Access only by NETBIOS\user

I’m testing the tool… I have a question for you… When I upgrade a server with NethServer 6 (domain controller with NetBIOS name) I configure a local AD to use it in NethServer 7.
Is SMB access on NS7 possible only with NETBIOS\user or also with user@DOMAIN.EXT?

Because if I install a clean NS7 with local AD I can also access with @DOMAIN.EXT, but if I migrate a machine I can access only by NETBIOS\user…

Thank you for your help.

:thinking: it sounds strange: I don’t have this limitation on my NethServer 7 …and it has been upgraded from NethServer 6!

Anyway, the in-place upgrade does the same as the other upgrade paths. Apart from possible bugs, the final result must be the same.

Yes, but my final users prefer to use their email… I can retry to update the machine.
Can the NetBIOS name be different from the domain name?

You can change the netbios domain name in ns6, but not in ns7.

Also in ns6, if you run a PDC you have to re-join all the domain clients if you change the domain name.

That’s not necessarily an email. That is the userPrincipalName value: NethServer sets it to the user name + the server domain name (which could be different from the AD domain).

For instance:

User names

AD should allow also username1@ad.example.com (but should be verified)

See also

http://docs.nethserver.org/en/v7/accounts.html#credentials-for-services

Ok. I will retry to migrate my machine (it’s a virtual machine) and I will update you. Thank you.

1 Like

I’ve migrated the machine.

If I try to log in with NETBIOS\user it’s all OK. In /var/log/messages:

Nov 22 18:50:36 mailold systemd: Created slice User Slice of user@domain.ext.
Nov 22 18:50:36 mailold systemd: Starting User Slice of user@domain.ext.
Nov 22 18:50:36 mailold systemd: Started Session c1 of user user@domain.ext.
Nov 22 18:50:36 mailold systemd-logind: New session c1 of user user@domain.ext.
Nov 22 18:50:36 mailold systemd: Starting Session c1 of user user@domain.ext.

If I try to log in with user@domain.ext it doesn’t work, and in /var/log/messages I get:

Nov 22 18:48:26 mailold smbd[20596]: domain_client_validate: unable to validate password for user user@domain.ext in domain to Domain controller NSDC-MAILOLD.AD.DOMAIN.EXT. Error was NT_STATUS_NO_SUCH_USER.

It seems samba cannot map the domain suffix correctly. Could you try with smbclient?

 smbclient -U user@domain.ext //host/share
 smbclient -U user@ad.domain.ext //host/share
 smbclient -U NETBIOS\\user //host/share
  1. tree connect failed: NT_STATUS_ACCESS_DENIED

  2. It works

  3. session setup failed: NT_STATUS_NO_LOGON_SERVERS

But if I try with this mode (third mode) in Windows smb it works

I’m going by memory now: maybe it never worked… Anyway there can be good news with ns 7.6 soon /cc @nrauso

Double check the command bash syntax: if it works from Windows I’d expect the same with smbclient

I was probably wrong here… Let me verify it!

Can anybody confirm?

On another server, clean installation of NS7 users can access with user@domain.ext

I suspect this issue can be related to this bug, even if we are still with 7.5 here… /cc @giacomo @dz00te

If you aren’t in a hurry we could find a fix soon

2 Likes

Can downgrading the samba version be a solution?

What is your current samba version?

4.7.1
It’s the same that I have on the other server, which is working…

Please check if there’s a duplicated SID; run this command:

 net getdomainsid

Check if the two lines have the same SID number. If so run the following commands, replacing X-Y-(Z+1) with your numbers:

net setlocalsid S-1-5-21-X-Y-(Z+1)

Set a new unique SID number: you can increment by one (Z+1). For instance if the local sid was S-1-5-21-1000-2000-3000 run

net setlocalsid S-1-5-21-1000-2000-3001

Then

net cache flush
systemctl restart smbd

I re-read the docs again:

http://docs.nethserver.org/en/v7/shared_folder.html#network-access

It does not say the user@domain is allowed to access a samba share. I think this limitation is caused by a bug or a wrong configuration. As said this bug can be fixed in NethServer 7.6: we’re working on that.

2 Likes
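The duplicated-SID check from the steps above, as an added example that is not part of the original thread: a small shell helper that parses the two lines printed by `net getdomainsid`, reports whether the local and domain SIDs collide, and prints the incremented (Z+1) value to pass to `net setlocalsid`. The sample output, the host name MAILOLD and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the two SIDs that
# `net getdomainsid` prints and suggest the Z+1 value when they collide.

# Constructed sample in the two-line format of `net getdomainsid`.
SAMPLE_OUTPUT='SID for local machine MAILOLD is: S-1-5-21-1000-2000-3000
SID for domain NETBIOS is: S-1-5-21-1000-2000-3000'

# extract_sid KIND TEXT: print the SID on the "SID for KIND ..." line.
# KIND is "local machine" or "domain".
extract_sid() {
    printf '%s\n' "$2" |
        sed -n "s/^SID for $1 .* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# next_sid SID: print SID with its last sub-authority incremented (Z+1).
# Sub-authorities are 32-bit, so refuse to go past 4294967295.
next_sid() {
    ns_prefix=${1%-*}
    ns_last=${1##*-}
    if [ "$ns_last" -ge 4294967295 ]; then
        echo "cannot increment $1" >&2
        return 1
    fi
    printf '%s-%s\n' "$ns_prefix" "$(($ns_last + 1))"
}

# check_sids TEXT: print "duplicate <new-local-sid>", "ok" or "unparsed".
check_sids() {
    cs_local=$(extract_sid "local machine" "$1")
    cs_domain=$(extract_sid "domain" "$1")
    if [ -z "$cs_local" ] || [ -z "$cs_domain" ]; then
        echo "unparsed"
        return 2
    fi
    if [ "$cs_local" = "$cs_domain" ]; then
        echo "duplicate $(next_sid "$cs_local")"
    else
        echo "ok"
    fi
}

# Runs on the constructed sample; on a server use: check_sids "$(net getdomainsid)"
check_sids "$SAMPLE_OUTPUT"
```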

Yes, SIDs were duplicated. I’ve changed the local SID number, but I still can’t access with user@domain.ext. Is it not possible to add domain.ext as an alias of ad.domain.ext?

net cache flush
systemctl restart smbd

Did you run them?

I’m working on the fix for 7.6. Probably it will not be backported, but I verified your issue is solved there.

@dz00te, we could add “access as user@domain.ext and user@ad.domain.ext” to our tests list!

1 Like

Yes, I ran them. It doesn’t work.

Is there no solution for that without upgrading to 7.6? I can’t understand why it works on another server (7.5 NS)…
What can I verify again?