Forgot to cc list. Sorry.

Sent via mobile
Begin forwarded message:

> From: Mark Casey <ma...@unifiedgroup.com>
> Date: December 12, 2011 1:25:34 PM CST
> To: Dale Schroeder <d...@briannassaladdressing.com>
> Subject: Re: [Samba] Upgraded samba, mostly still works, but have one issue
>
> Dale,
>
> That fixed it. Thanks very much for your time in looking at this issue! That
> leads to another question though. I don't get why 'winbind use default
> domain' did not cover the issue, since I have it set to yes. I assumed I
> could leave off the "DOMAIN\" portion and it would add it for me... but more
> specifically, even using DOMAIN\camera wouldn't work. I should clarify though
> that nowhere in my config am I actually typing "DOMAIN\"; I'm only swapping
> that in on the mailing list as a redaction. When I tried the fully
> qualified user account in the IP camera's config, the domain matched the one
> that this samba server is joined to.
>
> I did note this part in smb.conf's man page about 'winbind use default
> domain':
> "While this does not benefit Windows users, it makes SSH, FTP and e-mail
> function in a way much closer to the way they would in a native unix system."
>
> This would all make more sense if that line means that 'winbind use default
> domain' excludes not only Windows users but all smb/cifs authentication
> attempts. Then it wouldn't apply to the IP cameras at all. However, even if
> that were the case I still can't explain the failure when I tried the user
> DOMAIN\camera.
>
> Would you (or anyone) be able to provide any insight? Regardless, thanks
> again for your help thus far, as I can now get this out of the urgent section
> of my list!
>
> Thank you,
> Mark
>
>
> On 12/12/2011 12:23 PM, Dale Schroeder wrote:
>>
>> On 12/12/2011 10:14 AM, Mark Casey wrote:
>>>
>>> Hello list,
>>>
>>> I recently upgraded an Ubuntu 8.04 LTS samba server to 10.04 LTS, which took
>>> the installed version of samba from version 3.0.28a to version 3.4.7. The
>>> server is an AD member using idmap-rid. I have updated the idmap directives
>>> in the config and it mostly worked (winbind works, Windows users can get to
>>> their shares with their correct permissions, etc.). The only thing that got
>>> broken is the ability of our IP security cameras to store data directly to
>>> the server through samba. I believe this may have been caused by a change
>>> to a default setting, such as the allowed authentication methods or
>>> possibly something like 'allow trusted domains', since these cameras are
>>> not capable of actually joining the domain. I've looked at some of the
>>> in-between release notes but no changes have jumped out at me.
>>>
>>> The cameras are configured to connect to the given smb/cifs server and
>>> share (which exists and can be mapped from Windows if you use the right
>>> user). The share ('camshare') has share-level permissions set such that
>>> DOMAIN\camera should have full access. I have winbind set to use the
>>> default domain, so the cameras are configured to connect as 'camera' instead
>>> of 'DOMAIN\camera' (but I've tried both anyway, to no avail). I have
>>> checked the password on the 'camera' account repeatedly.
>>>
>>> However, you can see that something isn't right when the cameras try to
>>> mount the share:
>>>> root@server:~# tail -f /var/log/samba/log.smbd | grep camera
>>>> check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> check_ntlm_password: Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
>>>
>>> If I use that username with the password when mapping the share
>>> from Win7, it works and the correct permissions are there.
>>>
>>> Here is the smb.conf:
>>>> [global]
>>>> server string = File Server
>>>> workgroup = DOMAIN
>>>> realm = DOMAIN.COM
>>>> security = ADS
>>>> password server = *
>>>> #password server = dc1.domain.com
>>>> username map = /etc/samba/smbusers
>>>> obey pam restrictions = Yes
>>>> enable privileges = Yes
>>>> map to guest = Bad User
>>>> client NTLMv2 auth = Yes
>>>> log level = 2, vfs:1
>>>> syslog = 0
>>>> max log size = 0
>>>> load printers = No
>>>> preferred master = No
>>>> local master = No
>>>> domain master = No
>>>> dns proxy = No
>>>> disable netbios = yes
>>>> ldap ssl = no
>>>> host msdfs = No
>>>> template shell = /bin/false
>>>> winbind enum users = Yes
>>>> winbind enum groups = Yes
>>>> winbind use default domain = Yes
>>>> winbind refresh tickets = Yes
>>>>
>>>> idmap backend = tdb
>>>> idmap uid = 100000-199999
>>>> idmap gid = 100000-199999
>>>> idmap config DOMAIN:backend = rid
>>>> idmap config DOMAIN:range = 100000 - 500000
>>>> idmap config DOMAIN:default = yes
>>>>
>>>> hosts allow = 10.0.1.0/255.255.255.0 10.1.1.0/255.255.255.0 10.2.0.0/255.255.255.0 10.0.8.0/255.255.255.0 10.1.8.0/255.255.255.0 10.2.8.0/255.255.255.0 172.10.0.0/255.255.255.0 172.11.0.0/255.255.255.0
>>>> map acl inherit = No
>>>> hide special files = Yes
>>>> map archive = No
>>>> map readonly = No
>>>> map system = No
>>>> map hidden = No
>>>> force create mode = 707
>>>> force directory mode = 707
>>>> ea support = No
>>>> store dos attributes = No
>>>> wide links = No
>>>> follow symlinks = No
>>>> dos filemode = No
>>>> add share command = /etc/samba/command.pl
>>>> delete share command = /etc/samba/command.pl
>>>> change share command = /etc/samba/command.pl
>>>>
>>>> [camshare]
>>>> comment = Camera data share
>>>> path = /home/camshare
>>>> read only = No
>>>> writeable = Yes
>>>> inherit owner = Yes
>>>> guest ok = No
>>>>
>>>> [mainshare]
>>>> comment = Main Fileshare
>>>> path = /home/mainshare
>>>> read only = No
>>>> writeable = Yes
>>>> inherit owner = Yes
>>>> guest ok = Yes
>>>>
>>>> vfs objects = recycle extd_audit
>>>> recycle:repository = Recycle Bin
>>>> recycle:directory_mode = 707
>>>> recycle:keeptree = yes
>>>> recycle:versions = no
>>>> recycle:touch = yes
>>>> recycle:touch_mtime = no
>>>> recycle:maxsize = 209715200
>>>> recycle:exclude = *.tmp *.temp ~$* *.~??
>>>
>>> I've left off some other shares that don't seem relevant.
>>>
>>> I can provide other info and/or more logs if needed. Thanks in advance for
>>> any assistance you may be able to provide.
>>>
>>> Thank you,
>>> Mark
>>
>>
>> Mark,
>>
>> Try adding the parameter "map untrusted to domain = Yes"
>>
>> map untrusted to domain (G)
>>
>> If a client connects to smbd using an untrusted domain name, such as
>> BOGUS\user, smbd replaces the BOGUS domain with its SAM name before
>> attempting to authenticate that user. In the case where smbd is acting as a
>> PDC this will be DOMAIN\user. In the case where smbd is acting as a domain
>> member server or a standalone server this will be WORKSTATION\user.
>>
>> In previous versions of Samba (pre 3.4), if smbd was acting as a domain
>> member server, the BOGUS domain name would instead be replaced by the
>> primary domain which smbd was a member of. In this case authentication would
>> be deferred off to a DC using the credentials DOMAIN\user.
>>
>> When this parameter is set to yes smbd provides the legacy behavior of
>> mapping untrusted domain names to the primary domain. When
>> smbd is not acting as a domain member server, this parameter has no effect.
>>
>> Default: map untrusted to domain = no
>>
>>
>> Dale
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
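As an added example, not part of the thread and not Samba's own tooling: a POSIX shell script that does the two things a practitioner would do when triaging this kind of report. It summarises 'check_ntlm_password ... FAILED' lines of the form Mark posted, grouped by the user name the client sent and the NT status, and it reads the [global] section of an smb.conf to tell whether 'map untrusted to domain' is set, comparing a fragment with the parameter absent (as in Mark's config, so the 3.4 default of no applies) against one carrying Dale's fix. The log lines, the config fragments and the function names (summarize_failures, global_param, untrusted_domain_mapped) are all constructed for this example.

```shell
#!/bin/sh
# Added example for the thread above; not code from the Samba project.
# Two helpers: one summarises smbd authentication failures of the kind
# shown in the thread, the other checks an smb.conf [global] section for
# the parameter Dale suggested. All sample data below is constructed.

# Constructed smbd log excerpt (log level 2). The NT_STATUS_WRONG_PASSWORD
# line is invented to show that the summary keeps status codes apart.
SAMPLE_LOG='check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [camera] -> [camera] FAILED with error NT_STATUS_NO_SUCH_USER
check_ntlm_password:  Authentication for user [DOMAIN\camera] -> [camera] FAILED with error NT_STATUS_WRONG_PASSWORD'

# summarize_failures: read smbd log text on stdin and print one line per
# "<user as sent by client> <NT status> <count>", sorted.  Only message
# lines are matched, so the "[date, level] file:line" header lines that
# smbd writes above each message are ignored.
summarize_failures() {
    grep 'check_ntlm_password:.*FAILED with error' \
    | sed -n 's/.*Authentication for user \[\([^]]*\)].*FAILED with error \([A-Z_]*\).*/\1 \2/p' \
    | LC_ALL=C sort | uniq -c \
    | awk '{ print $2, $3, $1 }'
}

# global_param <smb.conf text> <parameter name>: print the value set in
# [global], or nothing if unset.  Samba matches parameter names
# case-insensitively and ignores blanks inside them, so both sides are
# normalised the same way before comparing.  Share sections are skipped,
# which matters for a (G) parameter like this one.
global_param() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v want="$want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (tolower(name) == want) {
                value = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                print value
            }
        }'
}

# untrusted_domain_mapped <smb.conf text>: succeed (0) when the config
# restores the pre-3.4 behaviour of mapping an unknown domain name to the
# primary domain, fail (1) when Samba 3.4's default of "no" applies.
untrusted_domain_mapped() {
    case "$(global_param "$1" 'map untrusted to domain' | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed fragments: the first has the parameter absent, as in the
# posted config; the second adds Dale's suggested line to [global].
CONF_BEFORE='[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ADS
   winbind use default domain = Yes

[camshare]
   path = /home/camshare
   read only = No'

CONF_AFTER='[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   security = ADS
   winbind use default domain = Yes
   map untrusted to domain = Yes

[camshare]
   path = /home/camshare
   read only = No'

printf '%s\n' "$SAMPLE_LOG" | summarize_failures
untrusted_domain_mapped "$CONF_BEFORE" && echo "before: untrusted domain names are mapped" \
    || echo "before: untrusted domain names are NOT mapped (Samba 3.4 default)"
untrusted_domain_mapped "$CONF_AFTER" && echo "after: untrusted domain names are mapped" \
    || echo "after: untrusted domain names are NOT mapped"
```

On a real server, replace the constructed SAMPLE_LOG with the contents of /var/log/samba/log.smbd and CONF_BEFORE with the output of "cat /etc/samba/smb.conf"; the parameter is only honoured in [global], which is why global_param stops looking once it leaves that section.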