VigneshDhanraj G
2019-Sep-25 12:17 UTC
[Samba] In mac guest user is not working when AD connected - samba 4.9.3
Hi Andrew,

If I give register user as vignesh/guest, it's working fine. While selecting the Guest radio button, guest user is not working.

Guest user is working fine without AD connection.

Kindly do the needful.

Thanks,
Vignesh.

On Wed, Sep 25, 2019 at 4:28 PM Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2019-09-25 at 16:24 +0530, VigneshDhanraj G via samba wrote:
> > Hi Team,
> >
> > I have configured server signing as mandatory in smb.conf. After
> > configured, guest user is not working when AD is connected.
> >
> > In mac while connecting to samba if I give register user as vignesh/guest,
> > guest user is working. But if I click Guest radio button, guest user is not
> > working.
>
> server signing as mandatory makes no sense with a guest connection,
> where there is no password with which to secure the session.
>
> You need to decide on one or the other.
>
> I hope this clarifies things,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Rowland penny
2019-Sep-25 13:26 UTC
[Samba] In mac guest user is not working when AD connected - samba 4.9.3
On 25/09/2019 13:17, VigneshDhanraj G via samba wrote:

> Hi Andrew,
>
> If I give register user as vignesh/guest, it's working fine. While selecting
> the Guest radio button, guest user is not working.
>
> Guest user is working fine without AD connection.

Andrew said:

server signing as mandatory makes no sense with a guest connection, where there is no password with which to secure the session.

Which is okay as far as it goes.

Your client seems to be using SMBv2:

[2019/09/25 15:01:46.695622, 5]../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu) signed SMB2 message

And 'man smb.conf' has this to say about 'server signing':

This controls whether the client is allowed or required to use SMB1 and SMB2 signing. Possible values are default, auto, mandatory and disabled.

By default, and when smb signing is set to default, smb signing is required when server role is active directory domain controller and disabled otherwise.

For the SMB2 protocol, by design, signing cannot be disabled. In the case where SMB2 is negotiated, if this parameter is set to disabled, it will be treated as auto. Setting it to mandatory will still require SMB2 clients to use signing.

Default: server signing = default

So, for SMBv2 you can only use 'default', 'auto' or 'mandatory'.

As your computer is not a DC, 'default' means 'disabled' and, as you are using SMBv2, if 'server signing' is set to 'default', it will be treated as 'auto', so really, you can only use 'auto' or 'mandatory'.

'auto' will attempt to use signing and 'mandatory' will insist on using signing.

So, from my point of view, it doesn't seem to matter what you set it to, your client is trying to use it, so Samba will attempt to use it.

I actually think that you do not fully understand how guest access on Samba works ;-)

You have this line in smb.conf:

map to guest= Bad User

What this means is that any unknown user is mapped to the Samba guest user (typically the user 'nobody'), you are connecting as 'vignesh/guest' and as your workgroup is 'GHANA' this user will be unknown to Samba and will be mapped to the guest user before it gets anywhere near any shares (which, incidentally, you haven't shown us) and if you have 'guest ok = yes' set in a share, then the guest user will be allowed access.

You seem to think you can connect as the user 'vignesh/guest' and be allowed access as the same user, this will never work.

Your smb.conf seems to be set up using a mixture of the old ways of doing things and the current way of doing things, can I suggest you use this smb.conf:

[Global]
Workgroup= GNANA
realm= GNANA.COM
security= ADS
netbios name= px4-400d
server string= Test

idmap config * : backend= tdb
idmap config * : range = 5000-9999999
idmap config GNANA : backend= rid
idmap config GNANA : range= 10000000-19999999

dns proxy= no
inherit acls= yes

winbind separator= \\
winbind offline logon= true
template shell= /bin/sh
kerberos method= secrets and keytab
map to guest= Bad User
printcap name= lpstat

ntlm auth= Yes

Rowland
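An added example, not part of the original thread and not Samba code: a small checker that applies the 'server signing' rules from the man page excerpt above to an SMB2 session and flags the combination Andrew describes (mandatory signing together with guest access). The sample smb.conf, the share name 'guestshare' and all function names are constructed for illustration, and the server role is read only from an explicit 'server role' line, which is a simplification.

```python
import re

# Constructed sample: the posted [Global] values plus a hypothetical guest share.
SAMPLE = """
[Global]
  Workgroup= GNANA
  security= ADS
  server signing = mandatory
  map to guest= Bad User
[guestshare]
  guest ok = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {parameter: value}}, names lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # ignore case and extra spaces
            conf[section][key] = value.strip()
    return conf

def effective_smb2_signing(setting, is_ad_dc):
    """Resolve 'server signing' for SMB2 as the quoted man page describes."""
    setting = setting.lower()
    if setting == "default":
        setting = "mandatory" if is_ad_dc else "disabled"
    if setting == "disabled":  # SMB2 signing cannot be disabled
        setting = "auto"
    return setting

def audit(text):
    """Return (effective SMB2 signing, guest shares, conflict flag)."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    is_dc = g.get("server role", "").lower() == "active directory domain controller"
    signing = effective_smb2_signing(g.get("server signing", "default"), is_dc)
    guest_mapped = g.get("map to guest", "never").lower() != "never"
    guest_shares = sorted(n for n, p in conf.items() if n != "global" and
                          p.get("guest ok", "no").lower() in ("yes", "true", "1"))
    # Mandatory signing plus guest access: no password to secure the session.
    return signing, guest_shares, signing == "mandatory" and (guest_mapped or bool(guest_shares))
```
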
VigneshDhanraj G
2019-Sep-26 09:21 UTC
[Samba] In mac guest user is not working when AD connected - samba 4.9.3
Hi,

Thanks for your reply. Is there any way to avoid signing only for AD guest user?

Thanks,
Rajalakshmi S.

On Wed, Sep 25, 2019 at 6:57 PM Rowland penny via samba <samba at lists.samba.org> wrote:

> On 25/09/2019 13:17, VigneshDhanraj G via samba wrote:
> > Hi Andrew,
> >
> > If I give register user as vignesh/guest, it's working fine. While selecting
> > the Guest radio button, guest user is not working.
> >
> > Guest user is working fine without AD connection.
>
> Andrew said:
>
> server signing as mandatory makes no sense with a guest connection,
> where there is no password with which to secure the session.
>
> Which is okay as far as it goes.
>
> Your client seems to be using SMBv2:
>
> [2019/09/25 15:01:46.695622, 5]../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu) signed SMB2 message
>
> And 'man smb.conf' has this to say about 'server signing':
>
> This controls whether the client is allowed or required to use SMB1 and
> SMB2 signing. Possible values are default, auto, mandatory and disabled.
>
> By default, and when smb signing is set to default, smb signing is
> required when server role is active directory domain controller and
> disabled otherwise.
>
> For the SMB2 protocol, by design, signing cannot be disabled. In the
> case where SMB2 is negotiated, if this parameter is set to disabled, it
> will be treated as auto. Setting it to mandatory will still require SMB2
> clients to use signing.
>
> Default: server signing = default
>
> So, for SMBv2 you can only use 'default', 'auto' or 'mandatory'
>
> As your computer is not a DC, 'default' means 'disabled' and, as you are
> using SMBv2, if 'server signing' is set to 'default', it will be treated
> as 'auto', so really, you can only use 'auto' or Mandatory.
>
> 'auto' will attempt to use signing and 'mandatory' will insist on using
> signing.
>
> So, from my point of view, it doesn't seem to matter what you set it to,
> your client is trying to use it, so Samba will attempt to use it.
>
> I actually think that you do not fully understand how guest access on
> Samba works ;-)
>
> You have this line in smb.conf:
>
> map to guest= Bad User
>
> What this means is that any unknown user is mapped to the Samba guest
> user (typically the user 'nobody'), you are connecting as
> 'vignesh/guest' and as your workgroup is 'GHANA' this user will be
> unknown to Samba and will be mapped to the guest user before it gets
> anywhere near any shares (which, incidentally, you haven't shown us) and
> if you have 'guest ok = yes' set in a share, then the guest user will be
> allowed access.
>
> You seem to think you can connect as the user 'vignesh/guest' and be
> allowed access as the same user, this will never work.
>
> Your smb.conf seems to be set up using a mixture of the old ways of
> doing things and the current way of doing things, can I suggest you use
> this smb.conf:
>
> [Global]
> Workgroup= GNANA
> realm= GNANA.COM
> security= ADS
> netbios name= px4-400d
> server string= Test
>
> idmap config * : backend= tdb
> idmap config * : range = 5000-9999999
> idmap config GNANA : backend= rid
> idmap config GNANA : range= 10000000-19999999
>
> dns proxy= no
> inherit acls= yes
>
> winbind separator= \\
> winbind offline logon= true
> template shell= /bin/sh
> kerberos method= secrets and keytab
> map to guest= Bad User
> printcap name= lpstat
>
> ntlm auth= Yes
>
> Rowland