
[Samba] user authentication issue


Itamar Gal

Apr 17, 2015, 4:20:03 PM
Hey Samba list,

First a brief comment regarding my background and situation. This is my
first time posting to this list. I've been asked to resolve a Samba
authentication issue, but I have next to no experience using Samba.
Unfortunately no one else here knows how to use it either; we're operating
with an inherited environment from a sysadmin who left minimal
documentation, and we have limited human resources in the context of IT.

Now on to my problem! A user is unable to access a Samba share. My company
has a web interface for adding new users, but apparently it's not doing the
trick this time for some reason. That's all of the information I've been
given, along with the user's UID. Preferring to work at the command line,
I've tried the following (from the host running the Samba server):

1. First I checked that the user has an entry in our LDAP server:

ldapsearch -h sambahost -x -LLL uid=userid

This returns an entry of the following form:

dn: uid=userid,ou=people,o=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid:: c2tkNjg0IA==
uidNumber: 1076
homeDirectory:: L2hvbWUvc2tkNjg0IA==
loginShell: /bin/bash
gidNumber: 1076
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-3439207220-2335887646-243107566-3152
sambaPrimaryGroupSID: S-1-5-21-3439207220-2335887646-243107566-3153
sn: Lastname
cn: Firstname Lastname
displayName: Firstname Lastname
givenName: Firstname
sambaPasswordHistory:
00000000000000000000000000000000000000000000000000000000
00000000
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1429299642

2. Next, I tried using pdbedit to search for the user:

sudo pdbedit -L | grep userid

This yielded the following output:

init_sam_from_ldap: Entry found for user: userid
userid :4294967295:Firstname Lastname

I also tried pdbclient with verbose output enabled:

sudo pdbedit -L -v | grep userid

This resulted in the following output:

init_sam_from_ldap: Entry found for user: userid
Failed to find a Unix account for userid init_sam_from_ldap: Entry found
for user: otheruserid
Unix username: userid
NT username: userid
Home Directory: \\files\userid
Profile Path: \\files\userid \profile

3. I reset the user's password:

echo -e "password\npassword\n" | passwordsudo smbpasswd -s

Then I tried to connect to the Samba server as the user:

smbclient //fileserver/domain -U userid

Unfortunately I was unable to authenticate; I get the following error
message:

Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

4. I checked to see if there was in fact a Unix account for the user, and
there wasn't, so I added one, and set the UNIX password to match the
password set with smbpasswd. Then I tried again to connect to the Samba
server, but was still unable to connect.

Can anyone shed any light on this? Help!

Thanks in advance for your time and consideration.

Cheers,
Itamar
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Jeremy Allison

Apr 17, 2015, 5:40:02 PM
On Fri, Apr 17, 2015 at 03:15:48PM -0500, Itamar Gal wrote:
> Hey Samba list,
> Home Directory: \\files\userid
> Profile Path: \\files\userid \profile
>
> 3. I reset the user's password:
>
> echo -e "password\npassword\n" | passwordsudo smbpasswd -s
>
> Then I tried to connect to the Samba server as the user:
>
> smbclient //fileserver/domain -U userid
>
> Unfortunately I was unable to authenticate; I get the following error
> message:
>
> Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> 4. I checked to see if there was in fact a Unix account for the user, and
> there wasn't, so I added one, and set the UNIX password to match the
> password set with smbpasswd. Then I tried again to connect to the Samba
> server, but was still unable to connect.
>
> Can anyone shed any light on this? Help!

Set the log level in smbd to 10, then take a look
at the logs produced when smbclient tries to connect.

Here's how I set that up in smb.conf:

log file = /usr/local/samba/var/log.%m
max log size = 0
log level = 10

That will be the quickest way to track down the problem.

Jeremy.

Itamar Gal

Apr 18, 2015, 10:10:03 AM
Hey Jeremy,

Thanks for the advice. I followed your suggestion and collected the logged
information for a single connection attempt (i.e. smbclient
//servername/sharename -U username); I've included the log data below (in
the postscript). It looks like Samba is still looking for a Unix user
account and not finding one. I should mention that it seems that I am able
to authenticate as the user; the following command executes properly, for
example:

smbclient -L //servername -U username

So I'm guessing that the problem is that the user doesn't have permission to
access the shares they're trying to access. However, my (extremely limited)
understanding is that Samba inherits permissions from the host Linux
system, and in this case the corresponding Linux user is a member of the
appropriate group for each corresponding share. Any further thoughts would
be greatly appreciated. Thanks again!

Cheers,
Itamar

Here's the log data:

[2015/04/18 13:41:26.261983, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[Sharename]\[username]@[Server] with the new password interface
[2015/04/18 13:41:26.262024, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [Sharename]\[username]@[Server]
[2015/04/18 13:41:26.275787, 3] lib/smbldap.c:803(smb_ldap_start_tls)
StartTLS issued: using a TLS connection
[2015/04/18 13:41:26.275830, 2] lib/smbldap.c:1018(smbldap_open_connection)
smbldap_open_connection: connection opened
[2015/04/18 13:41:26.277053, 3] lib/smbldap.c:1240(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2015/04/18 13:41:26.277795, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: username
[2015/04/18 13:41:26.279734, 0]
passdb/lookup_sid.c:1684(get_primary_group_sid)
Failed to find a Unix account for username User username in passdb, but
getpwnam() fails!
[2015/04/18 13:41:26.279895, 0] auth/check_samsec.c:492(check_sam_security)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2015/04/18 13:41:26.279929, 3]
auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [Sharename]
was for this SAM.
[2015/04/18 13:41:26.279954, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [username] -> [username]
FAILED with error NT_STATUS_NO_SUCH_USER
[2015/04/18 13:41:26.279981, 3] smbd/sesssetup.c:63(do_map_to_guest)
No such user username [Sharename] - using guest account
[2015/04/18 13:41:26.280011, 3] smbd/password.c:297(register_existing_vuid)
register_existing_vuid: User name: nobody Real name: (null)
[2015/04/18 13:41:26.280039, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be
vuid 100
[2015/04/18 13:41:26.280327, 3] smbd/process.c:1662(process_smb)
Transaction 3 of length 116 (0 toread)
[2015/04/18 13:41:26.280396, 3] smbd/process.c:1467(switch_message)
switch message SMBtconX (pid 32646) conn 0x0
[2015/04/18 13:41:26.280443, 3] lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/04/18 13:41:26.280481, 3] smbd/service.c:837(make_connection_snum)
Connect path is '/tmp' for service [IPC$]
[2015/04/18 13:41:26.280531, 3] smbd/vfs.c:102(vfs_init_default)
Initialising default vfs hooks
[2015/04/18 13:41:26.280562, 3] smbd/vfs.c:128(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2015/04/18 13:41:26.280630, 3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
string_to_sid: SID ig3223 is not in a valid format
[2015/04/18 13:41:26.281305, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: ig3223
[2015/04/18 13:41:26.282110, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1080
[2015/04/18 13:41:26.283328, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1080
[2015/04/18 13:41:26.283448, 3] smbd/service.c:1081(make_connection_snum)
Server (127.0.0.1) connect to service IPC$ initially as user nobody
(uid=65534, gid=65534) (pid 32646)
[2015/04/18 13:41:26.283485, 3] smbd/reply.c:871(reply_tcon_and_X)
tconX service=IPC$
[2015/04/18 13:41:26.283699, 3] smbd/process.c:1662(process_smb)
Transaction 4 of length 136 (0 toread)
[2015/04/18 13:41:26.283769, 3] smbd/process.c:1467(switch_message)
switch message SMBtrans2 (pid 32646) conn 0x7f0404cc8590
[2015/04/18 13:41:26.283836, 3] smbd/msdfs.c:891(get_referred_path)
get_referred_path: |Sharename| in dfs path \Server.hosturl\Sharename is
not a dfs root.
[2015/04/18 13:41:26.283867, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/trans2.c(8345) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2015/04/18 13:41:26.284057, 3] smbd/process.c:1662(process_smb)
Transaction 5 of length 39 (0 toread)
[2015/04/18 13:41:26.284127, 3] smbd/process.c:1467(switch_message)
switch message SMBtdis (pid 32646) conn 0x7f0404cc8590
[2015/04/18 13:41:26.284182, 3] smbd/service.c:1345(close_cnum)
Server (127.0.0.1) closed connection to service IPC$
[2015/04/18 13:41:26.284211, 3] smbd/connection.c:35(yield_connection)
Yielding connection to IPC$
[2015/04/18 13:41:26.284347, 3] smbd/process.c:1662(process_smb)
Transaction 6 of length 116 (0 toread)
[2015/04/18 13:41:26.284381, 3] smbd/process.c:1467(switch_message)
switch message SMBtconX (pid 32646) conn 0x0
[2015/04/18 13:41:26.284417, 3] lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/04/18 13:41:26.284446, 2]
smbd/service.c:616(create_connection_session_info)
guest user (from session setup) not permitted to access this share
(Sharename)
[2015/04/18 13:41:26.284471, 1] smbd/service.c:770(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2015/04/18 13:41:26.284496, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2015/04/18 13:41:26.284777, 3] smbd/server_exit.c:180(exit_server_common)
Server exit (failed to receive smb request)

Rowland Penny

Apr 18, 2015, 10:20:03 AM
It does look like your user is unknown to Samba; it might help if you
posted the smb.conf, what OS you are using, etc.

Rowland

Itamar Gal

Apr 18, 2015, 10:50:03 AM
Hey Rowland,

Thanks for the advice. The host is running Ubuntu 12.04 and I've included
the smb.conf below (reverted it to its "original" state prior to following
Jeremy's advice). I don't suppose you know why the user is able to obtain a
list of Samba services (i.e. smbclient -L host -U user) if they aren't
known to Samba? I find that confusing.

- Itamar

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = UserGroup

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = yes

# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes


#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

passdb backend = ldapsam:"ldap://hosturl"

admin users = adminuser

ldap suffix = o=org
ldap ssl = start tls
ldap admin dn="cn=admin,o=org"
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=group

obey pam restrictions = no

unix password sync = no

map to guest = bad user

########## Domains ###########
domain logons = yes

domain master = yes
preferred master = yes

usershare allow guests = no

guest account = nobody

logon home = \\%N\%U
logon path = \\%N\%U\profile

log level = 3
log file = /var/log/samba/%U.log
max log size = 50
template shell = /bin/bash

[homes]
comment = Home Directories
browseable = no
writeable = yes
guest ok = no
create mask = 0700
directory mask = 0700
root preexec = /usr/local/sbin/mkhomedir.sh %U

[groups]
comment = group shares
browseable = yes
writeable = yes
path = /export/groups
guest ok = no
create mask = 0664
directory mask = 2775
inherit owner = no
inherit permissions = yes

[UserGroup]
comment = files for UserGroup group
browseable = yes
writeable = yes
path = /export/groups/UserGroup
guest ok = no
create mask = 0664
directory mask = 2775
inherit owner = yes
inherit permissions = yes

directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
force group = +UserGroup

[AdminGroup]
comment = files for admingroup group
browseable = yes
writeable = yes
path = /export/groups/AdminGroup
guest ok = no
create mask = 0664
directory mask = 2775
inherit owner = yes
inherit permissions = yes

directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
force group = +admingroup


On Sat, Apr 18, 2015 at 9:16 AM, Rowland Penny <rowlan...@googlemail.com>
wrote:

Rowland Penny

Apr 18, 2015, 11:10:03 AM
OK, just a few questions based on what is in your smb.conf, which seems
to show that it is running as an NT-4 style PDC.

passdb backend = ldapsam:"ldap://hosturl"
I take it that 'hosturl' is the fqdn of the machine that samba is
running on.

ldap suffix = o=org
Is this correct ?? I would expect something like 'dc=example,dc=com'

unix password sync = no
This means that there is no sync between samba and local unix users i.e.
they can have different passwords!

logon home = \\%N\%U
%N means 'replace this with the name of your NIS home directory server'
Do you have a NIS home directory server ?
If not (and samba has been compiled in the right way) this could also
mean the NetBIOS name of the server, in which case it may be better to
just set this to NetBIOS name.

map to guest = bad user
There doesn't seem to be much point to this because all the shares have
this: 'guest ok = no'

As is, your users need to exist, but if they don't, they get mapped to
nobody and can see the shares, but because 'guest ok = no' is set on the
shares, they cannot do anything.
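As an added illustration of the behaviour Rowland describes (this is not code from the thread or from the Samba project): the script below parses smbd level-3 log lines of the kind Itamar posted and reports every session where authentication failed and smbd fell back to the guest account under 'map to guest = bad user', together with the shares that then refused the guest. The sample log lines are constructed from the thread's excerpt; the record and finding layouts, and the file-path argument, are this example's own conventions.

```python
"""Flag smbd authentication failures that fell back to the guest account.

Added example, not Samba code. It parses level-3 smbd log output of the
kind pasted in the thread and pairs each 'using guest account' line with
the preceding NT_STATUS failure and any share that later refused the guest.
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class LogRecord:
    ts: str
    level: int
    location: str
    message: str = ""


# Header line: "[2015/04/18 13:41:26.261983, 3] auth/auth.c:219(check_ntlm_password)"
HEADER_RE = re.compile(r"^\[(?P<ts>[^\],]+), (?P<level>\d+)\]\s*(?P<loc>\S*)$")
# A location that wrapped onto its own line, as happens in the thread's paste.
LOCATION_RE = re.compile(r"^\S+:\d+\(\w+\)$")
AUTH_FAILED_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\S+)")
UNIX_MISSING_RE = re.compile(r"Failed to find a Unix account for (\S+)")
GUEST_MAP_RE = re.compile(r"No such user (\S+) \[([^\]]*)\] - using guest account")
SHARE_DENIED_RE = re.compile(r"not permitted to access this share \(([^)]*)\)")

# Constructed sample, modelled on the level-3 excerpt posted in the thread.
SAMPLE_LOG = r"""
[2015/04/18 13:41:26.261983, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user
  [Sharename]\[username]@[Server] with the new password interface
[2015/04/18 13:41:26.277795, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: username
[2015/04/18 13:41:26.279734, 0]
  passdb/lookup_sid.c:1684(get_primary_group_sid)
  Failed to find a Unix account for username User username in passdb, but getpwnam() fails!
[2015/04/18 13:41:26.279954, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/04/18 13:41:26.279981, 3] smbd/sesssetup.c:63(do_map_to_guest)
  No such user username [Sharename] - using guest account
[2015/04/18 13:41:26.280039, 3] smbd/password.c:307(register_existing_vuid)
  register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2015/04/18 13:41:26.284446, 2] smbd/service.c:616(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (Sharename)
[2015/04/18 13:41:26.284471, 1] smbd/service.c:770(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
"""


def parse_smbd_log(text):
    """Group each header line with its (possibly multi-line) message."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(LogRecord(m["ts"], int(m["level"]), m["loc"]))
            continue
        if not records:
            continue  # text before the first header; nothing to attach it to
        rec = records[-1]
        if not rec.location and not rec.message and LOCATION_RE.match(line):
            rec.location = line  # wrapped "file.c:NNN(function)" line
        else:
            rec.message = f"{rec.message} {line}".strip()
    return records


def find_guest_fallbacks(records):
    """Return one finding per 'using guest account' event, in log order."""
    findings = []
    last_error = {}       # user -> NT status of the most recent failed auth
    unix_missing = set()  # users whose passdb entry exists but getpwnam() failed
    for rec in records:
        m = UNIX_MISSING_RE.search(rec.message)
        if m:
            unix_missing.add(m.group(1))
            continue
        m = AUTH_FAILED_RE.search(rec.message)
        if m:
            last_error[m.group(2)] = m.group(3)
            continue
        m = GUEST_MAP_RE.search(rec.message)
        if m:
            user, domain = m.groups()
            findings.append({
                "ts": rec.ts, "user": user, "domain": domain,
                "error": last_error.get(user),
                "unix_account_missing": user in unix_missing,
                "denied_shares": [],
            })
            continue
        m = SHARE_DENIED_RE.search(rec.message)
        if m and findings:
            findings[-1]["denied_shares"].append(m.group(1))
    return findings


def describe(f):
    """One-line diagnosis for a finding."""
    who = f["domain"] + "\\" + f["user"]
    cause = ("passdb entry exists but getpwnam() failed: no matching Unix account"
             if f["unix_account_missing"] else "user unknown to passdb")
    shares = ", ".join(f["denied_shares"]) or "none recorded"
    return (f"{f['ts']}: auth for {who} failed with {f['error']}; "
            f"mapped to guest ({cause}); guest denied on: {shares}")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in find_guest_fallbacks(parse_smbd_log(text)):
        print(describe(finding))
```

Run without arguments it reports the constructed sample; pass a per-client log file (the 'log file = /var/log/samba/log.%m' convention from the thread) to scan a real capture. The useful signal is the pair of flags: 'NT_STATUS_NO_SUCH_USER' together with 'Failed to find a Unix account' means the account is in the passdb but has no Unix identity, which is exactly the state Itamar's log shows.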

Itamar Gal

Apr 18, 2015, 12:20:04 PM
Hey Rowland,

Thank you so much for your help and patience.

> OK, just a few questions based on what is in your smb.conf, which seems to
> show that it is running as an NT-4 style PDC.
>

That's consistent with my understanding.

> passdb backend = ldapsam:"ldap://hosturl"
> I take it that 'hosturl' is the fqdn of the machine that samba is running
> on.
>

Yeah, sorry. I anonymized some of the parameters in order to (hopefully)
comply with policy. I'll take this opportunity to apologize for all past
and future clumsiness.


> ldap suffix = o=org
> Is this correct ?? I would expect something like 'dc=example,dc=com'
>

Actually, yes. Moreover, there is no line of the form 'dc=example,dc=com'
anywhere in the file.


> unix password sync = no
> This means that there is no sync between samba and local unix users i.e.
> they can have different passwords!
>

Yeah, that directive is brutally intuitive; it's funny what total
intellectual disorientation causes me to view with suspicion. I was
thinking that it was possible that some other directive might have a side
effect that overrides the 'unix password sync' directive.


> logon home = \\%N\%U
> %N means 'replace this with the name of your NIS home directory server'
> Do you have a NIS home directory server ?
> If not (and samba has been compiled in the right way) this could also mean
> the NetBIOS name of the server, in which case it may be better to just set
> this to NetBIOS name.
>

I don't believe that there is a NIS home directory server running. I've
replaced "logon home = \\%N\%U" with "logon home = \\%L\%U"; thanks for the
pointer.


> map to guest = bad user
> There doesn't seem to be much point to this because all the shares have
> this: 'guest ok = no'
>

Got it.


> As is, your users need to exist, but if they don't, they get mapped to
> nobody and can see the shares, but because 'guest ok = no' is set on the
> shares, they cannot do anything.


Ah. Ok, I think I understand, sort of. However I'm still required to
authenticate using the user's Samba password (set via smbpasswd) in order
to view the shares. Is that consistent with the user being mapped to nobody?

I'm also still unclear on why Samba doesn't see the user; the user appears
in the list generated by 'pdbedit -L', for instance. What gives?

Thanks again for your help!

Cheers,
Itamar

Rowland Penny

Apr 18, 2015, 1:10:02 PM
On 18/04/15 17:17, Itamar Gal wrote:
> Hey Rowland,
>
> Thank you so much for your help and patience.
>
> OK, just a few questions based on what is in your smb.conf, which
> seems to show that it is running as an NT-4 style PDC.
>
>
> That's consistent with my understanding.
>
> passdb backend = ldapsam:"ldap://hosturl"
> I take it that 'hosturl' is the fqdn of the machine that samba is
> running on.
>
>
> Yeah, sorry. I anonymized some of the parameters in order to
> (hopefully) comply with policy. I'll take this opportunity to
> apologize for all past and future clumsiness.

No, it is not a problem, I was just checking that ldap was running on
the same machine as samba, so there is no apology needed.

> ldap suffix = o=org
> Is this correct ?? I would expect something like 'dc=example,dc=com'
>
>
> Actually, yes. Moreover, there is no line of the form
> 'dc=example,dc=com' anywhere in the file.
>
> unix password sync = no
> This means that there is no sync between samba and local unix
> users i.e. they can have different passwords!
>
>
> Yeah, that directive is brutally intuitive; it's funny what total
> intellectual disorientation causes me to view with suspicion. I was
> thinking that it was possible that some other directive might have a
> side effect that overrides the 'unix password sync' directive.

Got to be honest here, I have never seen an ldap with a root of 'o=org',
but if that is what is in ldap, you will just have to work with it.

> logon home = \\%N\%U
> %N means 'replace this with the name of your NIS home directory
> server'
> Do you have a NIS home directory server ?
> If not (and samba has been compiled in the right way) this could
> also mean the NetBIOS name of the server, in which case it may be
> better to just set this to NetBIOS name.
>
>
> I don't believe that there is a NIS home directory server running.
> I've replaced "logon home = \\%N\%U" with "logon home = \\%L\%U";
> thanks for the pointer.
>
> map to guest = bad user
> There doesn't seem to be much point to this because all the shares
> have this: 'guest ok = no'
>
>
> Got it.
>
> As is, your users need to exist, but if they don't, they get
> mapped to nobody and can see the shares, but because 'guest ok =
> no' is set on the shares, they cannot do anything.
>
>
> Ah. Ok, I think I understand, sort of. However I'm still required to
> authenticate using the user's Samba password (set via smbpasswd) in
> order to view the shares. Is that consistent with the user being
> mapped to nobody?

No, change the line 'unix password sync = no' to 'unix password sync =
yes', restart samba, then as root run 'smbpasswd -a <username>'. This
should set the user's password for the samba and local unix user, and this
user should then be able to connect to the shares.

rowland

Itamar Gal

Apr 20, 2015, 5:10:03 AM
Home Directory: \\files\userid
Profile Path: \\files\userid \profile

3. I reset the user's password:

echo -e "password\npassword\n" | passwordsudo smbpasswd -s

Then I tried to connect to the Samba server as the user:

smbclient //fileserver/domain -U userid

Unfortunately I was unable to authenticate; I get the following error
message:

Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
tree connect failed: NT_STATUS_ACCESS_DENIED

4. I checked to see if there was in fact a Unix account for the user, and
there wasn't, so I added one, and set the UNIX password to match the
password set with smbpasswd. Then I tried again to connect to the Samba
server, but was still unable to connect.

Can anyone shed any light on this? Help!

Thanks in advance for your time and consideration.

Harry Jede

Apr 20, 2015, 9:30:03 AM
On 15:14:40 wrote Itamar Gal:
No problem

1. DO NOT CREATE USERS WITH A TRAILING SPACE !!!
2. Use the same name in DN and UID !!!

dn: uid=userid,ou=people,o=org
uid:: c2tkNjg0IA==

uid here is base64 encoded, because of the trailing space.

# echo -n c2tkNjg0IA== |base64 -d
"skd684 "

The dn is built with "uid=userid", but
"uid=skd684 "

>
> Thanks in advance for your time and consideration.
>
> Cheers,
> Itamar


--

Regards
Harry Jede
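The check Harry applies by hand (decode the 'uid::' value, compare it with the RDN in the dn) can be run over a whole LDIF export. The script below is an added example, not code from the thread or from Samba or OpenLDAP: it parses LDIF, decodes base64 ('::') values, flags any value with leading or trailing whitespace or control characters, and flags entries whose RDN value does not appear among the values of the RDN attribute. The LDIF is constructed after the entry in the thread (the two base64 strings are the ones Itamar posted; the dn and the second entry are invented), and simple RDNs without escaped commas are assumed.

```python
"""Check an LDIF export for whitespace hidden behind base64 and for RDN/attribute
mismatches. Added example, not Samba or OpenLDAP code. Usage:
python3 ldif_whitespace_check.py [file.ldif]  (no argument: run on SAMPLE_LDIF)
"""
import base64
import re
import sys

# "name: value" or "name:: base64value". Attribute names cannot contain ':',
# so the separator is unambiguous even when the value itself contains "::".
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")

# Constructed sample: first entry mirrors the thread (uid stored as "skd684 ",
# with a trailing space, so ldapsearch emits it base64-encoded); second is clean.
SAMPLE_LDIF = """\
dn: uid=skd684,ou=people,o=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid:: c2tkNjg0IA==
uidNumber: 1076
homeDirectory:: L2hvbWUvc2tkNjg0IA==
loginShell: /bin/bash
sambaAcctFlags: [UX ]

dn: uid=jdoe,ou=people,o=org
objectClass: posixAccount
uid: jdoe
uidNumber: 1077
homeDirectory: /home/jdoe
"""


def _unfold(text):
    """Join LDIF continuation lines (those starting with one space) to their predecessor."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute name to a
    list of (value, was_base64) tuples, in file order."""
    entries, entry = [], {}
    for line in _unfold(text):
        if not line.strip():          # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable LDIF line: {line!r}")
        name, sep, raw = m.groups()
        encoded = sep == "::"
        value = base64.b64decode(raw).decode("utf-8") if encoded else raw
        entry.setdefault(name.lower(), []).append((value, encoded))
    if entry:
        entries.append(entry)
    return entries


def check_entries(entries):
    """Return (dn, attribute, explanation) for every suspicious value."""
    problems = []
    for entry in entries:
        dn = entry.get("dn", [("", False)])[0][0]
        for name, values in entry.items():
            for value, encoded in values:
                if value != value.strip():
                    how = "base64-encoded" if encoded else "plain"
                    problems.append((dn, name,
                                     f"{how} value {value!r} has leading/trailing whitespace"))
                elif not value.isprintable():
                    problems.append((dn, name, f"value {value!r} contains control characters"))
        # RDN check: the first "attr=value" of the dn must match one of that
        # attribute's values (assumes no escaped commas in the RDN value).
        m = re.match(r"^([^=]+)=([^,]*)", dn)
        if m:
            rdn_attr, rdn_value = m.group(1).strip().lower(), m.group(2)
            have = [v for v, _ in entry.get(rdn_attr, [])]
            if have and rdn_value not in have:
                problems.append((dn, rdn_attr,
                                 f"RDN value {rdn_value!r} not among attribute values {have!r}"))
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, attr, why in check_entries(parse_ldif(text)):
        print(f"{dn}: {attr}: {why}")
```

Against the sample this reports three problems on the first entry (trailing space in uid, trailing space in homeDirectory, and the dn's 'uid=skd684' not matching the stored 'skd684 ') and none on the second; 'sambaAcctFlags: [UX ]' is not flagged because its space is internal. Feeding it the output of 'ldapsearch -x -LLL' for the whole people subtree is a quick way to catch other accounts created with the same defect before they produce the getpwnam() failures seen earlier in the thread.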

Itamar Gal

Apr 20, 2015, 11:10:03 AM
Hey Harry,

Thank you for your input! Ultimately I resolved the issue (following
Rowland's advice) by manually removing the user from our LDAP server and
then rerunning the user creation script (which, if I understand it
correctly, queries an external LDAP server and then synchronizes it with
our LDAP and Samba databases).

However I was still confused as to why some attributes of this specific
user were encoded whereas the corresponding attributes for other users
were not. Thank you for clearing that up for me!

Cheers,
Itamar