[Samba] Cannot share folders, access denied, PDC+LDAP.


Alberto Moreno

Jun 2, 2016, 9:10:03 PM6/2/16
Hi, it is time to get help.

I have a domain with Samba 3.6.23-9.el5_11 on CentOS 5.11 x64.
Windows XP/Win7/Win8.1 (x32/x64) domain members have no issues.
I even have 2 Linux CentOS 5.x x64 members in my domain.

Now I have added 1 CentOS 6.x x64 server, fully updated.

Samba 3.6.23-35.el6_8

I had set up the LDAP client on this server to get users/groups and added it to my
domain with net rpc join, no issue.

I can see the server on my domain, no issue; the problem started when I set up
my shared folders and some users.

Public folders are no problem; the problem is when I use usernames that have
the first letter in uppercase.

For some strange reason it cannot talk very well with my LDAP server.

Case 1: upper and lower case.

SERVER GOOD:

[root@servera ~]# id Test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users)
[root@servera ~]# id test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
[root@servera ~]#

Test or test returns info.

Now let's test the SERVER-BAD:
[root@mbx-server2 opt]# id test
uid=1062(test) gid=513(Domain Users) groups=513(Domain Users),10001(pvsw)
[root@mbx-server2 opt]# id Test
id: Test: No such user
[root@mbx-server2 opt]#

test is different from Test.

Now, what happens on my domain?

I have some users that appear like this on windows:

Notadmin.

I setup my share:

[nasa]
path = /opt/it
writeable = Yes
public = No
guest ok = No
valid users = test, Notadmin, dflores
create mode = 0770
directory mode = 0770
force group = itmbx
force create mode = 0770
force directory mode = 0770
admin users = root Notadmin

The user Notadmin cannot access this share.

I had checked the settings, but I use the same as on the other servers, some new
flags but nothing that caught my attention:

[global]
workgroup = MYDOMAIN
netbios name = mbx-server2
hosts allow = 192.168.2., 192.168.1., 127., 192.168.20.,
192.168.30., 192.168.40., 192.168.50.
hosts deny = 0.0.0.0
smb ports = 139 445
lanman auth = Yes
client lanman auth = Yes
security = DOMAIN
encrypt passwords = yes
syslog = 1
log level = 1
log file = /var/log/samba/%m.%U.log
max log size = 2048
socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
name resolve order = wins bcast hosts lmhost
username map = /etc/samba/usermap
domain logons = No
domain master = No
local master = No
preferred master = No
wins server = 192.168.2.24
idmap config * : backend = ldap
idmap config * : range = 10000-20000
logon path =
logon home =
display charset = LOCALE
unix charset = UTF-8
dos charset = CP850
client ipc signing = auto
map to guest = Bad User
load printers = No
show add printer wizard = No
use sendfile = Yes
map readonly = no
case sensitive = No
dns proxy = No
winbind separator = +


What SAMBA-BAD says in the logs:

[2016/05/31 09:24:48.856147, 3]
../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
Got user=[Notadmin] domain=[MYDOMAIN] workstation=[MBX-WIN8R1PM] len1=24
len2=288
[2016/05/31 09:24:48.856641, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN\[Notadmin]@[MBX-WIN8R1PM] with the new password interface
[2016/05/31 09:24:48.856751, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOMAIN]\[Notadmin]@[MBX-WIN8R1PM]
[2016/05/31 09:24:48.864733, 3] auth/auth_util.c:1087(check_account)
Failed to find authenticated user MYDOMAIN\Notadmin via getpwnam(),
denying access.
[2016/05/31 09:24:48.864888, 2] auth/auth.c:330(check_ntlm_password)
check_ntlm_password: Authentication for user [Notadmin] -> [Notadmin]
FAILED with error NT_STATUS_NO_SUCH_USER
[2016/05/31 09:24:48.864935, 3] smbd/sesssetup.c:63(do_map_to_guest)

Any recommendation about this I will appreciate, thanks!!!
--
Living the dream...

mathias dufresne

Jun 6, 2016, 8:40:03 AM6/6/16
Hi Alberto,

No idea about your issue as I'm playing with Samba to build AD only; I can
only tell you that I did test on my Samba AD DC and I can use upper,
lower or mixed case in user names:

dc108:/opt/initial_setup# id mtest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id mTest
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup# id MTEST
uid=3000017(AD\mtest) gid=3000018(AD\not_system_users)
groupes=3000018(AD\not_system_users),3000017(AD\mtest)
dc108:/opt/initial_setup#

I'm using a recent version of Samba, the latest in fact. Perhaps you could
try with a more recent version of the product to see if you still get this
error.

There is also that option in smb.conf manpage:
username level (G)

This option helps Samba to try and 'guess' at the real UNIX
username, as many DOS clients send an all-uppercase username.
By default Samba tries all lowercase, followed by the username
with the first letter capitalized, and fails if the username is not found
on the UNIX machine.

If this parameter is set to non-zero the behavior changes. This
parameter is a number that specifies the number of uppercase combinations
to try while trying to determine the UNIX user name. The higher the number
the more combinations will be tried, but the slower the discovery of
usernames will be. Use this parameter when you have strange usernames on
your UNIX machine, such as AstrangeUser.

This parameter is needed only on UNIX systems that have case
sensitive usernames.

Default: username level = 0

Example: username level = 5

Some other tests I did after reading "This parameter is needed only on
UNIX systems that have case sensitive usernames."
dc108:/opt/initial_setup# id ROOT
id: ROOT : utilisateur inexistant
dc108:/opt/initial_setup# id rOOt
id: rOOt : utilisateur inexistant
dc108:/opt/initial_setup# id root
uid=0(root) gid=0(root) groupes=0(root)
dc108:/opt/initial_setup#

So my UNIX system is case sensitive regarding user names but not when it
comes to AD users.

Using testparm -v and grep:
testparm -v | grep "username level"
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

username level = 0
dc108:/opt/initial_setup#

So "username level" is the default, 0, on a system which is case sensitive
for non-AD usernames and non-case-sensitive for AD users.

Hoping this helps...

mathias
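To make the manpage text quoted above concrete, here is an added example (my own code, not from the Samba project or from either poster) that models the username search Samba performs before it gives up with NT_STATUS_NO_SUCH_USER: all lowercase, then first letter capitalized, then, only when `username level` is non-zero, the lowercased name with 1..level letters uppercased in every possible position. The UNIX account table and the mixed-case name `notAdmin` are constructed for the example; the search order follows the manpage wording rather than Samba's source, so treat the exact sequence of attempts as a model. It also counts how many lookups a given level can cost, which is the "slower" caveat in the manpage made measurable.

```python
import itertools
import math
from typing import Callable, Iterator, List, Optional, Tuple

# Constructed account table standing in for the LDAP-backed NSS on the member
# server. Lookups are exact-match, like getpwnam(3) on a case-sensitive NSS
# (the poster's CentOS 6 box: `id test` works, `id Test` does not).
PASSWD_DB = {
    "test": 1062,
    "dflores": 1070,
    "notAdmin": 1080,   # hypothetical UNIX spelling behind the Windows user "Notadmin"
}


def getpwnam(name: str) -> Optional[int]:
    """Case-sensitive lookup returning the uid, or None (constructed stand-in)."""
    return PASSWD_DB.get(name)


def uppercase_combinations(lowered: str, level: int) -> Iterator[str]:
    """Yield `lowered` with exactly 1..level letters uppercased, every position."""
    letters = [i for i, c in enumerate(lowered) if c.isalpha()]
    for k in range(1, min(level, len(letters)) + 1):
        for positions in itertools.combinations(letters, k):
            chars = list(lowered)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def combination_count(name_len: int, level: int) -> int:
    """Worst-case number of extra getpwnam() calls `username level` adds."""
    return sum(math.comb(name_len, k) for k in range(1, min(level, name_len) + 1))


def samba_get_pwnam(user: str, level: int = 0,
                    lookup: Callable[[str], Optional[int]] = getpwnam
                    ) -> Tuple[Optional[str], Optional[int], List[str]]:
    """Model of the search described under `username level` in smb.conf(5).

    Returns (matched_unix_name, uid, names_tried). Phase 1 always runs;
    phase 2 only when level > 0. Candidates already tried are skipped.
    """
    tried: List[str] = []

    def attempt(name: str) -> Optional[Tuple[str, int]]:
        if name in tried:
            return None
        tried.append(name)
        uid = lookup(name)
        return None if uid is None else (name, uid)

    lowered = user.lower()
    # Phase 1 (always): all lowercase, then first letter capitalized.
    for cand in (lowered, lowered[:1].upper() + lowered[1:]):
        hit = attempt(cand)
        if hit:
            return hit[0], hit[1], tried
    # Phase 2 (username level = N): 1..N uppercase letters anywhere in the name.
    for cand in uppercase_combinations(lowered, level):
        hit = attempt(cand)
        if hit:
            return hit[0], hit[1], tried
    return None, None, tried


if __name__ == "__main__":
    for user, level in (("Test", 0), ("Notadmin", 0), ("Notadmin", 1), ("NOTADMIN", 5)):
        name, uid, tried = samba_get_pwnam(user, level)
        status = f"-> {name} uid={uid}" if name else "-> NT_STATUS_NO_SUCH_USER"
        print(f"user={user!r} level={level}: {status} after {len(tried)} lookups: {tried}")
    print("worst case extra lookups for an 8-letter name at level 5:",
          combination_count(8, 5))
```

Run stand-alone it shows why `Notadmin` fails at the default level 0 (only `notadmin` and `Notadmin` are tried) and succeeds once a single extra uppercase letter may be anywhere in the name, and that an 8-letter name at `username level = 5` can cost a couple of hundred NSS lookups per failed authentication, each of which goes to the LDAP server in this setup.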

Alberto Moreno

Jun 6, 2016, 3:00:04 PM6/6/16
Hi mathias, thanks for taking time to see this issue.

In my case it is not AD, it is still NT4 style.

I will try the option, thanks.


Alberto Moreno

Jun 7, 2016, 7:00:04 PM6/7/16
mathias, that flag helped me, it is now working, thanks!!!

mathias dufresne

Jun 8, 2016, 4:30:03 AM6/8/16
Hey! I'm glad to read that to begin my day ;)