[Samba] In mac guest user is not working when AD connected - samba 4.9.3

VigneshDhanraj G vigneshdhanraj.g at gmail.com
Thu Sep 26 09:21:11 UTC 2019


Hi,

Thanks for your reply.
Is there any way to avoid signing only for the AD guest user?

Thanks,
Rajalakshmi S.

On Wed, Sep 25, 2019 at 6:57 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 25/09/2019 13:17, VigneshDhanraj G via samba wrote:
> > Hi Andrew,
> >
> > If I give register user as vignesh/guest, it's working fine. While selecting
> > the Guest radio button, guest user is not working.
> >
> > Guest user is working fine without AD connection.
>
> Andrew said:
>
> server signing as mandatory makes no sense with a guest connection,
> where there is no password with which to secure the session.
>
> Which is okay as far as it goes.
>
> Your client seems to be using SMBv2:
>
> [2019/09/25 15:01:46.695622, 5]../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)  signed SMB2 message
>
> And 'man smb.conf' has this to say about 'server signing':
>
> This controls whether the client is allowed or required to use SMB1 and
> SMB2 signing. Possible values are default, auto, mandatory and disabled.
>
> By default, and when smb signing is set to default, smb signing is
> required when server role is active directory domain controller and
> disabled otherwise.
>
> For the SMB2 protocol, by design, signing cannot be disabled. In the
> case where SMB2 is negotiated, if this parameter is set to disabled, it
> will be treated as auto. Setting it to mandatory will still require SMB2
> clients to use signing.
>
> Default: server signing = default
>
> So, for SMBv2 you can only use 'default', 'auto' or 'mandatory'
>
> As your computer is not a DC, 'default' means 'disabled' and, as you are
> using SMBv2, if 'server signing' is set to 'default', it will be treated
> as 'auto', so really, you can only use 'auto' or 'mandatory'.
>
> 'auto' will attempt to use signing and 'mandatory' will insist on using
> signing.
>
> So, from my point of view, it doesn't seem to matter what you set it to,
> your client is trying to use it, so Samba will attempt to use it.
>
> I actually think that you do not fully understand how guest access on
> Samba works ;-)
>
> You have this line in smb.conf:
>
> map to guest= Bad User
>
> What this means is that any unknown user is mapped to the Samba guest
> user (typically the user 'nobody'), you are connecting as
> 'vignesh/guest' and as your workgroup is 'GHANA' this user will be
> unknown to Samba and will be mapped to the guest user before it gets
> anywhere near any shares (which, incidentally, you haven't shown us) and
> if you have 'guest ok = yes' set in a share, then the guest user will be
> allowed access.
>
> You seem to think you can connect as the user 'vignesh/guest' and be
> allowed access as the same user, this will never work.
>
> Your smb.conf seems to be set up using a mixture of the old ways of
> doing things and the current way of doing things, can I suggest you use
> this smb.conf:
>
> [Global]
> Workgroup= GNANA
> realm= GNANA.COM
> security= ADS
> netbios name= px4-400d
> server string= Test
>
> idmap config * : backend= tdb
> idmap config * : range = 5000-9999999
> idmap config GNANA : backend= rid
> idmap config GNANA : range= 10000000-19999999
>
> dns proxy= no
> inherit acls= yes
>
> winbind separator= \\
> winbind offline logon= true
> template shell= /bin/sh
> kerberos method= secrets and keytab
> map to guest= Bad User
> printcap name= lpstat
>
> ntlm auth= Yes
>
> Rowland
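
The signing rules quoted from 'man smb.conf' and the 'map to guest' behaviour described in the message above, combined into a small smb.conf audit. This is an added example, not part of the original thread and not Samba code. The sample configuration and share names are constructed, and only the four 'server signing' values named in the quoted man page text are handled.

```python
SAMPLE_CONF = """\
# constructed sample; share names are hypothetical
[Global]
  security = ADS
  server signing = mandatory
  map to guest = Bad User
[public]
  path = /srv/public
  guest ok = yes
[private]
  path = /srv/private
"""

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current["".join(key.split()).lower()] = value.strip()
    return sections

def effective_signing(setting, is_dc, smb2=True):
    """Apply the man-page rules for default/auto/mandatory/disabled."""
    s = setting.strip().lower()
    if s == "default":
        s = "mandatory" if is_dc else "disabled"
    if smb2 and s == "disabled":
        s = "auto"  # SMB2 signing cannot be disabled
    return s

def audit(text):
    conf = parse(text)
    g = conf.get("global", {})
    is_dc = g.get("serverrole", "").lower() == "active directory domain controller"
    signing = effective_signing(g.get("serversigning", "default"), is_dc)
    mapping = g.get("maptoguest", "never").lower()  # smb.conf default is Never
    guest = sorted(n for n, s in conf.items() if n != "global" and
                   s.get("guestok", s.get("public", "no")).lower() in ("yes", "true", "1"))
    findings = []
    if mapping == "bad user" and guest:
        findings.append("unknown users are mapped to guest and can reach: " + ", ".join(guest))
    if signing == "mandatory" and mapping != "never" and guest:
        findings.append("mandatory signing with guest access: a guest session has no password to sign with")
    return signing, guest, findings
```

Calling `audit(SAMPLE_CONF)` returns the effective SMB2 signing mode, the guest-accessible shares and the findings; the parser does not follow `include` lines or line continuations.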