WARNING! Changing samba auth/protocols is BAD for security.
Add ntlm auth = yes to the global section of /var/lib/machines/nsdc/etc/samba/smb.conf.
Restart the samba server to apply the config with systemctl -M nsdc restart samba
Of course, latest version, but it is still old (2015)
Create users on the command line? mmmm … Not happy about it. It was not necessary on Zentyal 3.2 which had Samba4 / AD (early adoption) implemented either.
did that without success (and returned). Question:
systemctl -M nsdc restart samba
was unexpectedly fast (less than 1 second, without errors or other output). Are you sure this command is enough to restart the complete file sharing structure? I mean it should restart the complete samba (not only the nsdc section), correct? Maybe something more aggressive, e.g. a reboot?
OK, screening the logfile for the TV's IP results in two errors within /var/log/samba/log.172.17.0.53:
[2018/09/04 21:14:31.545299, 0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.
[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was NT_STATUS_NO_SUCH_USER.
The second error is related to a guest user, as this is the default setting on the Panasonic TV. This occurs in 99 of 100 cases.
The first error is something I cannot assign. There was just one error of this type.
I also found errors in message.log: Sep 4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
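The two auth_domain.c messages quoted above are the same ones a later reply suggests searching the logs for (grep for the user, read the NT_STATUS code). The parser below is an added example, not code from this thread, NethServer or Samba: it recognises both messages in the per-client Samba log layout (header line, then message) and in the syslog layout of /var/log/messages, counts failures per user/domain/status, and the reading explain() gives each failure is my own heuristic, not Samba's diagnosis. The sample lines are constructed from the quoted ones, with the domain anonymised.

```python
import re
from collections import Counter
# Samba per-client logs (/var/log/samba/log.<ip>) write a header line, then the message;
# /var/log/messages carries the same message on a single syslog line.
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), \d+\] \S+$")
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]: (?P<msg>.*)$")
# The two auth_domain.c messages quoted in the thread.
VALIDATE_RE = re.compile(r"domain_client_validate: unable to validate password for user (?P<user>\S+) "
    r"in domain (?P<domain>\S+) to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)")
CONNECT_RE = re.compile(r"connect_to_domain_password_server: unable to open the domain client session "
    r"to machine (?P<dc>\S+)\. Error was : (?P<status>NT_STATUS_\w+)")

def parse_samba_auth(lines):
    """Return one dict per auth failure found in a mix of Samba-log and syslog lines."""
    events, pending_ts = [], None
    for line in lines:
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:                           # header line: the message follows on the next line
            pending_ts = m["ts"]
            continue
        m = SYSLOG_RE.match(line)
        ts, msg = (m["ts"], m["msg"]) if m else (pending_ts, line)
        pending_ts = None
        for kind, rx in (("validate", VALIDATE_RE), ("connect", CONNECT_RE)):
            m = rx.search(msg)
            if m:
                events.append({"ts": ts, "kind": kind, "user": None, "domain": None, **m.groupdict()})
    return events

def explain(event):
    """Heuristic reading of one failure (my assumption, not Samba's own diagnosis)."""
    if event["kind"] == "connect":
        return "smbd could not open a session to the DC itself; look at the DC, not the client"
    if event["status"] == "NT_STATUS_NO_SUCH_USER" and event["user"].upper() == "GUEST":
        return "client tried guest access and the share does not allow it"
    if event["domain"].upper() not in event["dc"].upper().split("."):
        return f"client sent a domain name ({event['domain']}) the DC does not serve"
    return f"unexplained {event['status']} for {event['user']}"

def summarize(lines):
    """Count failures per (user, domain, status) so a one-off stands out from a repeated one."""
    return Counter((e["user"], e["domain"], e["status"]) for e in parse_samba_auth(lines))
# Constructed sample, modelled on the lines quoted in the thread (anonymised domain).
SAMPLE = """\
[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
Sep  4 21:14:31 ebb-s01 smbd[18920]: connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.MYNAME.TLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.
Sep  4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
""".splitlines()
```

Feed it the real files with `parse_samba_auth(open("/var/log/samba/log.172.17.0.53"))`; a domain name in the output that is not the AD's own (WORKGROUP, NODOMAIN) points at the client's settings rather than at the share's ACL.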
Active Directory is not my expertise, that's why I did not join this discussion.
IMHO it boils down to 2 questions:
Has the device (TV) joined the domain or (at least) does it show up in the AD with some policies attached to it?
Can a user connect to an access-controlled SMB share from a device unknown to the AD?
IIUC: answer to (2) is No.
If the Kerberos (ticket) metrology is not in place and the (time) clocks are not synced it's impossible to authenticate against AD.
I would suggest to take the device (TV) out of the equation and try to connect to an access-controlled (ACLs) SMB share from a computer not joined to the domain. If this is possible, connecting the device (TV) may be possible.
A bit of cross posting…
Maybe this was possible with the deprecated NT4 style PDC…
just some notes on this item:
The TV does see the shares. I can even connect / read media files if guest (aka “all”) access is open. For “must have” purposes I set up this configuration for some training videos. This is something I do not want to do: this would mean I have to open those shares to the public of my network.
Also, other non-domain “IPs” (aka computers) can connect to the shares using the “sonos” user account and credentials:
Linux Ubuntu Desktop PC (still on my old domain and behaves as a guest in a foreign network)
The Sonos devices themselves (I think this is some Raspberry or Android Linux, but I am not familiar with it).
During tests on the Linux Ubuntu Desktop PC I opened the shares via Network → Windows → Myserver → share. Each double-click on a folder took approx. 2 min to connect. The Sonos connect app and Windows domain PCs are very much faster. I also connected directly via smb://nethserver-IP/share. It also took some time, but it was OK. I noticed that this requested the password several times. But when I pressed the cancel button, the share was available. I tracked this back to multiple clicks related to impatience … but maybe this is some kind of auth issue? I will check on the weekend.
In contrast to this, the TV is very much faster and says “no connection please check server”
Again, I have to emphasize I'm not an AD / SMB specialist.
However: Seems to me the direction of the solution pursued is “degrading” (the authentication) to legacy NTLMv(?) / SMB(1?) protocols.
If these are global / system-wide settings, a golden rule learned from experience in many technical fields applies: changing a global setting / property for a local problem always results in a suboptimal solution. You need to decide if the solution justifies the drawbacks.
I opted to create a local storage for the multimedia streaming service I'm running outside the domain and share it as a regular old-fashioned smb share provided by a local smb-samba server.
On the bottom of my todo-list is to explore if it is possible to mount this “multimedia share” on the instance running the AD to make it directly accessible to domain users without giving the multimedia service/daemon access to the domain.
thank you for jumping in, too. I do not understand all of your questions, so I need to come back with counter-questions. Sorry about that.
It is quite difficult to find a log file / the correct entry, but maybe you can help me to understand which log file I might search for which string. From the TV, I do know the IP, the hostname and the user name. However the user name “sonos” accesses the same share “musik” from different devices - it is a simple read only dummy account.
I do not know much about organisational units OU. I just created some groups within nethserver. In this case the group “multimedia” is the owning group of “musik”, the user “sonos” is a member of this group.
At least, I can see the share on the TV, but it is marked as locked. I got another share “video” with the same ACL settings. However I added “read only” guest access for this share on the general tab. This share “video” is accessible from the TV.
So, when you enter your username and password on the TV, and try to open the share, what does the log say at that time for user ‘sonos’ ? (just search for ‘sonos’ from the Log Viewer, it will pull up the relevant logs)
Edit: verify a stupid character set issue on the TV by using a test account with a real simple password, like pass123
I have seen issues with characters being cut off, and thus passwords never being correct when longer than x characters, and issues with character sets when symbols are used … these are long shots tho, log is best bet.
Edit2: how does it know where to find the domain controller ? Is the DC the DNS server ?