Shares on non-domain network devices

Ok I will try that. Thank you.

But in this case nethserver itself is not the DNS but the IP of the AD container, correct?

Correct. As soon as you enable the AD module on Nethserver, you should use the DNS provided by it for at least domain clients. You should configure the upstream DNS server on the Networking page, and the rest will manage itself.

Any custom DNS records should be made using the mmc DNS snapin, not on the Nethserver DNS page. You will not see the changes there either, as it is a separate DNS server.

OK, lastly, more alternatives (which could also be fine without changing network structure/settings as @planet_jeroen suggested):
%NethServerIpAddress%\%username%
or
%username%@%NethServerIpAddress%

(CamelCase is written only for better readability; “%” should not be taken literally)

Suggestions made by @planet_jeroen are fine if you want to use NethServer as a network service provider for DHCP, DNS server and other nice things, even if you want to use NethServer as network gateway.
But sometimes people only want to add/change the piece they already have without changing other things…


Hi,

no change: none of the suggested ideas help. I do not get why I can access the shares when open to public but not if passwords / user / groups are set.

THX for further ideas…

Thorsten

Gave up - without solution.

Did you try a software/firmware update of your TV?

Maybe “old sharing style” works:

or ntlm issue


WARNING! Changing samba auth/protocols is BAD for security.

Add ntlm auth = yes to the global section of /var/lib/machines/nsdc/etc/samba/smb.conf.
Restart the samba server to apply the config with systemctl -M nsdc restart samba

Maybe wrong smb protocol version is the problem:

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERMAXPROTOCOL

Of course, latest version, but it is still old (2015)

Create users on the command line? mmmm … Not happy about it. It was not necessary on Zentyal 3.2 which had Samba4 / AD (early adoption) implemented either.

did that without success (and returned). Question:

systemctl -M nsdc restart samba

was unexpectedly fast (less than 1 second, without errors or other output). Are you sure this command is enough to restart the complete file sharing structure? I mean it should restart complete Samba (not only the nsdc section), correct? Maybe something more aggressive, e.g. a reboot?

Where do I add something like

server max protocol = LANMAN1

is it the [global] section?

TIA
Thorsten

It only restarts samba in the nsdc.

I don’t know if it makes sense to put it in the local /etc/samba/smb.conf and restart with systemctl restart smb too.

Yes.

No change, none of the proposed solutions work. Is there no log file which could give a hint?

You may check /var/log/samba/* and /var/lib/machines/nsdc/var/log/samba/*

OK, screening the logfile for the TV IP results in two errors within /var/log/samba/log.172.17.0.53:

[2018/09/04 21:14:31.545299, 0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server) connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.

[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate) domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was NT_STATUS_NO_SUCH_USER.

The second error is related to a guest user as this is the default setting on the Panasonic TV. This occurs in 99 of 100 cases.
The first error is something I cannot assign. There was just one error of this type.

I also found errors in message.log:
Sep 4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.

Still no connect to samba shares …

@support_team Some more ideas?
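The two log entries quoted above (smbd's own log and the syslog copy in messages) carry the same diagnostic payload: which user name and which domain name the client sent, and which NT_STATUS the DC returned. The following script is an added example, not part of this thread or of NethServer: it parses both line formats, counts failures per (user, domain, status) and flags client-supplied domain names the AD does not know (here WORKGROUP and NODOMAIN), which is the pattern visible in the thread when a non-domain device talks to an AD-backed share. The sample lines are constructed from the entries quoted above; the set of "known" domain names passed to summarize() is an assumption you replace with your own realm's short names.

```python
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in the thread.
# smbd writes a header line ("[timestamp, level] file:line(function)") followed by
# an indented message line; the syslog copy has the message on one line.
SAMPLE_LOG = """\
[2018/09/04 21:14:31.545299, 0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.
[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was NT_STATUS_NO_SUCH_USER.
Sep 4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
Sep 4 22:09:40 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
"""

# Both patterns match on the message body only, so the line prefix
# (smbd header or syslog header) does not matter.
VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+)"
    r" to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)"
)
SESSION_RE = re.compile(
    r"unable to open the domain client session to machine (?P<dc>\S+)\."
    r" Error was : (?P<status>NT_STATUS_\w+)"
)


def parse_auth_failures(text):
    """Return one dict per authentication-related failure found in smbd log text."""
    events = []
    for line in text.splitlines():
        m = VALIDATE_RE.search(line)
        if m:
            events.append({"kind": "validate", **m.groupdict()})
            continue
        m = SESSION_RE.search(line)
        if m:
            # No user/domain in this message: the DC session itself failed.
            events.append({"kind": "session", "user": None, "domain": None, **m.groupdict()})
    return events


def summarize(events, known_domains):
    """Count validate failures per (user, domain, status) and list the domain
    names clients sent that are not in known_domains (an assumed set of the
    realm's short names). Session failures are returned separately because they
    point at the file server <-> DC link rather than at a client."""
    validate = [e for e in events if e["kind"] == "validate"]
    counts = Counter((e["user"], e["domain"], e["status"]) for e in validate)
    foreign = sorted({e["domain"] for e in validate if e["domain"] not in known_domains})
    session_errors = [e for e in events if e["kind"] == "session"]
    return {"counts": counts, "foreign_domains": foreign, "session_errors": session_errors}


if __name__ == "__main__":
    report = summarize(parse_auth_failures(SAMPLE_LOG), known_domains={"AD"})
    for (user, domain, status), n in report["counts"].most_common():
        print(f"{n:3d}  user={user:<8} domain={domain:<10} {status}")
    print("domains unknown to the AD:", ", ".join(report["foreign_domains"]) or "none")
    print("DC session failures:", len(report["session_errors"]))
```

Run it against the real files with `python3 smb_auth_report.py < /var/log/samba/log.<client-ip>`, after changing the `__main__` block to read stdin; a client that repeatedly shows up as GUEST in WORKGROUP is negotiating as a workgroup device rather than a domain member, which is what the thread's TV does, and the lone NT_STATUS_NETWORK_ACCESS_DENIED session error is worth checking on the file server to DC path independently of any client.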

Maybe your TV needs SMBV1. Not really advisable, because of “wanna cry” and so on…
But some months ago, I had a WinXP client to connect and had to re-enable SMBV1.
Not sure, but look at
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSIGNING
Did you try server min protocol = LANMAN1
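Several of the settings discussed in this thread (ntlm auth = yes, server min protocol = LANMAN1, the server signing parameter linked above) each lower the authentication or dialect floor for every client, not just the TV. The script below is an added example, not from this thread or from NethServer: it reads the [global] section of an smb.conf text and reports the weak settings, so you can check both files the thread mentions (/etc/samba/smb.conf on the host and /var/lib/machines/nsdc/etc/samba/smb.conf inside the AD container) before and after a change. The two configs embedded here are constructed; the dialect order and the SMB2/SMB3 alias meaning follow smb.conf(5) as I know it and are marked as an assumption in the code.

```python
import configparser

# Dialect names in increasing order, as listed under "server min protocol" in smb.conf(5).
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Assumption (from smb.conf(5) as I recall it): "SMB2" means SMB2_10, "SMB3" means SMB3_11.
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SMB1_CEILING = PROTOCOL_ORDER.index("SMB2_02")  # anything below this is an SMB1 dialect

# Constructed config with the settings proposed in the thread applied.
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    ntlm auth = yes
    server min protocol = LANMAN1
    server signing = disabled
"""

# Constructed config with the same section hardened.
HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    ntlm auth = ntlmv2-only
    server min protocol = SMB2_02
    server signing = mandatory
"""


def parse_global(text):
    """Return the [global] parameters as a lower-cased dict. smb.conf is INI-like
    enough for configparser; keys with spaces ('server min protocol') are fine."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "global":  # Samba treats section names case-insensitively
            return {k.strip().lower(): v.strip() for k, v in cp[name].items()}
    return {}


def dialect_rank(name):
    """Position of a dialect name in PROTOCOL_ORDER, or None if unknown."""
    name = ALIASES.get(name.upper(), name.upper())
    return PROTOCOL_ORDER.index(name) if name in PROTOCOL_ORDER else None


def audit_global(text):
    """List (parameter, value, reason) triples for settings that weaken every client's
    session. An unset 'server min protocol' is not flagged because its default depends
    on the Samba version."""
    g = parse_global(text)
    findings = []
    min_proto = g.get("server min protocol")
    if min_proto is not None:
        rank = dialect_rank(min_proto)
        if rank is not None and rank < SMB1_CEILING:
            findings.append(("server min protocol", min_proto,
                             "permits SMB1 dialects; raise to SMB2_02 or higher"))
    ntlm = g.get("ntlm auth", "").lower()
    if ntlm in ("yes", "ntlmv1-permitted"):
        findings.append(("ntlm auth", ntlm, "permits NTLMv1; use ntlmv2-only"))
    if g.get("lanman auth", "no").lower() == "yes":
        findings.append(("lanman auth", "yes", "permits LANMAN password hashes"))
    if g.get("server signing", "").lower() == "disabled":
        findings.append(("server signing", "disabled",
                         "SMB signing off; use mandatory or leave the default"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for param, value, reason in audit_global(conf) or [("-", "-", "no findings")]:
            print(f"  {param} = {value}: {reason}")
```

To audit a real file, replace the embedded strings with `audit_global(open(path).read())`; the point of keeping both configs side by side is that the hardened one shows what each proposed relaxation should be set back to once the experiment with the TV is over.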

Active Directory is not my expertise, that’s why I did not join this discussion.

IMHO it boils down to 2 questions:

  1. Has the device (TV) joined the domain or (at least) does it show up in the AD with some policies attached to it?

  2. Can a user connect to an access-controlled SMB share from a device unknown to the AD?

IIUC: answer to (2) is No.
If the Kerberos (ticket) methodology is not in place and the (time) clocks are not synced, it’s impossible to authenticate against AD.

I would suggest taking the device (TV) out of the equation and trying to connect to an access-controlled (ACLs) SMB share from a computer not joined to the domain. If this is possible, connecting the device (TV) may be possible.

A bit of cross posting…

Maybe this was possible with the deprecated NT4 style PDC…

Hi,

just some notes on this item:
The TV does see the shares. I can even connect / read media files if guest (aka “all”) access is open. For “must have” purposes I set up this configuration for some training videos. This is something I do not want to do: this would require me to open those shares to the public of my network.

Also, other non-domain “IPs” (aka computers) can connect to the shares using the “sonos” user account and credentials:

  • Linux Ubuntu Desktop PC (still on my old domain and behaves as a guest in a foreign network)
  • The Sonos devices themselves (I think this is some Raspberry or Android Linux, but I am not familiar with it).

TIA
Thorsten

Yes - > nope

Is this maybe a time problem?

During tests on the Linux Ubuntu Desktop PC I opened the shares via Network → Windows → Myserver → share. Each double-click on a folder took approx. 2 min to connect. Sonos connect app and Windows domain PCs are very much faster. I also connected directly via smb://nethserver-IP/share, too. It also took some time, but it was OK. I noticed that it requested the password several times. But when I pressed the cancel button, the share was available. I tracked this back to multiple clicks related to impatience … but maybe this is some kind of auth issue? I will check on the weekend

In contrast to this, the TV is very much faster and says “no connection please check server”

TIA
Thorsten

Hi Thorsten,

Again, I have to emphasize I’m not an AD / SMB specialist :disappointed_relieved:

However: it seems to me the direction of the solution pursued is “degrading” (the authentication) to legacy NTLMv(?) / SMB(1?) protocols.
If these are global / system-wide settings, a golden rule learned from experience in many technical fields applies: changing a global setting / property for a local problem always results in a suboptimal solution. You need to decide if the solution justifies the drawbacks.

I opted to create a local storage for the multimedia streaming service I’m running outside the domain and share it as a regular old-fashioned smb share provided by a local smb-samba server.
On the bottom of my todo-list is to explore if it is possible to mount this “multimedia share” on the instance running the AD to make it directly accessible to domain users without giving the multimedia service/daemon access to the domain.