[Samba] In mac guest user is not working when AD connected - samba 4.9.3
Rowland penny
rpenny at samba.org
Wed Sep 25 13:26:03 UTC 2019
On 25/09/2019 13:17, VigneshDhanraj G via samba wrote:
> Hi Andrew,
>
> If I give register user as vignesh/guest, it's working fine. While selecting
> the Guest radio button, guest user is not working.
>
> Guest user is working fine without AD connection.
Andrew said:
server signing as mandatory makes no sense with a guest connection,
where there is no password with which to secure the session.
Which is okay as far as it goes.
Your client seems to be using SMBv2:
[2019/09/25 15:01:46.695622,  5] ../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)
  signed SMB2 message
And 'man smb.conf' has this to say about 'server signing':
This controls whether the client is allowed or required to use SMB1 and
SMB2 signing. Possible values are default, auto, mandatory and disabled.
By default, and when smb signing is set to default, smb signing is
required when server role is active directory domain controller and
disabled otherwise.
For the SMB2 protocol, by design, signing cannot be disabled. In the
case where SMB2 is negotiated, if this parameter is set to disabled, it
will be treated as auto. Setting it to mandatory will still require SMB2
clients to use signing.
Default: server signing = default
So, for SMBv2 you can only use 'default', 'auto' or 'mandatory'.
As your computer is not a DC, 'default' means 'disabled' and, as you are
using SMBv2, if 'server signing' is set to 'default', it will be treated
as 'auto', so really, you can only use 'auto' or 'mandatory'.
'auto' will attempt to use signing and 'mandatory' will insist on using
signing.
So, from my point of view, it doesn't seem to matter what you set it to,
your client is trying to use it, so Samba will attempt to use it.
I actually think that you do not fully understand how guest access on
Samba works ;-)
You have this line in smb.conf:
map to guest= Bad User
What this means is that any unknown user is mapped to the Samba guest
user (typically the user 'nobody'), you are connecting as
'vignesh/guest' and as your workgroup is 'GHANA' this user will be
unknown to Samba and will be mapped to the guest user before it gets
anywhere near any shares (which, incidentally, you haven't shown us) and
if you have 'guest ok = yes' set in a share, then the guest user will be
allowed access.
You seem to think you can connect as the user 'vignesh/guest' and be
allowed access as the same user, this will never work.
Your smb.conf seems to be set up using a mixture of the old ways of
doing things and the current way of doing things, can I suggest you use
this smb.conf:
[Global]
    workgroup = GNANA
    realm = GNANA.COM
    security = ADS
    netbios name = px4-400d
    server string = Test
    idmap config * : backend = tdb
    idmap config * : range = 5000-9999999
    idmap config GNANA : backend = rid
    idmap config GNANA : range = 10000000-19999999
    dns proxy = no
    inherit acls = yes
    winbind separator = \\
    winbind offline logon = true
    template shell = /bin/sh
    kerberos method = secrets and keytab
    map to guest = Bad User
    printcap name = lpstat
    ntlm auth = Yes
Rowland
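
Added example (not part of the original post and not Samba code): a small Python check that resolves the effective 'server signing' value the way the quoted man page text describes, and reports how 'map to guest = Bad User' interacts with signing and with guest-enabled shares. The [public] share and the function names are assumptions made for illustration.

```python
# Constructed sample: settings discussed in the thread plus a hypothetical [public] share.
SAMPLE = """\
[global]
   security = ADS
   map to guest= Bad User
   server signing = mandatory
[public]
   guest ok = yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; smb.conf ignores case and spaces in names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)   # only the first '=' is significant
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def effective_signing(conf, smb2=True):
    """Resolve 'server signing' following the man page text quoted in the post."""
    g = conf.get("global", {})
    value = g.get("serversigning", "default").lower()
    if value == "default":
        is_dc = g.get("serverrole", "auto").lower() == "active directory domain controller"
        value = "mandatory" if is_dc else "disabled"
    if smb2 and value == "disabled":          # SMB2 signing cannot be disabled
        value = "auto"
    return value

def guest_findings(conf):
    """List how the guest mapping interacts with signing and guest-enabled shares."""
    g = conf.get("global", {})
    if g.get("maptoguest", "never").lower() != "bad user":
        return []
    findings = []
    if effective_signing(conf) == "mandatory":
        findings.append("signing is mandatory, but a guest session has no password to secure it")
    shares = sorted(s for s, p in conf.items()
                    if s != "global" and p.get("guestok", "no").lower() == "yes")
    if shares:
        findings.append("unknown users become the guest user and can reach: " + ", ".join(shares))
    return findings
```

Calling guest_findings(parse_smb_conf(SAMPLE)) returns both findings for the constructed sample; a member-server config without 'server signing' resolves to 'auto' under SMB2.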