Shares on non-domain network devices

WARNING! Changing samba auth/protocols is BAD for security.

Add ntlm auth = yes to the global section of /var/lib/machines/nsdc/etc/samba/smb.conf.
Restart the samba server to apply the config with systemctl -M nsdc restart samba

Maybe the wrong SMB protocol version is the problem:

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERMAXPROTOCOL

Of course, the latest version, but it is still old (2015).

Create users on the command line? mmmm … Not happy about it. It was not necessary on Zentyal 3.2 which had Samba4 / AD (early adoption) implemented either.

Did that without success (and returned). Question:

systemctl -M nsdc restart samba

was unexpectedly fast (less than 1 second, without errors or other output). Are you sure this command is enough to restart the complete file sharing structure? I mean, it should restart complete Samba (not only the nsdc section), correct? Maybe something more aggressive, e.g. a reboot?

Where do I add something like

server max protocol = LANMAN1

Is it the [global] section?

TIA
Thorsten

It only restarts samba in the nsdc.

I don’t know if it makes sense to put it into the local /etc/samba/smb.conf and restart with systemctl restart smb too.

Yes.

No change, none of the proposed solutions work. Is there no log file which could give a hint?

You may check /var/log/samba/* and /var/lib/machines/nsdc/var/log/samba/*

OK, screening the log file for the TV IP results in two errors within /var/log/samba/log.172.17.0.53:
[2018/09/04 21:14:31.545299, 0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server) connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.
[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate) domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.EBBINGHAUS.WORLD. Error was NT_STATUS_NO_SUCH_USER.

The second error is related to a guest user, as this is the default setting on the Panasonic TV. This does occur in 99 of 100 cases.
The first error is something I cannot assign. There was just one error of this type.

I also found errors in message.log:
Sep 4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.

Still no connect to samba shares …

@support_team Some more ideas?
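As an added example (not part of this thread), here is a small parser for the two log formats quoted in the post above: the entries from Samba's own log.<client-ip> file and the smbd line that ends up in syslog. It groups the authentication failures by user, by the domain name the client actually sent and by NT_STATUS code, so one can see at a glance that the TV and the Sonos present their credentials for WORKGROUP / NODOMAIN rather than the AD domain; the sample lines and the NetBIOS name "AD" are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the entries quoted in the post above. Samba's
# own log.<client-ip> files put the "[timestamp, level] file:line(func)" header
# and the message on separate lines; the post ran them together, and the syslog
# copy carries a different prefix. The parser accepts all three layouts.
SAMPLE_LOG = """\
[2018/09/04 21:14:31.545299, 0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine NSDC-EBB-S01.AD.MYNAME.TLD. Error was : NT_STATUS_NETWORK_ACCESS_DENIED.
[2018/09/04 21:14:31.611424, 0] ../source3/auth/auth_domain.c:226(domain_client_validate) domain_client_validate: unable to validate password for user GUEST in domain WORKGROUP to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
Sep 4 22:09:15 ebb-s01 smbd[18920]: domain_client_validate: unable to validate password for user SONOS in domain NODOMAIN to Domain controller NSDC-EBB-S01.AD.MYNAME.TLD. Error was NT_STATUS_NO_SUCH_USER.
"""

STATUS_RE = re.compile(r"(NT_STATUS_[A-Z_]+)")
FUNC_RE = re.compile(r"(\w+): unable to")
CREDS_RE = re.compile(r"for user (\S+) in domain (\S+) to Domain controller")


def parse_auth_events(text):
    """One dict per message carrying an NT_STATUS code; header lines are skipped."""
    events = []
    for line in text.splitlines():
        status = STATUS_RE.search(line)
        if not status:
            continue
        func = FUNC_RE.search(line)
        creds = CREDS_RE.search(line)
        events.append({
            "function": func.group(1) if func else None,
            "user": creds.group(1) if creds else None,
            "domain": creds.group(2) if creds else None,  # domain name the client sent
            "status": status.group(1),
        })
    return events


def summarize(events):
    """Failure counts keyed by (user, client-sent domain, NT_STATUS code)."""
    return Counter((e["user"], e["domain"], e["status"]) for e in events)


def clients_off_realm(events, netbios_domain):
    """(user, domain) pairs whose client named a domain other than the AD one."""
    return sorted({(e["user"], e["domain"]) for e in events
                   if e["domain"] and e["domain"].upper() != netbios_domain.upper()})


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for (user, domain, status), n in summarize(evs).items():
        print(f"{n}x {status} user={user} domain={domain}")
    # "AD" is assumed to be the NetBIOS name of the AD.MYNAME.TLD realm.
    print("credentials sent for a non-AD domain:", clients_off_realm(evs, "AD"))
```

Run it against `cat /var/log/samba/log.<client-ip>` output instead of SAMPLE_LOG to see which domain name a given device supplies before loosening any protocol or auth setting.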

Maybe your TV needs SMBv1. Not really advisable, because of “WannaCry” and so on…
But some months ago, I had a WinXP client to connect and had to re-enable SMBv1.
Not sure, but look at
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSIGNING
Did you try server min protocol = LANMAN1?

Active Directory is not my expertise; that’s why I did not join this discussion.

IMHO it boils down to 2 questions:

  1. Has the device (TV) joined the domain or (at least) does it show up in the AD with some policies attached to it?

  2. Can a user connect to an access-controlled SMB share from a device unknown to the AD?

IIUC: answer to (2) is No.
If the Kerberos (ticket) methodology is not in place and the (time) clocks are not synced, it’s impossible to authenticate against AD.

I would suggest taking the device (TV) out of the equation and trying to connect to an access-controlled (ACLs) SMB share from a computer not joined to the domain. If this is possible, connecting the device (TV) may be possible.

A bit of cross posting…

Maybe this was possible with the deprecated NT4 style PDC…

Hi,

just some notes on this item:
The TV does see the shares. I can even connect / read media files if guest (aka “all”) access is open. For “must have” purposes I set up this configuration for some training videos. This is something I do not want to do: this would require me to open those shares to everyone on my network.

Also, other non-domain “IPs” (aka computers) can connect to the shares using the “sonos” user account and credentials:

  • Linux Ubuntu Desktop PC (still on my old domain and behaves as a guest in a foreign network)
  • The Sonos devices themselves (I think this is some Raspberry or Android Linux, but I am not familiar with it).

TIA
Thorsten

Yes -> nope

Is this maybe a time problem?

During tests on the Linux Ubuntu Desktop PC I opened the shares via Network -> Windows -> Myserver -> share. Each double-click on a folder took approx. 2 min to connect. The Sonos connect app and Windows domain PCs are very much faster. I also connected directly via smb://nethserver-IP/share, too. It also took some time, but it was OK. I noticed that this requested the password several times. But when I pressed the cancel button, the share was available. I tracked this back to multiple clicks related to impatience … but maybe this is some kind of auth issue? I will check on the weekend.

In contrast to this, the TV is very much faster and says “no connection please check server”

TIA
Thorsten

Hi Thorsten,

Again, I have to emphasize I’m not an AD / SMB specialist :disappointed_relieved:

However: it seems to me the direction of the solution pursued is “degrading” (the authentication) to legacy NTLMv(?) / SMB(1?) protocols.
If these are global / system-wide settings, a golden rule learned from experience in many technical fields applies: changing a global setting / property for a local problem always results in a suboptimal solution. You need to decide if the solution justifies the drawbacks.

I opted to create a local storage for the multimedia streaming service I’m running outside the domain and share it as a regular old-fashioned SMB share provided by a local Samba server.
On the bottom of my todo-list is to explore if it is possible to mount this “multimedia share” on the instance running the AD to make it directly accessible to domain users without giving the multimedia service/daemon access to the domain.

On a phone so reading up on the whole topic isn’t really doable right now… Sorry.

Few questions if I may…

  1. What does the log say when you try to access the share with credentials? I see two log messages…
  2. What OU are your users in?
  3. Can you access the shares like you expect from a windows machine?

Dear Jeroen,

thank you for jumping in, too. I do not understand all of your questions, so I need to come back with counter-questions. Sorry about that.

It is quite difficult to find a log file / the correct entry, but maybe you can help me to understand which log file I might search for which string. From the TV, I do know the IP, the hostname and the user name. However the user name “sonos” accesses the same share “musik” from different devices - it is a simple read only dummy account.

I do not know much about organisational units OU. I just created some groups within nethserver. In this case the group “multimedia” is the owning group of “musik”, the user “sonos” is a member of this group.

At least, I can see the share on the TV, but it is marked as locked. I got another share “video” with the same ACL settings. However, I added “read only” guest access for this share on the general tab. This share “video” is accessible from the TV.

TIA
Thorsten

So, when you enter your username and password on the TV, and try to open the share, what does the log say at that time for user ‘sonos’ ? (just search for ‘sonos’ from the Log Viewer, it will pull up the relevant logs)

Edit: verify a stupid character set issue on the TV by using a test account with a real simple password, like pass123

I have seen issues with characters being cut off, and thus passwords never being correct when longer than x characters, and issues with character sets when symbols are used … these are long shots tho, log is best bet.

Edit2: how does it know where to find the domain controller ? Is the DC the DNS server ?


Damn! You hacked my password for the sonos user !!! How did you guess that?? I need to change it immediately.

Edit:
I was aware of that problem - the TV does not accept many special characters and I tried something extremely simple to avoid such problems.


Also, which TV and model is this, so I can get a feel for what you are looking at (through the manual) :wink:

It is a Panasonic TX58AXW804 with current firmware.

What about the security policy of the installation?
Have the complexity criteria for user passwords been removed?