[Samba] In mac guest user is not working when AD connected - samba 4.9.3

Rowland Penny rpenny at samba.org
Wed Sep 25 13:26:03 UTC 2019


On 25/09/2019 13:17, VigneshDhanraj G via samba wrote:
> Hi Andrew,
>
> If I give register user as vignesh/guest, it's working fine. While selecting
> the Guest radio button, guest user is not working.
>
> Guest user is working fine without AD connection.

Andrew said:

server signing as mandatory makes no sense with a guest connection, 
where there is no password with which to secure the session.

Which is okay as far as it goes.

Your client seems to be using SMBv2:

[2019/09/25 15:01:46.695622, 5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message

And 'man smb.conf' has this to say about 'server signing':

This controls whether the client is allowed or required to use SMB1 and 
SMB2 signing. Possible values are default, auto, mandatory and disabled.

By default, and when smb signing is set to default, smb signing is 
required when server role is active directory domain controller and 
disabled otherwise.

For the SMB2 protocol, by design, signing cannot be disabled. In the 
case where SMB2 is negotiated, if this parameter is set to disabled, it 
will be treated as auto. Setting it to mandatory will still require SMB2 
clients to use signing.

Default: server signing = default

So, for SMBv2 you can only use 'default', 'auto' or 'mandatory'.

As your computer is not a DC, 'default' means 'disabled' and, as you are 
using SMBv2, if 'server signing' is set to 'default', it will be treated 
as 'auto', so really, you can only use 'auto' or 'mandatory'.

'auto' will attempt to use signing and 'mandatory' will insist on using 
signing.

So, from my point of view, it doesn't seem to matter what you set it to, 
your client is trying to use it, so Samba will attempt to use it.

I actually think that you do not fully understand how guest access on 
Samba works ;-)

You have this line in smb.conf:

map to guest= Bad User

What this means is that any unknown user is mapped to the Samba guest 
user (typically the user 'nobody'). You are connecting as 
'vignesh/guest' and, as your workgroup is 'GHANA', this user will be 
unknown to Samba and will be mapped to the guest user before it gets 
anywhere near any shares (which, incidentally, you haven't shown us), and 
if you have 'guest ok = yes' set in a share, then the guest user will be 
allowed access.

You seem to think you can connect as the user 'vignesh/guest' and be 
allowed access as the same user; this will never work.

Your smb.conf seems to be set up using a mixture of the old ways of 
doing things and the current way of doing things. Can I suggest you use 
this smb.conf:

[Global]
Workgroup= GNANA
realm= GNANA.COM
security= ADS
netbios name= px4-400d
server string= Test

idmap config * : backend= tdb
idmap config * : range = 5000-9999999
idmap config GNANA : backend= rid
idmap config GNANA : range= 10000000-19999999

dns proxy= no
inherit acls= yes

winbind separator= \\
winbind offline logon= true
template shell= /bin/sh
kerberos method= secrets and keytab
map to guest= Bad User
printcap name= lpstat

ntlm auth= Yes

Rowland
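
Added example (not part of the message above and not Samba's own code): a Python check that applies the 'server signing' rules quoted from the man page to an smb.conf and lists the shares where guest access meets mandatory signing, the combination Andrew describes. The sample file is constructed, and the check assumes 'guest ok' is set per share and that 'server role' is written out explicitly on a DC.

```python
import configparser

# Constructed sample smb.conf for illustration (not the poster's real file).
SAMPLE = """\
[global]
workgroup = EXAMPLE
security = ADS
server signing = mandatory
map to guest = Bad User

[public]
path = /srv/public
guest ok = yes

[private]
path = /srv/private
"""

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return "".join(name.split()).lower()

def load(text):
    # '=' is the only delimiter so keys such as 'idmap config * : backend' survive.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = norm
    cp.read_string(text)
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def effective_smb2_signing(g):
    setting = g.get("serversigning", "default").lower()
    if setting == "default":
        # Man page: required on an AD DC, disabled otherwise.
        is_dc = g.get("serverrole", "auto").lower() == "active directory domain controller"
        setting = "mandatory" if is_dc else "disabled"
    # Man page: SMB2 signing cannot be disabled; 'disabled' is treated as 'auto'.
    return "auto" if setting == "disabled" else setting

def guest_signing_conflicts(text):
    conf = load(text)
    g = conf.get("global", {})
    maps_guest = g.get("maptoguest", "never").lower() != "never"
    if effective_smb2_signing(g) != "mandatory" or not maps_guest:
        return []
    yes = {"yes", "true", "1"}
    return [s for s, p in conf.items()
            if s != "global" and p.get("guestok", "no").lower() in yes]

if __name__ == "__main__":
    print("guest shares behind mandatory signing:", guest_signing_conflicts(SAMPLE))
```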




