[Samba] User mapping/login issue

Nico Kadel-Garcia nkadel at gmail.com
Sun Apr 21 17:52:39 UTC 2019


On Sat, Apr 20, 2019 at 7:29 PM Stephen Davies via samba
<samba at lists.samba.org> wrote:
>
> I have been a bit divorced from Samba for a while and am stumped by a recently seen issue.
>
> My Samba server (V4.8.3) is Centos 7 and the remote clients are windoze boxes at the other end of a VPN (OpenVPN).
> At some point in "recent" history, access to shares on the Centos server started to fail with password failures.
> The reason seems to be associated with user mapping. (See log fragment below).
>
> I have added entries to smbusers trying to map the remote user to local user simon without success.
>
> There is no windoze domain server involved.
>
> The clients can FTP to the server and retrieve emails via IMAP.
>
> What am I missing?

Just as a matter of course: check SSH access, if any user accounts
have permitted SSH, verify consistent NTP between all the servers.
FTP..... can have login access permitted by local password files that
have nothing to do with Kerberos, and your clients may not even be
aware. Also, FTP is *not* encrypted. I'd discuss with your clients
switching to a more secure protocol, such as FTPS (which is supported
via vsftpd on CentOS systems) or SFTP with a robust chroot cage (to
prevent shell access) or WebDAV over SSL. (Web based, works
surprisingly well.)

I've seen many internal and external setups that had poor NTP setups
and drifted so far apart in time that the necessary time
synchronization for Kerberos started failing. And DNS can.... become
an adventure in VPN segregated environments. I'd check both NTP and
DNS between the Samba server and these clients for consistency.


