Samba Shares with NethServer release 7.6.1810

NethServer Version: NethServer release 7.6.1810
Module: Shared Folders / SAMBA 4.x

Dear Forum,

I had a very good experience with Nethserver 6.x and SAMBA 3.x.

It is the second time that I’m trying out Nethserver 7.x but the SAMBA results make me look elsewhere…
I believe I’m not the first one asking for help in this forum. I already read 5 or 6 topics. None helped me.

I’m used to deploying Windows Servers so deploying Nethserver is easy.
The problem is: shared folders!

I have a mix of Windows 10 Home and Linux workstations and I’m getting the same results on both:
I created jose@local.lan belonging to domain_users@local.lan

Name: Share
Owning group: domain_users@local.lan
Allow write permissions to owning group
[ ] Allow read permissions to everyone

Guest access
None
[ ] Read Only
[ ] Read and write
Browseable
Network recycle bin
Keep copies of files with the same name

On Linux authentication fails: smb://v-nethserver-1/share
On Linux: smbclient -d 3 -U jose@local.lan //v-nethserver-1.local.lan/share
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section “[global]”
WARNING: The “syslog” option is deprecated
added interface eno1 ip=192.168.111.XXX bcast=192.168.111.255 netmask=255.255.255.0
Client started (version 4.7.6-Ubuntu).
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_hosts: Attempting host lookup for name v-nethserver-1.local.lan<0x20>
Connecting to 192.168.111.XX at port 445
got OID=1.2.840.48018.1.2.2
Enter jose@local.lan’s password:
Kinit for jose@local.lan to access v-nethserver-1.local.lan failed: Cannot contact any KDC for requested realm
GENSEC backend ‘gssapi_spnego’ registered
GENSEC backend ‘gssapi_krb5’ registered
GENSEC backend ‘gssapi_krb5_sasl’ registered
GENSEC backend ‘spnego’ registered
GENSEC backend ‘schannel’ registered
GENSEC backend ‘naclrpc_as_system’ registered
GENSEC backend ‘sasl-EXTERNAL’ registered
GENSEC backend ‘ntlmssp’ registered
GENSEC backend ‘ntlmssp_resume_ccache’ registered
GENSEC backend ‘http_basic’ registered
GENSEC backend ‘http_ntlm’ registered
GENSEC backend ‘krb5’ registered
GENSEC backend ‘fake_gssapi_krb5’ registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
Try “help” to get a list of possible commands.
smb: >

$ nslookup v-nethserver-1
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: v-nethserver-1.local.lan
Address: 192.168.111.XX

$ nslookup v-nethserver-1.local.lan
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: v-nethserver-1.local.lan
Address: 192.168.111.XX

On Windows authentication fails: \v-nethserver-1\share

net use * /d
There are no entries in the list.

net use z: \v-nethserver-1\share /User:jose@local.lan
System error 85 has occurred.

The local device name is already in use.

nslookup v-nethserver-1
Server: v-nethserver-1.local.lan
Address: 192.168.111.XX

Name: v-nethserver-1.local.lan
Address: 192.168.111.XX

nslookup v-nethserver-1.local.lan
Server: v-nethserver-1.local.lan
Address: 192.168.111.XX

Name: v-nethserver-1.local.lan
Address: 192.168.111.XX

But if I enable guest access:

Name: Share
Owning group: domain_users@local.lan
Allow write permissions to owning group
[ ] Allow read permissions to everyone

Guest access
[ ] None
[ ] Read Only
Read and write

Browseable
Network recycle bin
Keep copies of files with the same name

On both systems I can read and write on share without any authentication! What I can see here is either SAMBA works with computers on the domain or without authentication! I’m looking for workgroup authentication here.

Please, any help?

Thank you in advance.

Kind regards,
J.
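The smbclient debug output in the post above shows the Kerberos attempt failing ("Cannot contact any KDC") and the client falling back to NTLMSSP. The following is an added example, not part of the original post and not Samba or NethServer code: it decodes the `neg_flags` values from that log using the flag bits defined in MS-NLMP, so you can see which session-security features were actually negotiated. The function and variable names are illustrative.

```python
import re

# NTLMSSP negotiate flag bits as defined in MS-NLMP (subset relevant here).
NTLMSSP_FLAGS = {
    0x00000001: "UNICODE",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x00800000: "TARGET_INFO",
    0x02000000: "VERSION",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}

# Lines copied from the smbclient -d 3 output in the post above.
SAMPLE_LOG = """\
Kinit for jose@local.lan to access v-nethserver-1.local.lan failed: Cannot contact any KDC for requested realm
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
"""

def decode_flags(value):
    """Return the set of flag names present in an NTLMSSP neg_flags value."""
    return {name for bit, name in NTLMSSP_FLAGS.items() if value & bit}

def summarize(log):
    """Report Kerberos fallback and the flags of the last neg_flags line."""
    values = [int(v, 16) for v in re.findall(r"neg_flags=(0x[0-9a-fA-F]+)", log)]
    final = decode_flags(values[-1]) if values else set()
    return {
        "kerberos_failed": "Cannot contact any KDC" in log,
        "used_ntlmssp": bool(values),
        "final_flags": final,
        "signing": "SIGN" in final,
        "sealing": "SEAL" in final,
        "extended_session_security": "EXTENDED_SESSIONSECURITY" in final,
    }

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG).items():
        print(key, "=", sorted(val) if isinstance(val, set) else val)
```

For this log the final flags include signing, 128-bit keys and extended session security, but not sealing; the two flags dropped between the challenge and the final set are TARGET_INFO and TARGET_TYPE_DOMAIN.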

@joseoliveira

Hi

Even Microsoft doesn’t really provide support for Workgroup Authentication.
The times of Windows 95 / 98 are long past…
Everyone else uses AD or Public sharing.

What IS then the problem using the NethServer AD?
This works very well and stable - for 25-30 Clients and at my home.

If you REALLY need Workgroup Authentication, maybe you can find an old copy of
Windows 98 SE on eBay or wherever. However: Win10 can’t connect to a Win98SE Share…

If you want to use NethServer AD Domain, NethServer should be your DNS and DHCP Server.
It also helps to add in the AD domain as such in your DNS Server, pointing to the IP of your AD:
ad.yourdomain.com (Or .local if using .local…).
Also add in the FQDN of the NethServer in DNS, with the IP of your NethServer

My 2 cents
Andy

Isn’t this just down to the choice of LDAP as the account provider, which doesn’t provide any authentication of users, as stated in the Shared Folders section of the manual?

Cheers.


@EddieA

Hi

As far as I understand this guy, he’s explicitly not looking for “public” shares.

And Workgroup Authentication is AFAIK deprecated even by Microsoft. (Replaced by “Home” Network?).

My 2 cents
Andy

Hi All,

I thank you all for your posts. I tried OpenLDAP but it isn’t what I was looking for. Basically OpenLDAP doesn’t provide me any share authentication at all.

OK. Let me put things this way: On a Windows Server on a Domain I can access a file share of that server with a Windows on a workgroup or a Linux computer logging in with a certain AD user credentials.

The problem is when I try to do that with a Nethserver, authentication doesn’t work. Server asks me for authentication but I cannot access that share. I’m typing the right username and password but authentication fails all the time.

Nethserver is the primary DNS and DHCP server on the network and I can resolve server’s name and server’s FQDN name as shown on my 1st post.

@joseoliveira

Hello

I assume you are aware that the AD in NethServer has (must have) a different IP from the NethServer itself?
This below looks like your NethServer (judging from the name, not from the IP, shown as XX).

My home NethServer is called AWR7-Nethserver and has the IP ending in .20, my AD is called ad.r7.mydomain.ch and uses the IP 11.

The AD is known by its generated name: NSDC-AWR7-5CD25 in my case.

[Screenshot 2020-06-21 at 18.58.55]

It’s not a bad idea to at least add in the AD name (mine is ad.r7.mydomain.ch) in the Nethserver DNS, and point that to the IP of your AD.
You can also use both IPs (NethServer and AD) as DNS, this also helps.

I also do not use OpenLDAP, as for all my clients and at home I NEED authenticated shares, not public.
OpenLDAP is a good idea, say if your Nethserver is a hosted server (at some Provider) and no shares are really used. Mail, NextCloud and other stuff, but no shares needed.
Or if you’re using a second NethServer just as a firewall…

My 2 cents
Andy

Did you try to connect to \\IP\sharename with DOMAIN\username as regards Windows?

I recommend updating to 7.8.2003.

Is this a typo?

\v-nethserver-1\share

correct would be:

\\v-nethserver-1\share
(two backslashes in front…)

This platform seems to “eat” one backslash…

Andy

Hi All,

Thank you for your help and updates.

Sorry, yes it is a typo. I did use a double backslash: \v-nethserver-1\share

ad.local.lan has 192.168.111.28 ip address
v-nethserver-1 has 192.168.111.29 ip address

I’m obtaining same results with \v-nethserver-1\share or \192.168.111.29\share:

C:\Users\Jose>nslookup v-nethserver-1
Server: v-nethserver-1.local.lan
Address: 192.168.111.29

*** v-nethserver-1.local.lan can’t find v-nethserver-1: Non-existent domain

C:\Users\Jose>nslookup v-nethserver-1.local.lan
Server: v-nethserver-1.local.lan
Address: 192.168.111.29

Name: v-nethserver-1.local.lan
Address: 192.168.111.29

C:\Users\Jose>nslookup ad.local.lan
Server: v-nethserver-1.local.lan
Address: 192.168.111.29

Name: ad.local.lan
Address: 192.168.111.28

C:\Users\Jose>net use \v-nethserver-1\share /user:jose@local.lan Oliveiraj2020!
System error 5 has occurred.

Access is denied.

C:\Users\Jose>net use \192.168.111.29\share /user:jose@local.lan Oliveiraj2020!
System error 5 has occurred.

Access is denied.

C:\Users\Jose>net use \192.168.111.29\share /user:jose@local.lan
The password is invalid for \192.168.111.29\share.

Enter the password for ‘jose@local.lan’ to connect to ‘192.168.111.29’:
System error 5 has occurred.

Access is denied.

C:\Users\Jose>net use \v-nethserver-1\share /user:jose@local.lan
The password is invalid for \v-nethserver-1\share.

Enter the password for ‘jose@local.lan’ to connect to ‘v-nethserver-1’:
System error 5 has occurred.

Access is denied.

Kind regards,
J.

@joseoliveira

Hi

I also noticed that the Forum here swallows a backslash; if you want two backslashes, you need to put in three (it’s also an Escape symbol…).

Is the AD pingable from a client?
Is the AD resolvable (from a client) by name?

Did you try updating, as Markus suggested, to the latest 7.8.2003? (That’s what I’m running at home). AD is working.

Andy

Hi All,

I am really, really impressed with this community!
Thank you for your interest and your help.

Now, the good news:

I can see some work in progress…
I upgraded as suggested to release 7.8.2003.

Now I can logon as expected and map a drive:

C:\Users\Jose>net use z: \v-nethserver-1.local.lan\share /user:jose@local.lan Oliveiraj2020!
The command completed successfully.

Status Local Remote Network
OK Z: \v-nethserver-1.local.lan\share Microsoft Windows Network
The command completed successfully.

Now, this works IF (important detail here) share’s ACL has Domain Users group with read and write permissions.
If the share’s owning group is, for example, another group like “domain_users@local.lan” (jose@local.lan belongs to that group) and ACL read and write permissions are only set for the domain_users@local.lan group (no rights for Domain Users), I can log in and I can map the network share, BUT I can’t access the network share.

I can confirm that this behavior happens after restarting nmb and smb and after a server restart as well.

I’m posting this to help development team. I can live with Domain Users ACL always on.

Again, thank you very much for everybody’s help and comments,

J.


@joseoliveira

Hi

Is the group mentioned ( domain_users@local.lan ) an AD group?
or some other group?

Andy

Hi Andy,

Group was created this way:
Management \ Users and Groups
I selected Group’s Tab and created that group:

Under group name:

domain admins@local.lan
domain_users@local.lan

Hope this helps.

Kind regards,
J.
