[Samba] RODC in remote Site

Andrew Bartlett abartlet at samba.org
Tue Feb 16 07:11:53 UTC 2021

On Tue, 2021-02-16 at 07:35 +0100, cn--- via samba wrote:
> Thanks Andrew for looking at this.
> Am 15.02.21 um 21:42 schrieb Andrew Bartlett via samba:
> > I would turn up the logs on the DC and see why it objects.
> on the DC that is contacted I see this:
> Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: [2021/02/16 06:45:45.904935,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
> Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: create_connection_session_info: guest user (from session setup) not permitted to access this share (IPC$)
> Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: [2021/02/16 06:45:45.904978,  1] ../../source3/smbd/service.c:544(make_connection_snum)
> Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
> GUEST Access??

It will be the 'restrict anonymous = 2' on the DC I suppose.  I don't
know why winbindd on the RODC isn't authenticating the SMB layer of the
connection, and I suppose that makes it a bug (we are almost certainly
authenticating the next layer in, the NETLOGON pipe with schannel), but
if that fixes it at least we know what is going on.

My guess is that we are not NTLMSSP/Kerberos authenticating the SMB
connection the netlogon pipe is on because we used to use this to
bootstrap authentication of the other pipes (also with schannel) before
MS broke that (fixed a security bug actually...).

Anyway, try that and use the information to file a bug.

Another of the many features I would love to see implemented in samba
is an audit of things like IPC$ access and matching it with current
Windows, and then work out what we can secure further anyway.  It is
silly that in 2020 guest access is both needed and default.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
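As an added example (not part of this thread and not Samba's own tooling): a small POSIX shell script that checks the DC-side symptom Andrew points at, i.e. smbd refusing the guest session on IPC$, against the DC's 'restrict anonymous' setting. The log lines and the smb.conf fragment are constructed inline (the log is copied from the lines quoted above; the [global] section is a hypothetical DC configuration) so the script runs offline. The mapping it relies on is the documented one: 'restrict anonymous = 2' disallows anonymous connections to IPC$, which is what produces the "guest user ... not permitted to access this share (IPC$)" refusal.

```shell
#!/bin/sh
# Added example, not from the original thread or the Samba project.
# Correlates smbd's guest-IPC$ refusal with the DC's 'restrict anonymous' level.

# Constructed sample: the DC-side smbd log lines quoted in the thread.
SAMPLE_LOG='Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: [2021/02/16 06:45:45.904935,  1] ../../source3/smbd/service.c:355(create_connection_session_info)
Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: create_connection_session_info: guest user (from session setup) not permitted to access this share (IPC$)
Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: [2021/02/16 06:45:45.904978,  1] ../../source3/smbd/service.c:544(make_connection_snum)
Feb 16 06:45:45 dc4.hq.domain.de smbd[971474]: create_connection_session_info failed: NT_STATUS_ACCESS_DENIED'

# Constructed sample: a hypothetical DC [global] section with the suspect setting.
SAMPLE_CONF='[global]
    workgroup = HQ
    realm = HQ.DOMAIN.DE
    server role = active directory domain controller
    restrict anonymous = 2
    log level = 1'

# count_guest_ipc_denials LOGTEXT
# Prints how many times smbd refused a guest session on IPC$ (fixed-string match).
count_guest_ipc_denials() {
    printf '%s\n' "$1" \
        | grep -cF 'guest user (from session setup) not permitted to access this share (IPC$)' \
        || true   # grep -c still prints 0 when nothing matches; keep exit status 0
}

# restrict_anonymous_level CONFTEXT
# Prints the numeric 'restrict anonymous' value from an smb.conf fragment.
# Samba's default is 0, so an absent parameter reports 0; the last setting wins.
restrict_anonymous_level() {
    lvl=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*[Rr]estrict[[:space:]]*[Aa]nonymous[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${lvl:-0}"
}

# diagnose LOGTEXT CONFTEXT
# Prints one verdict line:
#   guest-ipc-denied:restrict-anonymous=N  symptom present and level >= 2 explains it
#   guest-ipc-denied:other                 symptom present, look elsewhere
#   no-guest-ipc-denial                    symptom absent
diagnose() {
    denials=$(count_guest_ipc_denials "$1")
    level=$(restrict_anonymous_level "$2")
    if [ "$denials" -eq 0 ]; then
        echo "no-guest-ipc-denial"
    elif [ "$level" -ge 2 ]; then
        echo "guest-ipc-denied:restrict-anonymous=$level"
    else
        echo "guest-ipc-denied:other"
    fi
}

# Stand-alone run against the constructed samples.
diagnose "$SAMPLE_LOG" "$SAMPLE_CONF"
```

On a real DC, feed it the effective configuration rather than a fragment: `testparm -s --section-name=global --parameter-name='restrict anonymous'` prints the value smbd actually uses, and the log text comes from wherever your distribution writes the smbd log (an assumption about your setup, not something the script detects). A verdict of `guest-ipc-denied:other` means the guest refusal has a different cause, for example a share-level `guest ok = no` override, and lowering 'restrict anonymous' will not help.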
