On 12/12/2011 10:14 AM, Mark Casey wrote:
Hello list,

I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS which took the installed version of samba from version 3.0.28a to version 3.4.7. The server is an AD member using idmap-rid. I have updated the idmap directives in the config and it mostly worked (winbind works, Windows users can get to their shares with their correct permissions, etc.). The only thing that got broken is the ability of our IP security cameras to store data directly to the server through samba. I believe this may have been caused by a change to a default setting, such as the allowed authentication methods or possibly something like 'allow trusted domains', since these cameras are not capable of actually joining the domain. I've looked at some of the in-between release notes but no changes have jumped out at me.

The cameras are configured to connect to the given smb/cifs server and share (which exists and can be mapped from Windows if you use the right user). The share ('camshare') has share-level permissions set such that DOMAIN\camera should have full access. I have winbind set to use the default domain so the cameras are configured to connect as 'camera' instead of 'DOMAIN\camera' (but I've tried both anyway, to no avail). I have checked the password on the 'camera' account repeatedly.

However you can see that something isn't right when the cameras try to mount the share:
root@server:~# tail -f /var/log/samba/log.smbd | grep camera
check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER

If I use that username with the password when mapping the share from Win7, it works and the correct permissions are there.

Here is the smb.conf:
[global]
        server string = File Server
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        password server = *
        #password server = dc1.domain.com
        username map = /etc/samba/smbusers
        obey pam restrictions = Yes
        enable privileges = Yes
        map to guest = Bad User
        client NTLMv2 auth = Yes
        log level = 2, vfs:1
        syslog = 0
        max log size = 0
        load printers = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        disable netbios = yes
        ldap ssl = no
        host msdfs = No
        template shell = /bin/false
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes

        idmap backend = tdb
        idmap uid = 100000-199999
        idmap gid = 100000-199999
        idmap config DOMAIN:backend = rid
        idmap config DOMAIN:range = 100000 - 500000
        idmap config DOMAIN:default = yes

        hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 10.1.8.0/255.255.255.0 10.2.8.0/255.255.255.0 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0
        map acl inherit = No
        hide special files = Yes
        map archive = No
        map readonly = No
        map system = No
        map hidden = No
        force create mode = 707
        force directory mode = 707
        ea support = No
        store dos attributes = No
        wide links = No
        follow symlinks = No
        dos filemode = No
        add share command=/etc/samba/command.pl
        delete share command=/etc/samba/command.pl
        change share command=/etc/samba/command.pl

[camshare]
        comment = Camera data share
        path = /home/camshare
        read only = No
        writeable = Yes
        inherit owner = Yes
        guest ok = No

[mainshare]
        comment = Main Fileshare
        path = /home/mainshare
        read only = No
        writeable = Yes
        inherit owner = Yes
        guest ok = Yes

        vfs objects = recycle extd_audit
        recycle:repository = Recycle Bin
        recycle:directory_mode = 707
        recycle:keeptree = yes
        recycle:versions = no
        recycle:touch = yes
        recycle:touch_mtime = no
        recycle:maxsize = 209715200
        recycle:exclude = *.tmp *.temp ~$* *.~??

I've left off some other shares that don't seem relevant.

I can provide other info and or more logs if needed. Thanks in advance for any assistance you may be able to provide.

Thank you,
Mark


Mark,

Try adding the parameter "map untrusted to domain = Yes"


     map untrusted to domain (G)

   If a client connects to smbd using an untrusted domain name, such as
   BOGUS\user, smbd replaces the BOGUS domain with its SAM name before
   attempting to authenticate that user. In the case where smbd is
   acting as a PDC this will be DOMAIN\user. In the case where smbd is
   acting as a domain member server or a standalone server this will be
   WORKSTATION\user.

   In previous versions of Samba (pre 3.4), if smbd was acting as a
   domain member server, the BOGUS domain name would instead be
   replaced by the primary domain which smbd was a member of. In this
   case authentication would be deferred off to a DC using the
   credentials DOMAIN\user.

   When this parameter is set to yes smbd provides the legacy
   behavior of mapping untrusted domain names to the primary domain.
   When smbd is not acting as a domain member server, this parameter
   has no effect.

   Default: map untrusted to domain = no


Dale
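The domain-rewrite rule quoted from the manpage above, written out as a small model so the 3.4 change is easy to trace. This is an added illustration for this thread, not Samba's code; the role names, the CAM01 client hostname and the account lists are assumptions.

```python
# Model of how smbd rewrites the domain part of CLIENT_DOMAIN\user before
# authenticating, following the "map untrusted to domain" manpage text.
# Illustration only (not Samba source); roles, names and user lists assumed.
from dataclasses import dataclass, field


@dataclass
class Smbd:
    role: str                      # "pdc", "member" or "standalone"
    primary_domain: str            # domain smbd is joined to (workgroup =)
    netbios_name: str              # smbd's own SAM name (WORKSTATION)
    trusted: set = field(default_factory=set)        # trust partners winbind knows
    map_untrusted_to_domain: bool = False            # the smb.conf parameter
    local_users: set = field(default_factory=set)    # accounts in the local SAM
    domain_users: set = field(default_factory=set)   # accounts the DC knows


def auth_domain(s: Smbd, client_domain: str) -> str:
    """Domain smbd substitutes before authenticating CLIENT_DOMAIN\\user."""
    d = client_domain.upper()
    if d == s.primary_domain.upper() or d in {t.upper() for t in s.trusted}:
        return d                                  # trusted: used unchanged
    if s.role == "pdc":
        return s.primary_domain.upper()           # PDC: its SAM is the domain SAM
    if s.role == "member" and s.map_untrusted_to_domain:
        return s.primary_domain.upper()           # legacy (pre-3.4) behaviour
    return s.netbios_name.upper()                 # 3.4+: server's own SAM


def check_user(s: Smbd, client_domain: str, user: str) -> str:
    """Where the lookup goes after the rewrite, and whether the account is there."""
    d = auth_domain(s, client_domain)
    if d == s.netbios_name.upper():               # local SAM of the member server
        return "LOCAL:" + ("OK" if user in s.local_users else "NO_SUCH_USER")
    return "DC:" + ("OK" if user in s.domain_users else "NO_SUCH_USER")


if __name__ == "__main__":
    # Assumed setup: member server SERVER in DOMAIN, 'camera' exists only on the DC,
    # and the camera presents its own hostname CAM01 as the domain.
    server = Smbd("member", "DOMAIN", "SERVER", domain_users={"camera"})
    print(check_user(server, "CAM01", "camera"))       # 3.4 default: LOCAL:NO_SUCH_USER
    server.map_untrusted_to_domain = True
    print(check_user(server, "CAM01", "camera"))       # with the parameter: DC:OK
```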