
[Samba] Map to Guest not working

Brian C. Huffman

Apr 19, 2015, 5:28:23 PM
All,

I've migrated a share from an older samba server (3.0.33) running on a
Sun Solaris box to a newer samba server (3.6.23) running on a RedHat
Linux 6 box.

For the most part I've tried to keep the configuration the same (simply
to make the migration easier since I'm not an expert on Samba config
options).

I got the authentication working (security=domain) but now I'm finding
that users that don't have an account on the samba server can not get
access to the share. This was not the case on the old server.

It appears that the following option should allow that to happen but it
doesn't seem to be working on the new server:
guest account = nobody
map to guest = Bad Uid

I see this in the logs when the user tries to login:

Trying _Get_Pwnam(), username as given is DS\bhuffman
[2015/04/19 16:07:38.221277, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is DS\BHUFFMAN
[2015/04/19 16:07:38.221334, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in ds\bhuffman
[2015/04/19 16:07:38.221375, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [DS\bhuffman]!
[2015/04/19 16:07:38.221415, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user bhuffman
[2015/04/19 16:07:38.221454, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is bhuffman
[2015/04/19 16:07:38.221545, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is BHUFFMAN
[2015/04/19 16:07:38.221612, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in bhuffman
[2015/04/19 16:07:38.221653, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [bhuffman]!
[2015/04/19 16:07:38.221701, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user bhuffman
[2015/04/19 16:07:38.221741, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is bhuffman
[2015/04/19 16:07:38.221796, 5] lib/username.c:134(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is BHUFFMAN
[2015/04/19 16:07:38.221853, 5] lib/username.c:143(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in bhuffman
[2015/04/19 16:07:38.221893, 5] lib/username.c:149(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [bhuffman]!
[2015/04/19 16:07:38.221932, 3] auth/auth_util.c:1073(check_account)
Failed to find authenticated user DS\bhuffman via getpwnam(), denying
access.
[2015/04/19 16:07:38.222590, 5] auth/auth.c:281(check_ntlm_password)
check_ntlm_password: winbind authentication for user [bhuffman]
FAILED with error NT_STATUS_NO_SUCH_USER
[2015/04/19 16:07:38.222650, 2] auth/auth.c:330(check_ntlm_password)
check_ntlm_password: Authentication for user [bhuffman] ->
[bhuffman] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/04/19 16:07:38.222701, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

Here is my full smb.conf:
[global]
workgroup = XY
server string = File Server
netbios name = SERVER01

security = domain
encrypt passwords = Yes
password server = a.b.c.d

guest account = nobody
map to guest = Bad Uid

wins server = a.b.c.d
load printers = no
cups options = raw


[share]
comment = Data
path = /data/share
public = yes
writable = no
printable = no

Thanks,
Brian

Andrey Repin

Apr 19, 2015, 6:37:33 PM
Greetings, Brian C. Huffman!
It seems Samba is unable to find the user in the first place.
In which case, "bad uid" is unlikely to work, I guess, as it gets no UID
whatsoever.
You will need to review your configuration link to the domain.

> Here is my full smb.conf:
> [global]
> workgroup = XY
> server string = File Server
> netbios name = SERVER01

> security = domain
> encrypt passwords = Yes
> password server = a.b.c.d

> guest account = nobody
> map to guest = Bad Uid

> wins server = a.b.c.d
> load printers = no
> cups options = raw


> [share]
> comment = Data
> path = /data/share
> public = yes
> writable = no
> printable = no

First, I don't see "guest ok = yes" on your share.
Second, try with "map to guest = bad user", if you don't want to fix the link
to your domain proper.


--
With best regards,
Andrey Repin
Monday, April 20, 2015 01:16:56

Sorry for my terrible english...

Rowland Penny

Apr 20, 2015, 5:03:10 AM
On 19/04/15 22:02, Brian C. Huffman wrote:
> All,
> Here is my full smb.conf:
> [global]
> workgroup = XY
> server string = File Server
> netbios name = SERVER01
>
> security = domain
> encrypt passwords = Yes
> password server = a.b.c.d
>
> guest account = nobody
> map to guest = Bad Uid
>
> wins server = a.b.c.d
> load printers = no
> cups options = raw
>
>
> [share]
> comment = Data
> path = /data/share
> public = yes
> writable = no
> printable = no
>
> Thanks,
> Brian

Try 'map to guest = Bad User'

Rowland

Klaus Hartnegg

Apr 20, 2015, 6:15:52 AM
On 20.04.2015 at 00:24, Andrey Repin wrote:
> First, I don't see "guest ok = yes" on your share.
> Second, try with "map to guest = bad user", if you don't want to fix the link
> to your domain proper.

And probably you must also make sure that the user specified at "map to
guest" actually exists, and has read permission in the shared directory.

However, even with everything configured correctly, it can still feel like
it is behaving erratically, asking for a password when it should not.

I think this is because two effects interact: Windows always first tries
to log you on with your Windows userid, and Samba always accepts local
users in addition to guests - but then the password must be correct!

If you have the same username on your local machine as on the server,
but with different passwords, then it will always fail.

Workaround: insist that it tries to use a non-existing userid:
net use n: \\server\share /user:notexit
This works fine, without asking for a password, and immediately connects
as guest.

A nicer solution would be map to guest = invalid password, but this has
other disadvantages (described in the man page).

The best solution would be if these options could be set per share,
instead of only globally. Then one could make a share specifically for
guests, that always just works, no matter what.
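
Added example (not part of the thread and not Samba project code): a small Python audit of the guest settings discussed in the messages above, listing the global `map to guest` policy and every share that admits guests. The sample smb.conf is constructed from the one posted; the function names are hypothetical, and the synonym handling and the Bad Uid / Bad Password notes follow the smb.conf man page.

```python
# Constructed sample, modelled on the smb.conf posted in this thread.
SAMPLE = """\
[global]
    security = domain
    guest account = nobody
    map to guest = Bad Uid
[share]
    public = yes
    writable = no
"""
TRUE = {"yes", "true", "on", "1"}   # spellings treated as boolean true here

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, inner spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def first(params, names, default):   # value of the first synonym present
    return next((params[n] for n in names if n in params), default)

def audit_guest(conf):   # hypothetical helper: summarise guest exposure
    g = conf.get("global", {})
    policy = g.get("map to guest", "Never").lower()   # Never when unset
    notes, shares = [], []
    if policy == "bad uid" and g.get("security", "").lower() not in ("domain", "ads"):
        notes.append("Bad Uid only applies with security = domain or ads")
    if policy == "bad password":
        notes.append("Bad Password turns a mistyped password into a guest session")
    for name, p in conf.items():
        # "public" is a synonym for "guest ok"
        if name == "global" or first(p, ("guest ok", "public"), "no").lower() not in TRUE:
            continue
        # "writable"/"writeable"/"write ok" invert "read only" (which defaults to yes)
        writable = (p["read only"].lower() not in TRUE if "read only" in p else
                    first(p, ("writable", "writeable", "write ok"), "no").lower() in TRUE)
        if writable:
            notes.append(f"[{name}] allows guest writes")
        shares.append({"share": name, "writable": writable})
    return {"map_to_guest": policy, "guest_account": g.get("guest account", "nobody"),
            "guest_shares": shares, "notes": notes}
```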

Andrey Repin

Apr 20, 2015, 3:09:08 PM
Greetings, Klaus Hartnegg!

> Workaround: insist that it tries to use a non-existing userid:
> net use n: \\server\share /user:notexit

Note: If you do not need to map the share to a disk (and I strongly suggest to NOT
map, as this creates an additional easy vector of attack for various malware),
you can just

net use \\server\share /user:notexit

or

net use \\server\IPC$ /user:notexit

to open access to RPC share and subsequently to all other services on the
host.

> This works fine, without asking for a password, and immediately connects
> as guest.

> A nicer solution would be map to guest = invalid password, but this has
> other disadvantages (described in the man page).

> The best solution would be if these options could be set per share,
> instead of only globally. Then one could make a share specifically for
> guests, that always just works, no matter what.

The best solution is to fix domain link already.


--
With best regards,
Andrey Repin
Monday, April 20, 2015 21:51:54

Sorry for my terrible english...

L.P.H. van Belle

Apr 21, 2015, 10:43:27 AM

Viruses and malware these days don't bother about looking for a mapped drive..
They just follow the "recently opened .... " (fill in the dots.. documents/network locations, etc. etc.)
and I know, I tested against cryptovirus..

And I'm assuming everybody knows:
http://www.computerworld.com/article/2485214/microsoft-windows/cryptolocker-how-to-avoid-getting-infected-and-what-to-do-if-you-are.html?page=2
;-)
a nice one to read..

Greetz,

Louis


>-----Original message-----
>From: hart...@uni-freiburg.de
>[mailto:samba-...@lists.samba.org] On behalf of Klaus Hartnegg
>Sent: Tuesday, April 21, 2015 15:28
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Map to Guest not working
>
>On 20.04.2015 at 20:56, Andrey Repin wrote:
>> Note: If you do not need to map share to a disk (and I strongly suggest to NOT
>> map, as this creates additional easy vector of attack for various malware),
>> you can just
>
>I found scripts to run more than 10 times slower when this is done.

Andrey Repin

Apr 21, 2015, 10:43:29 AM
Greetings, Klaus Hartnegg!

> On 20.04.2015 at 20:56, Andrey Repin wrote:
>> Note: If you do not need to map share to a disk (and I strongly suggest to NOT
>> map, as this creates additional easy vector of attack for various malware),
>> you can just

> I found scripts to run more than 10 times slower when this is done.

I would like to see an example of such a script.


--
With best regards,
Andrey Repin
Tuesday, April 21, 2015 16:53:09

Sorry for my terrible english...

Klaus Hartnegg

Apr 21, 2015, 11:23:22 AM
On 20.04.2015 at 20:56, Andrey Repin wrote:
> Note: If you do not need to map share to a disk (and I strongly suggest to NOT
> map, as this creates additional easy vector of attack for various malware),
> you can just

I found scripts to run more than 10 times slower when this is done.