[Samba] User mapping/login issue

Stephen Davies sdavies at sdc.com.au
Tue Apr 23 05:31:24 UTC 2019


On 21/04/19 17:12, Rowland Penny wrote:
> On Sun, 21 Apr 2019 08:59:01 +0930
> Stephen Davies via samba <samba at lists.samba.org> wrote:
> 
>> I have been a bit divorced from Samba for a while and am stumped by a
>> recently seen issue.
>>
>> My Samba server (V4.8.3) is CentOS 7 and the remote clients are
>> windoze boxes at the other end of a VPN (OpenVPN). At some point in
>> "recent" history, access to shares on the CentOS server started to
>> fail with password failures. The reason seems to be associated with
>> user mapping. (See log fragment below).
>>
>> I have added entries to smbusers trying to map the remote user to
>> local user simon without success.
>>
>> There is no windoze domain server involved.
>>
>> The clients can FTP to the server and retrieve emails via IMAP.
>>
>> What am I missing?
>>
>>
>> [2019/04/18 16:10:52.327632,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>>   check_ntlm_password: Checking password for unmapped user [SIMON-DELLPC]\[simo n]@[SIMON-DELLPC] with the new password interface
>> [2019/04/18 16:10:52.327658,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>>   check_ntlm_password: mapped user is: [SIMON-DELLPC]\[simon]@[SIMON-DELLPC]
>> [2019/04/18 16:10:52.327686,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> 
> By default NTLMv1 is now turned off, could this be your problem? Try
> (as a test) adding 'ntlm auth = yes' to your smb.conf and
> reload/restart Samba.
> 
> If this doesn't work, can you please post your smb.conf and tell us
> what the Windows machines are.
> 
> Rowland
> 
> 

There is no ntlm auth entry in smb.conf (included below), but I don't think 
the NTLM setting is the cause, as I can use smbclient to successfully log in as 
user simon and get the following log fragment:

[2019/04/23 14:33:59.978465,  3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
   Got user=[simon] domain=[BENPARTS] workstation=[SERVER] len1=24 len2=224
[2019/04/23 14:33:59.978554,  3] ../source3/param/loadparm.c:3868(lp_load_ex)
   lp_load_ex: refreshing parameters
[2019/04/23 14:33:59.978656,  3] ../source3/param/loadparm.c:547(init_globals)
.
.
.
   adding IPC service
[2019/04/23 14:33:59.987819,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user [BENPARTS]\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [BENPARTS]\[simon]@[SERVER]

No smbuser entry is required for this combination so it looks as if the remote 
Windows workgroup/domain is not being handled.

The remote client involved is running W10 Professional 64-bit.

The full smb.conf is:

#======================= Global Settings =====================================
[global]

     workgroup = BENPARTS

     netbios name = server

     # server string is the equivalent of the NT Description field
     server string = Samba Server %v

     printcap name = cups
     load printers = yes

     printing = cups

     log file = /var/log/samba/log.%m

     max log size = 50

     log level = 4

     guest account = benparts
     # Allow users to map to guest:
     map to guest = baduser

     # Security mode. Most people will want user level security. See
     # security_level.txt for details.
     security = user
     passdb backend = tdbsam
     # Use password server option only with security = server or security = domain
       username level = 8

     encrypt passwords = yes

     preferred master = yes

     name resolve order = host lmhosts wins bcast

     wins support = yes

     preserve case = yes
     dos charset = 850
     unix charset = ISO8859-1
     domain master = yes
     domain logons = yes
     os level = 128
     add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'
#============================ Share Definitions ==============================
[homes]
     comment = Home Directories
     browseable = no
     writable = yes

[printers]
     comment = All Printers
     path = /var/spool/samba
     browseable = no
     # to allow user 'guest account' to print.
     guest ok = yes
     writable = no
     printable = yes
     create mode = 0700
     # =====================================
     # print command: see above for details.
     # =====================================
     print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.

[print$]
     path = /var/lib/samba/printers
     browseable = yes
     read only = yes
     write list = @adm root
     guest ok = yes

[pdf-generator]
     path = /var/tmp
     guest ok = No
     printable = Yes
     comment = PDF Generator (only valid users)
     #print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP doc_name &
     print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I &

[pdf-screen]
     copy = pdf-generator
     comment = PDF Generator - Screen quality (only valid users)
     print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-printer]
     copy = pdf-generator
     comment = PDF Generator - Print quality (only valid users)
     print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

[pdf-prepress]
     copy = pdf-generator
     comment = PDF Generator - PrePress quality (only valid users)
     print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "" %S &

# This one is useful for people to share files
[tmp]
    comment = Temporary file space
    path = /tmp
    read only = no
    public = yes


[var]
     comment = General shared storage
     path = /var
     read only = no
     public = yes

Thank you,
Stephen
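
The side-by-side reading of the failing Windows attempt and the working smbclient attempt in the message above can be scripted. This is an added example, not part of the original post and not Samba code: the sample log is constructed from the fragments quoted in the message (with one entry left wrapped as mail clients deliver it), and `entries`, `auth_attempts` and the result field names are hypothetical. It only reports which domain, user and workstation each attempt presented and whether the client-supplied domain equals the server's workgroup; it does not decide why a login failed.

```python
import re

# Constructed sample in the level-3 log.smbd layout quoted in the message:
# "[timestamp, level] file:line(function)" header, then indented message lines.
SAMPLE_LOG = """\
[2019/04/18 16:10:52.327632,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [SIMON-DELLPC]\\[simon]@[SIMON-DELLPC] with the new password interface
[2019/04/18 16:10:52.327658,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SIMON-DELLPC]\\[simon]@[SIMON-DELLPC]
[2019/04/23 14:33:59.987819,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[BENPARTS]\\[simon]@[SERVER] with the new password interface
[2019/04/23 14:33:59.987843,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [BENPARTS]\\[simon]@[SERVER]
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
IDENT = re.compile(r"(Checking password for unmapped user|mapped user is:)\s*"
                   r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")

def entries(log_text):
    """Yield (timestamp, message), rejoining lines wrapped by mail or terminals."""
    stamp, parts = None, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), [line[m.end():].strip()]
        elif stamp and line.strip():
            parts.append(line.strip())  # continuation of the current entry
    if stamp:
        yield stamp, " ".join(parts)

def auth_attempts(log_text, workgroup):
    """Pair each 'unmapped user' entry with the 'mapped user is' entry after it."""
    attempts = []
    for stamp, msg in entries(log_text):
        m = IDENT.search(msg)
        if not m:
            continue
        kind, domain, user, workstation = m.groups()
        ident = {"domain": domain, "user": user, "workstation": workstation}
        if kind.startswith("Checking"):
            attempts.append({"time": stamp, "unmapped": ident, "mapped": None,
                "client_domain_is_workgroup": domain.upper() == workgroup.upper()})
        elif attempts and attempts[-1]["mapped"] is None:
            attempts[-1]["mapped"] = ident
    return attempts
```

Calling `auth_attempts(text, "BENPARTS")` on a real `log.%m` file returns one record per attempt, so the Windows client's records and the smbclient records can be compared field by field.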


