Access only by NETBIOS\user

federico.ballarini · November 22, 2018, 2:46pm

I’m testing the tool… I have a question for you… when I upgrade a server with Nethserver 6 (Domain controller with Netbios name) I configure a local AD to use it in Nethserver 7.
SMB access on NS7 is possible only with NETBIOS\user or also with user@DOMAIN.EXT?

Because if I install a clear NS7 with local AD I can access also with @DOMAIN.EXT, but if I migrate a machine I can access only by NETBIOS\user…

Thank you for help.

davidep · November 22, 2018, 2:54pm

it sounds strange: I don’t have this limitation on my NethServer 7 …and it has been upgraded from NethServer 6!

Anyway the in-place upgrade does the same of the other upgrade paths. Apart from possible bugs, the final result must be the same.

federico.ballarini · November 22, 2018, 3:11pm

Yes, but for my final users prefer to use their email… I can retry to update the machine.
Netbios name can be different form domain name?

davidep · November 22, 2018, 3:45pm

You can change the netbios domain name in ns6, but not in ns7.

Also in ns6, if you run a PDC you have to re-join all the domain clients if you change the domain name.

That’s not necessarily an email. That is the userPrincipalName value: NethServer set it to the user name + the server domain name (which could be different from the AD domain).

For instance:

NethServer FQDN: ns1.example.com
AD DNS domain/ realm: ad.example.com
Netbios domain: EXAMPLE (or whatever)

User names

EXAMPLE\username1
username1@example.com

AD should allow also username1@ad.example.com (but should be verified)

See also

http://docs.nethserver.org/en/v7/accounts.html#credentials-for-services

federico.ballarini · November 22, 2018, 3:55pm

Ok. I will retry to migrate my machine (it’s a virtual machine) and I will update you. Thank you.

federico.ballarini · November 22, 2018, 5:51pm

I’ve migrated the machine.

If i try login with NETBIOS\user it’s all ok. In /var/log/messages

Nov 22 18:50:36 mailold systemd: Created slice User Slice of user@domain.ext.
Nov 22 18:50:36 mailold systemd: Starting User Slice of user@domain.ext.
Nov 22 18:50:36 mailold systemd: Started Session c1 of user user@domain.ext.
Nov 22 18:50:36 mailold systemd-logind: New session c1 of user user@domain.ext.
Nov 22 18:50:36 mailold systemd: Starting Session c1 of user user@domain.ext.

If I try login with user@domain.ext it doesn’t work and in /var/log/messages I obtain

Nov 22 18:48:26 mailold smbd[20596]: domain_client_validate: unable to validate password for user user@domain.ext in domain to Domain controller NSDC-MAILOLD.AD.DOMAIN.EXT. Error was NT_STATUS_NO_SUCH_USER.

davidep · November 22, 2018, 6:41pm

It seems samba cannot map the domain suffix correctly. Could you try with smbclient?

 smbclient -U user@domain.ext //host/share
 smbclient -U user@ad.domain.ext //host/share
 smbclient -U NETBIOS\\user //host/share

federico.ballarini · November 22, 2018, 8:14pm

tree connect failed: NT_STATUS_ACCESS_DENIED
It works
session setup failed: NT_STATUS_NO_LOGON_SERVERS

But if I try with this mode (third mode) in Windows smb it works

davidep · November 22, 2018, 8:53pm

I’m going by memory now: maybe it never worked… Anyway there can be good news with ns 7.6 soon /cc @nrauso

Double check the command bash syntax: if it works from Windows I’d expect the same with smbclient

I was probably wrong here… Let me verify it!

Can anybody confirm?

federico.ballarini · November 22, 2018, 8:59pm

On another server, clean installation of NS7 users can access with user@domain.ext

davidep · November 22, 2018, 9:07pm

I suspect this issue can be related to this bug , even if we are still with 7.5 here… /cc @giacomo @dz00te

If you aren’t in hurry we could find a fix soon

federico.ballarini · November 22, 2018, 9:52pm

Downgrade samba version can be a solution?

davidep · November 22, 2018, 10:09pm

What is your current samba version?

federico.ballarini · November 22, 2018, 11:12pm

4.7.1
It’s the same that I have on the other server, that it’s working…

davidep · November 23, 2018, 9:00am

Please check if there’s a duplicated SID; run this command:

 net getdomainsid

Check if the two lines have the same SID number. If so run the following commands, replacing X-Y-(Z+1) with your numbers:

net setlocalsid S-1-5-21-X-Y-(Z+1)

Set a new unique SID number: you can increment by one (Z+1). For instance if the local sid was S-1-5-21-1000-2000-3000 run

net setlocalsid S-1-5-21-1000-2000-3001

Then

net cache flush
systemctl restart smbd

I re-read the docs again:

http://docs.nethserver.org/en/v7/shared_folder.html#network-access

It does not say the user@domain is allowed to access a samba share. I think this limitation is caused by a bug or a wrong configuration. As said this bug can be fixed in NethServer 7.6: we’re working on that.

federico.ballarini · November 23, 2018, 10:06am

Yes, SIDs were duplicated. I’ve changed the local SID number, but I can’t access already with user@domain.ext. It’s not possible to add the domain.ext as alias of ad.domain.ext?

davidep · November 23, 2018, 10:11am

net cache flush
systemctl restart smbd

Did you run them?

I’m working on the fix for 7.6. Probably it will not be backported, but I verified your issue is solved there.

@dz00te, we could add “access as user@domain.ext and user@ad.domain.ext” to our tests list!

federico.ballarini · November 23, 2018, 10:22am

Yes, I run them. It doesn’t works.

There is no solution for that without upgrading at 7.6? I can’t undestrand why on another server (7.5 NS) works…
What can I verify again?