SAMBA: Account 'guest' can log in from Linux, but not from MacOS?

tobiasbp

Patron
Joined
Dec 2, 2015
Messages
238
Hello there...

I have a SAMBA share on FreeNAS 11.2-U2 with guest access enabled:

Code:
root@ultraman:~ # testparm -s
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /usr/local/etc/smb4.conf
Processing section "[FRUITTEST]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
    deadtime = 15
    disable spoolss = Yes
    dns proxy = No
    domain logons = Yes
    dos charset = CP437
    hostname lookups = Yes
    kernel change notify = No
    ldap admin dn = ****
    ldap passwd sync = yes
    ldap suffix = dc=example,dc=com
    lm announce = Yes
    load printers = No
    local master = No
    logging = file
    max log size = 51200
    max open files = 6603833
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    obey pam restrictions = Yes
    panic action = /usr/local/libexec/samba/samba-backtrace
    passdb backend = ldapsam:ldap://ldap.example.com
    printcap name = /dev/null
    security = USER
    server min protocol = SMB2_02
    server role = member server
    server string = FreeNAS Server
    winbind nested groups = No
    workgroup = ZFS_ULTRAMAN
    idmap config zfs_ultraman: range = 10000-90000000
    idmap config zfs_ultraman: backend = ldap
    ldapsam:trusted = yes
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    acl allow execute always = Yes
    create mask = 0666
    directory mask = 0777
    directory name cache size = 0
    dos filemode = Yes
    strict locking = No


[FRUITTEST]
    browseable = No
    guest only = Yes
    path = "/mnt/ultraman/FRUITTEST"
    read only = No
    veto files = /.snapshot/.windows/.mac/.zfs/
    vfs objects = zfs_space zfsacl fruit streams_xattr
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
    fruit:resource = stream
    fruit:metadata = stream


From my Linux machine, I can log in as guest:
Code:
tbp@Marie:~/git/gitlab-runner-plugin$ smbclient \\\\172.22.33.17\\FRUITTEST -U GUEST
WARNING: The "syslog" option is deprecated
Enter GUEST's password:
Anonymous login successful
Domain=[ZFS_ULTRAMAN] OS=[] Server=[]
smb: \>


FreeNAS says:
Code:
[2019/02/27 13:03:04.524981,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ZFS_ULTRAMAN))]
[2019/02/27 13:03:04.532830,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/27 13:03:04.561799,  0] ../source3/lib/util_sock.c:875(matchname)
  matchname: host name/name mismatch: 172.22.33.185 != (NULL)
[2019/02/27 13:03:04.561902,  0] ../source3/lib/util_sock.c:1054(get_remote_hostname)
  matchname failed on 172.22.33.185
[2019/02/27 13:03:04.571684,  2] ../source3/param/loadparm.c:2807(lp_do_section)
  Processing section "[FRUITTEST]"
[2019/02/27 13:03:04.582565,  2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [GUEST] -> [GUEST] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/02/27 13:03:04.582709,  2] ../auth/auth_log.c:476(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WORKGROUP]\[GUEST] at [Wed, 27 Feb 2019 13:03:04.582673 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MARIE] remote host [ipv4:172.22.33.185:48916] mapped to [WORKGROUP]\[GUEST]. local host [ipv4:172.22.33.17:445] 
[2019/02/27 13:03:04.583174,  2] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
  JSON Authentication: {"timestamp": "2019-02-27T13:03:04.582957+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:172.22.33.17:445", "remoteAddress": "ipv4:172.22.33.185:48916", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "WORKGROUP", "clientAccount": "GUEST", "workstation": "MARIE", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "GUEST", "mappedDomain": "WORKGROUP", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 13745}}
[2019/02/27 13:03:04.589794,  2] ../source3/param/loadparm.c:2807(lp_do_section)
  Processing section "[FRUITTEST]"
[2019/02/27 13:03:04.618015,  2] ../source3/smbd/service.c:849(make_connection_snum)
  marie (ipv4:172.22.33.185:48916) connect to service FRUITTEST initially as user nobody (uid=65534, gid=65534) (pid 24796)


When logging in using a Macintosh and choosing "Guest" in the GUI, I cannot log in. FreeNAS says:
Code:
Cannot log in from MacOS with guest (in GUI):
[2019/02/27 13:00:37.096916,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ZFS_ULTRAMAN))]
[2019/02/27 13:00:37.105410,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/27 13:00:37.134206,  0] ../source3/lib/util_sock.c:875(matchname)
  matchname: host name/name mismatch: 172.22.33.128 != (NULL)
[2019/02/27 13:00:37.134267,  0] ../source3/lib/util_sock.c:1054(get_remote_hostname)
  matchname failed on 172.22.33.128
[2019/02/27 13:00:38.098339,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ZFS_ULTRAMAN))]
[2019/02/27 13:00:38.105896,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/27 13:00:38.120023,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=ZFS_ULTRAMAN))]
[2019/02/27 13:00:38.127048,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/27 13:00:38.131977,  0] ../source3/lib/util_sock.c:875(matchname)
  matchname: host name/name mismatch: 172.22.33.128 != (NULL)
[2019/02/27 13:00:38.132047,  0] ../source3/lib/util_sock.c:1054(get_remote_hostname)
  matchname failed on 172.22.33.128
[2019/02/27 13:00:38.153558,  0] ../source3/lib/util_sock.c:875(matchname)
  matchname: host name/name mismatch: 172.22.33.128 != (NULL)
[2019/02/27 13:00:38.153616,  0] ../source3/lib/util_sock.c:1054(get_remote_hostname)
  matchname failed on 172.22.33.128
[2019/02/27 13:00:40.785874,  2] ../source3/param/loadparm.c:2807(lp_do_section)
  Processing section "[FRUITTEST]"
[2019/02/27 13:00:40.790561,  2] ../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [GUEST] -> [GUEST] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2019/02/27 13:00:40.790687,  2] ../auth/auth_log.c:476(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\[GUEST] at [Wed, 27 Feb 2019 13:00:40.790654 CET] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [MACBOOKPRO-F8FF] remote host [ipv4:172.22.33.128:49277] mapped to []\[GUEST]. local host [ipv4:172.22.33.17:445]
[2019/02/27 13:00:40.791091,  2] ../lib/audit_logging/audit_logging.c:141(audit_log_json)
  JSON Authentication: {"timestamp": "2019-02-27T13:00:40.790911+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:172.22.33.17:445", "remoteAddress": "ipv4:172.22.33.128:49277", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "GUEST", "workstation": "MACBOOKPRO-F8FF", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "GUEST", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 9446}}
 
  



I have noticed that the Mac log says "mappedDomain": "" while the Linux log says "clientDomain": "WORKGROUP". I don't know if it makes a difference or not?
 

tobiasbp

Something weird seems to be going on in /usr/local/etc/smb4.conf:

My share had this in /usr/local/etc/smb4.conf:
guest ok = no
guest only = yes

Remove /usr/local/etc/smb4.conf. FreeNAS recreates when starting service.

/usr/local/etc/smb4.conf is now sane:
[FRUITTEST]
path = "/mnt/ultraman/FRUITTEST"
printable = no
veto files = /.snapshot/.windows/.mac/.zfs/
writeable = yes
browseable = yes
access based share enum = no
vfs objects = zfs_space zfsacl streams_xattr
hide dot files = yes
guest ok = no
nfs4:mode = special
nfs4:acedup = merge
nfs4:chown = true
zfsacl:acesort = dontcare

Want to turn on guest. Go to GUI. I see this (twice):
Only Allow Guest Access []
Only Allow Guest Access []

No option to turn on guest access?

This is FreeNAS11.2-U2
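
The share definition quoted in the post above combines `guest only = yes` with `guest ok = no`; per smb.conf(5), `guest only` has no effect unless `guest ok` is set for the service. The following is an added example (not part of the original thread and not FreeNAS code) that parses smb.conf-style text and reports that combination per share; the function names and the sample configuration are constructed for illustration.

```python
import re

# Synonyms documented in smb.conf(5): "public" = "guest ok", "only guest" = "guest only".
SYNONYMS = {"public": "guest ok", "only guest": "guest only"}
TRUE = {"yes", "true", "1", "on"}

def parse_shares(text):
    """Return {section: {param: value}}; names lower-cased, whitespace normalised."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = shares.setdefault(m.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return shares

def audit_guest(text):
    """Classify each share's guest settings; [global] values act as defaults."""
    shares = parse_shares(text)
    defaults = shares.pop("global", {})
    findings = {}
    for name, params in shares.items():
        def flag(p):                          # both parameters default to "no"
            return params.get(p, defaults.get(p, "no")).lower() in TRUE
        ok, only = flag("guest ok"), flag("guest only")
        if only and not ok:
            findings[name] = "guest only has no effect: guest ok is not set"
        elif ok and only:
            findings[name] = "guest-only share"
        elif ok:
            findings[name] = "guest allowed alongside authenticated users"
        else:
            findings[name] = "no guest access"
    return findings

# Constructed sample modelled on the share settings quoted in the post above.
SAMPLE = """
[FRUITTEST]
    guest ok = no
    guest only = yes
[OPEN]
    public = yes
"""
print(audit_guest(SAMPLE))
```
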
 

tobiasbp

Were you able to resolve this?
Yes, by manual intervention.

There seems to be an error in the GUI: On SAMBA shares, the option "Only Allow Guest Access" appears twice. One of them should be something like "Allow guests".
 