[Samba] Machines joined to a domain can't access shares on standalone Samba server

Rowland penny rpenny at samba.org
Sun Sep 29 19:32:48 UTC 2019


On 29/09/2019 19:48, Robert Marcano via samba wrote:
> Greetings. I updated an old server to run Samba 4.9. It was running a
> distribution that still supported Samba 3.x. That Samba server has always
> been standalone, there is no interest in joining it to the Windows AD
> domain already in place.
>
> When it was running on Samba 3, users from a Windows domain joined machine,
> users were able to use the defined user on the Samba server to access the
> share. The user was added to the server as a normal Linux user, and
> password for Samba is added with smbpasswd -a.
>
> Now on the updated installation users from Windows domain joined machines
> can't access the shares, no matter if the user used <hostname>\user,
> localhost\user, <workgroup>\user or simply user.
>
> We know the user authentication is working fine because from another Linux
> machine or a Windows laptop that isn't joined to the domain the user is
> perfectly authenticated and can access the share contents.
>
> The problem could be an extra security setting on the Windows based AD
> domain that I don't manage but wish to give the admins a hint of a fix,
> hopefully someone already has experienced this. Maybe the way to refer to a
> local user on the standalone server is different from the names already tried
> above.
>
> The smb.conf is pretty simple (some little redaction on the names), Any
> help is greatly appreciated
>
> Notes:
> - Played unsuccessfully with "username map" setting just to check if I
> could map the user.
> - Accessing the standalone server by IP still fails with authentication
> (trying to fallback to SMB1 for testing)
> - Increasing logs verbosity, I see things like:
>
> check_ntlm_password:  Checking password for unmapped user [WIN_DOMAIN]\[Windows User]@[Windows_host] with the new password interface
> check_ntlm_password:  mapped user is: [WIN_DOMAIN]\[Windows User]@[Windows_host]
>
> and
>
> auth_check_ntlm_password: sam_ignoredomain authentication for user [linux_user] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>
> [global]
> # Tried with the workgroup being the same as the Windows AD domain and different
> workgroup = DOMAIN
> security = user
> netbios aliases = ALIAS
>
> # Added only to allow browsing the shares without authentication (tried without this too)
> map to guest = Bad User
>
> passdb backend = tdbsam
>
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> map archive = no
> map hidden = no
> map read only = no
> map system = no
> store dos attributes = yes
>
> [our_share]
> comment = <comment here>
> path = <valid_path_here>
> browsable = no
> create mask = 0660
> directory mask = 0770
> force group = our_group
> write list = @our_group
> valid users = @our_group
>
>
This is interesting, from a Unix domain member using smbclient it works:

rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland
Enter rowland@SAMDOM.EXAMPLE.COM's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
rowland@devstation:~/tests$ smbclient //192.168.0.27/rowland -U WORKGROUP\\rowland
Enter WORKGROUP\rowland's password:
Try "help" to get a list of possible commands.
smb: \> ls
   .                                   D        0  Mon May 22 10:11:00 2017
   ..                                  D        0  Sun Sep 22 10:14:17 2019
   .bash_logout                        H      220  Fri Oct  7 16:41:03 2016
   .profile                            H      675  Fri Oct  7 16:41:03 2016
   .bashrc                             H     3515  Fri Oct  7 16:41:03 2016
   sprinkler.sh                        N      307  Mon May 22 13:20:48 2017
   .bash_history                       H      102  Wed Dec 28 11:02:35 2016
   sprinkler                           D        0  Mon May 22 13:22:29 2017
   ftptest.txt                         N        9  Fri Oct  7 16:42:33 2016

         7736784 blocks of size 1024. 1752716 blocks available
smb: \> q

As you can see, without the workgroup, it uses the domain workgroup and 
fails, but with the workgroup on the standalone server, it works.

However, I cannot get it to work from the GUI. I have tried numerous 
different settings, but it just fails. This would lead me to suspect a 
problem with the GUI and not Samba.

Rowland
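
A triage helper for the log lines quoted in this thread, added here as an illustration and not part of either poster's message or of Samba: it pairs each logon attempt with the failure that follows it and marks whether the domain the client sent is one of the standalone server's own names. The function name, the sample lines and the names WINDOM, FILESRV, PC01, PC02 and jdoe are constructed assumptions.

```python
import re

# Message formats as quoted in the thread's log excerpts.
ATTEMPT = re.compile(r"check_ntlm_password:\s+Checking password for unmapped user "
                     r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<host>[^\]]*)\]")
FAILED = re.compile(r"authentication for user \[(?P<user>[^\]]*)\] FAILED "
                    r"with error (?P<status>NT_STATUS_\w+)")

def triage(lines, local_names):
    """Pair each logon attempt with the failure that follows it and flag
    attempts whose client-supplied domain is not a name of this server."""
    local = {n.upper() for n in local_names}
    pending, findings = None, []
    for line in lines:
        m = ATTEMPT.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = FAILED.search(line)
        if m and pending:
            findings.append({
                "sent_as": f"{pending['domain']}\\{pending['user']}",
                "workstation": pending["host"],
                "checked_user": m["user"],
                "status": m["status"],
                # True: the client sent a domain this server does not answer to.
                "foreign_domain": pending["domain"].upper() not in local,
            })
            pending = None
    return findings

# Constructed sample lines (all names made up), following the excerpts above.
SAMPLE = [
    r"check_ntlm_password:  Checking password for unmapped user [WINDOM]\[jdoe]@[PC01] with the new password interface",
    r"check_ntlm_password:  mapped user is: [WINDOM]\[jdoe]@[PC01]",
    "auth_check_ntlm_password: sam_ignoredomain authentication for user [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1",
    r"check_ntlm_password:  Checking password for unmapped user [FILESRV]\[jdoe]@[PC02] with the new password interface",
    "auth_check_ntlm_password: sam_ignoredomain authentication for user [jdoe] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1",
]

if __name__ == "__main__":
    # local_names: the server's workgroup, netbios name and netbios aliases.
    for finding in triage(SAMPLE, ["FILESRV", "ALIAS"]):
        print(finding)
```

Failures with `foreign_domain` set came from clients that sent a domain other than the server's own names; the rest were sent with a local name and still failed.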




