dbwrap/dbwrap.c:130(dbwrap_lock_order_lock)
>   dbwrap_lock_order_lock: check lock order 1 for 
> /var/run/samba/smbXsr
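An added example that is not part of the thread or of Samba: a parser for the `JSON Authentication` log lines of the kind quoted above (Samba 4.8's JSON auth log), summarising failures per account and remote host and flagging logons that were mapped onto root; the sample entries are constructed in that format.

```python
import json
from collections import Counter

# Constructed sample in the shape of Samba 4.8's "JSON Authentication" log entries (the
# fields mirror the trace quoted above, with the wrapped JSON joined onto one line; the
# second, successful entry is made up for contrast).
SAMPLE_LOG = """
[2018/09/24 11:31:02.653242,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-24T11:31:02.653150+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.145:63155", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "unci-unci", "clientAccount": "Administrator", "workstation": "UNCI-UNCI", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "root", "mappedDomain": "unci-unci", "passwordType": "NTLMv2"}}
[2018/09/24 11:20:29.024143,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2018-09-24T11:20:29.024000+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.5.1.26:445", "remoteAddress": "ipv4:10.5.2.145:49207", "serviceDescription": "SMB2", "clientDomain": "LNFFVG", "clientAccount": "unci-unci$", "workstation": "UNCI-UNCI", "becameAccount": "unci-unci$", "becameDomain": "LNFFVG", "mappedAccount": "unci-unci$", "mappedDomain": "LNFFVG", "passwordType": "NTLMv2"}}
"""
PREFIX = "JSON Authentication: "

def parse_auth_events(log_text):
    """Return the 'Authentication' objects embedded in Samba JSON auth log lines."""
    events = []
    for line in log_text.splitlines():
        idx = line.find(PREFIX)
        if idx < 0:
            continue
        rec = json.loads(line[idx + len(PREFIX):])
        if rec.get("type") == "Authentication":
            events.append(rec["Authentication"])
    return events

def remote_host(addr):
    """'ipv4:10.5.2.145:63155' -> '10.5.2.145' (family prefix and port stripped)."""
    _family, _, rest = addr.partition(":")
    host, _, _port = rest.rpartition(":")
    return host

def summarize(events):
    """Count failures per (DOMAIN\\account, remote host, status) and list logons that
    Samba mapped onto the UNIX root user, which deserve a look whatever their status."""
    failures, mapped_to_root = Counter(), []
    for ev in events:
        who = f"{ev.get('clientDomain')}\\{ev.get('clientAccount')}"
        host = remote_host(ev.get("remoteAddress", ""))
        if ev.get("status") != "NT_STATUS_OK":
            failures[(who, host, ev.get("status"))] += 1
        if ev.get("mappedAccount") == "root":
            mapped_to_root.append((who, host, ev.get("status")))
    return failures, mapped_to_root
```

Feed `summarize(parse_auth_events(open("/var/log/samba/log.smbd").read()))` the real log at `log level = auth_json_audit:3` or higher to get the same two views over live traffic.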