Forgot to cc list. Sorry

Sent via mobile

Begin forwarded message:

> From: Mark Casey <ma...@unifiedgroup.com>
> Date: December 12, 2011 1:25:34 PM CST
> To: Dale Schroeder <d...@briannassaladdressing.com>
> Subject: Re: [Samba] Upgraded samba, mostly still works, but have one issue
> 

> Dale,
> 
> That fixed it. Thanks very much for your time in looking at this issue! That 
> leads to another question though. I don't get why 'winbind use default 
> domain' did not cover the issue, since I have it set to yes. I assumed I 
> could leave off the "DOMAIN\" portion and it would add it for me...but more 
> specifically, even using DOMAIN\camera wouldn't work. I should clarify though 
> that nowhere in my config am I actually typing "DOMAIN\"; I'm only swapping 
> that in on the mailing list as a redaction. When I tried the fully 
> qualified user account in the IP camera's config the domain matched the one 
> that this samba server is joined to.
> 
> I did note this part in smb.conf's man page about 'winbind use default 
> domain':
> "While this does not benefit Windows users, it makes SSH, FTP and e-mail 
> function in a way much closer to the way they would in a native unix system."
> 
> This would all make more sense if that line means that 'winbind use default 
> domain' excludes not only Windows users but all smb/cifs authentication 
> attempts. Then, it wouldn't apply to the IP cameras at all. However even if 
> that were the case I still can't explain the failure when I tried the user 
> DOMAIN\camera.
> 
> Would you (or anyone) be able to provide any insight? Regardless, thanks 
> again for your help thus far as I can now get this out of the urgent section 
> of my list!
> 
> Thank you,
> Mark
> 
> 
> On 12/12/2011 12:23 PM, Dale Schroeder wrote:
>> 
>> On 12/12/2011 10:14 AM, Mark Casey wrote:
>>> 
>>> Hello list, 
>>> 
>>> I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS which took 
>>> the installed version of samba from version 3.0.28a to version 3.4.7. The 
>>> server is an AD member using idmap-rid. I have updated the idmap directives 
>>> in the config and it mostly worked (winbind works, Windows users can get to 
>>> their shares with their correct permissions, etc.). The only thing that got 
>>> broken is the ability of our IP security cameras to store data directly to 
>>> the server through samba. I believe this may have been caused by a change 
>>> to a default setting, such as the allowed authentication methods or 
>>> possibly something like 'allow trusted domains', since these cameras are 
>>> not capable of actually joining the domain. I've looked at some of the 
>>> in-between release notes but no changes have jumped out at me. 
>>> 
>>> The cameras are configured to connect to the given smb/cifs server and 
>>> share (which exists and can be mapped from Windows if you use the right 
>>> user). The share ('camshare') has share-level permissions set such that 
>>> DOMAIN\camera should have full access. I have winbind set to use the 
>>> default domain so the cameras are configured to connect as 'camera' instead 
>>> of 'DOMAIN\camera' (but I've tried both anyway, to no avail). I have 
>>> checked the password on the 'camera' account repeatedly. 
>>> 
>>> However you can see that something isn't right when the cameras try to 
>>> mount the share: 
>>>> root@server:~# tail -f /var/log/samba/log.smbd | grep camera 
>>>>   check_ntlm_password:  Authentication for user [camera] -> [camera] 
>>>> FAILED with error NT_STATUS_NO_SUCH_USER 
>>>>   check_ntlm_password:  Authentication for user [camera] -> [camera] 
>>>> FAILED with error NT_STATUS_NO_SUCH_USER 
>>>>   check_ntlm_password:  Authentication for user [camera] -> [camera] 
>>>> FAILED with error NT_STATUS_NO_SUCH_USER 
>>> 
>>> If I use that username with the password when mapping the share 
>>> from Win7, it works and the correct permissions are there. 
>>> 
>>> Here is the smb.conf: 
>>>> [global] 
>>>>         server string = File Server 
>>>>         workgroup = DOMAIN 
>>>>         realm = DOMAIN.COM 
>>>>         security = ADS 
>>>>         password server = * 
>>>>         #password server = dc1.domain.com 
>>>>         username map = /etc/samba/smbusers 
>>>>         obey pam restrictions = Yes 
>>>>         enable privileges = Yes 
>>>>         map to guest = Bad User 
>>>>         client NTLMv2 auth = Yes 
>>>>         log level = 2, vfs:1 
>>>>         syslog = 0 
>>>>         max log size = 0 
>>>>         load printers = No 
>>>>         preferred master = No 
>>>>         local master = No 
>>>>         domain master = No 
>>>>         dns proxy = No 
>>>>         disable netbios = yes 
>>>>         ldap ssl = no 
>>>>         host msdfs = No 
>>>>         template shell = /bin/false 
>>>>         winbind enum users = Yes 
>>>>         winbind enum groups = Yes 
>>>>         winbind use default domain = Yes 
>>>>         winbind refresh tickets = Yes 
>>>> 
>>>>         idmap backend = tdb 
>>>>         idmap uid = 100000-199999 
>>>>         idmap gid = 100000-199999 
>>>>         idmap config DOMAIN:backend = rid 
>>>>         idmap config DOMAIN:range = 100000 - 500000 
>>>>         idmap config DOMAIN:default = yes 
>>>> 
>>>>         hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 
>>>> 10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 10.1.8.0/255.255.255.0 
>>>> 10.2.8.0/255.255.255.0 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0 
>>>>         map acl inherit = No 
>>>>         hide special files = Yes 
>>>>         map archive = No 
>>>>         map readonly = No 
>>>>         map system = No 
>>>>         map hidden = No 
>>>>         force create mode = 707 
>>>>         force directory mode = 707 
>>>>         ea support = No 
>>>>         store dos attributes = No 
>>>>         wide links = No 
>>>>         follow symlinks = No 
>>>>         dos filemode = No 
>>>>         add share command=/etc/samba/command.pl 
>>>>         delete share command=/etc/samba/command.pl 
>>>>         change share command=/etc/samba/command.pl 
>>>> 
>>>> [camshare] 
>>>>         comment = Camera data share 
>>>>         path = /home/camshare 
>>>>         read only = No 
>>>>         writeable = Yes 
>>>>         inherit owner = Yes 
>>>>         guest ok = No 
>>>> 
>>>> [mainshare] 
>>>>         comment = Main Fileshare 
>>>>         path = /home/mainshare 
>>>>         read only = No 
>>>>         writeable = Yes 
>>>>         inherit owner = Yes 
>>>>         guest ok = Yes 
>>>> 
>>>>         vfs objects = recycle extd_audit 
>>>>         recycle:repository = Recycle Bin 
>>>>         recycle:directory_mode = 707 
>>>>         recycle:keeptree = yes 
>>>>         recycle:versions = no 
>>>>         recycle:touch = yes 
>>>>         recycle:touch_mtime = no 
>>>>         recycle:maxsize = 209715200 
>>>>         recycle:exclude = *.tmp *.temp ~$* *.~?? 
>>> 
>>> I've left off some other shares that don't seem relevant. 
>>> 
>>> I can provide other info and/or more logs if needed. Thanks in advance for 
>>> any assistance you may be able to provide. 
>>> 
>>> Thank you, 
>>> Mark 
>> 
>> 
>> Mark,
>> 
>> Try adding the parameter "map untrusted to domain = Yes"
>> 
>> map untrusted to domain (G) 
>> 
>> If a client connects to smbd using an untrusted domain name, such as 
>> BOGUS\user, smbd replaces the BOGUS domain with its SAM name before 
>> attempting to authenticate that user. In the case where smbd is acting as a 
>> PDC this will be DOMAIN\user. In the case where smbd is acting as a domain 
>> member server or a standalone server this will be WORKSTATION\user.
>> 
>> In previous versions of Samba (pre 3.4), if smbd was acting as a domain 
>> member server, the BOGUS domain name would instead be replaced by the 
>> primary domain which smbd was a member of. In this case authentication would 
>> be deferred off to a DC using the credentials DOMAIN\user.
>> 
>> When this parameter is set to yes smbd provides the legacy behavior of 
>> mapping untrusted domain names to the primary domain. When 
>> smbd is not acting as a domain member server, this parameter has no effect.
>> 
>> Default: map untrusted to domain = no
>> 
>> 
>> Dale
> 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
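
An added example, not part of the original messages: a small Python triage script for the `check_ntlm_password` failures quoted in the thread, grouping them by user and NT status so that a repeated NT_STATUS_NO_SUCH_USER on an account known to exist in AD (the symptom here, which went away after setting `map untrusted to domain = Yes`) stands out from ordinary bad-password failures. The sample log is constructed in the format shown above; the function names and the `min_count` threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the log-level-2 format quoted in the thread.
# The second entry is wrapped over two lines, as in the mailed excerpt.
SAMPLE_LOG = """\
  check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera]
FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# \s+ before FAILED lets the pattern span a wrapped line.
FAILED_RE = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[([^\]]*)\] -> \[([^\]]*)\]"
    r"\s+FAILED with error (NT_STATUS_\w+)"
)


def summarize_failures(log_text):
    """Count failures per (client-supplied name, mapped name, NT status)."""
    return Counter(m.groups() for m in FAILED_RE.finditer(log_text))


def no_such_user_accounts(failures, min_count=2):
    """Names that smbd repeatedly failed to find in the account database it searched."""
    hits = Counter()
    for (client, _mapped, status), n in failures.items():
        if status == "NT_STATUS_NO_SUCH_USER":
            hits[client] += n
    return sorted(user for user, n in hits.items() if n >= min_count)


if __name__ == "__main__":
    failures = summarize_failures(SAMPLE_LOG)
    for (client, mapped, status), n in failures.most_common():
        print(f"{n:3d}  [{client}] -> [{mapped}]  {status}")
    # Accounts listed here that do exist in AD point at a domain-mapping
    # problem rather than a wrong password.
    print("repeated NO_SUCH_USER:", no_such_user_accounts(failures))
```

To run it against a live server, pass the contents of `/var/log/samba/log.smbd` to `summarize_failures` in place of `SAMPLE_LOG`.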
