Samba username mapping

Bruce Payne

Cadet
Joined
Jul 21, 2016
Messages
2
Hi @all!

I have a problem with Samba's username mapping feature when accessing user home shares.

My home network contains some Windows 10 machines.
The user account naming pattern on these machines is "Firstname Lastname" (eg. "John Doe") as detailed in the following sample:
Code:
C:\Users\John Doe>ver

Microsoft Windows [Version 10.0.10586]


Each of these users also has a user account on my FreeNAS box - the naming pattern here is simply "firstname", eg. "john".
To match usernames I created an additional file "smbusers", added a line for each user mapping Unix to Windows usernames and updated the Samba configuration to read this file.
Below an overview of a sample system:
Code:
[root@server] ~# uname -a
FreeBSD server.intranet.mydomain.tld 10.3-STABLE FreeBSD 10.3-STABLE #0 455d13d(9.10-STABLE): Sun Jun 26 22:47:03 PDT 2016     root@build.ixsystems.com:/tank/home/nightlies/build-freenas9/_BE/objs/tank/home/nightlies/build-freenas9/_BE/trueos/sys/FreeNAS.amd64  amd64

Code:
[root@server] ~# groups john
john
[root@server] ~# ls -la /mnt/pool/homes/
total 10
drwxrwxr-x+ 3 root      wheel      4 Jul 19 09:47 ./
drwxr-xr-x  3 root      wheel      3 Jul 19 09:44 ../
-rw-r--r--  1 root      wheel      0 Jul 19 09:44 .windows
drwxrwxr-x+ 2 john      john      11 Jul 19 09:48 john/

Code:
[root@server] ~# ls -la smbusers
-rw-r--r--  1 root  wheel  31 Jul 14 14:29 smbusers
[root@server] ~# cat smbusers
john = "John Doe"

Code:
[root@server] ~# cat /usr/local/etc/smb4.conf
[global]
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 586316
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = FreeNAS Server
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    hostname lookups = yes
    time server = yes
    acl allow execute always = false
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = standalone
    netbios name = WINTERMUTE
    workgroup = WORKGROUP
    security = user
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 10
    username map = /root/smbusers


[homes]
    valid users = %U
    path = /mnt/pool/homes/%U
    comment = Home Directories
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    vfs objects = zfs_space zfsacl aio_pthread streams_xattr recycle
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare


Now when a user tries to access his/her home share by his/her Windows username, he/she gets an error stating that the share's path could not be found.
(BTW: Does anybody know if there's a way to switch cmd temporarily to en-EN or en-US?)
Code:
C:\Users\John Doe>net view \\SERVER
Freigegebene Ressourcen auf \\SERVER

FreeNAS Server

Freigabename  Typ     Verwendet als  Kommentar

-------------------------------------------------------------------------------
homes         Platte                 Home Directories
john          Platte                 Home Directories
Der Befehl wurde erfolgreich ausgeführt.


C:\Users\John Doe>net use X: \\SERVER\john /user:"John Doe" P@ssw0rd
Systemfehler 53 aufgetreten.

Der Netzwerkpfad wurde nicht gefunden.


Regarding the following excerpt from /var/log/samba4/log.smbd (output of the connection attempt above), I assume that the username mapping feature itself works (see lines 1f., 57f., 69-80, 91-95), but there's obviously a problem setting the correct home path (the share path contains the Windows-style username in all lowercase instead of the expected Unix-style one, see e.g. lines 113f., 147f.):
Code:
[2016/07/21 11:47:15.941069,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:15.941445,  3] ../source3/smbd/oplock.c:1309(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/21 11:47:15.941630,  3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 159 (0 toread)
[2016/07/21 11:47:15.941706,  3] ../source3/smbd/process.c:1490(switch_message)
  switch message SMBnegprot (pid 11766) conn 0x0
[2016/07/21 11:47:15.944199,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2016/07/21 11:47:15.944281,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN1.0]
[2016/07/21 11:47:15.944338,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2016/07/21 11:47:15.944393,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LM1.2X002]
[2016/07/21 11:47:15.944441,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN2.1]
[2016/07/21 11:47:15.944490,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/21 11:47:15.944543,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.002]
[2016/07/21 11:47:15.944592,  3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.???]
[2016/07/21 11:47:15.945130,  3] ../source3/smbd/smb2_negprot.c:269(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2016/07/21 11:47:15.946788,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2016/07/21 11:47:15.946864,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2016/07/21 11:47:15.946914,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2016/07/21 11:47:15.946964,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'spnego' registered
[2016/07/21 11:47:15.947013,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'schannel' registered
[2016/07/21 11:47:15.947062,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2016/07/21 11:47:15.947113,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2016/07/21 11:47:15.947162,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2016/07/21 11:47:15.947210,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_basic' registered
[2016/07/21 11:47:15.947259,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2016/07/21 11:47:15.947308,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'krb5' registered
[2016/07/21 11:47:15.947356,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2016/07/21 11:47:15.947709,  3] ../source3/smbd/negprot.c:683(reply_negprot)
  Selected protocol SMB 2.???
[2016/07/21 11:47:15.950033,  3] ../source3/smbd/smb2_negprot.c:269(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2016/07/21 11:47:15.953974,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2016/07/21 11:47:15.956393,  3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[John Doe] domain=[] workstation=[CLIENT] len1=24 len2=324
[2016/07/21 11:47:15.956486,  3] ../source3/param/loadparm.c:3730(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/21 11:47:15.956737,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/21 11:47:15.957116,  3] ../source3/param/loadparm.c:2659(lp_do_section)
  Processing section "[global]"
[2016/07/21 11:47:15.959270,  2] ../source3/param/loadparm.c:2676(lp_do_section)
  Processing section "[homes]"
[2016/07/21 11:47:15.960874,  3] ../source3/param/loadparm.c:1576(lp_add_ipc)
  adding IPC service
[2016/07/21 11:47:15.960996,  3] ../source3/auth/user_util.c:403(map_username)
  Mapped user John Doe to john
[2016/07/21 11:47:15.961081,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[John Doe]@[CLIENT] with the new password interface
[2016/07/21 11:47:15.961144,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SERVER]\[john]@[CLIENT]
[2016/07/21 11:47:15.961698,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:15.962698,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [John Doe] succeeded
[2016/07/21 11:47:15.972750,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [John Doe] -> [john] -> [john] succeeded
[2016/07/21 11:47:15.972858,  3] ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/07/21 11:47:15.972906,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088215
[2016/07/21 11:47:15.973353,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:15.974687,  3] ../source3/auth/token_util.c:547(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/07/21 11:47:15.974813,  3] ../source3/auth/token_util.c:579(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/07/21 11:47:15.975485,  3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'john' using home directory: '/mnt/pool/homes/john'
[2016/07/21 11:47:15.975671,  3] ../source3/param/loadparm.c:1527(lp_add_home)
  adding home's share [john] for user 'john' at '/mnt/pool/homes/%U'
[2016/07/21 11:47:15.987285,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:15.987560,  3] ../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2016/07/21 11:47:15.987680,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2016/07/21 11:47:15.987743,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2016/07/21 11:47:15.988196,  3] ../source3/smbd/service.c:864(make_connection_snum)
  client (ipv4:192.168.1.2:58150) connect to service IPC$ initially as user john (uid=1101, gid=1102) (pid 11766)
[2016/07/21 11:47:15.990497,  3] ../source3/smbd/msdfs.c:993(get_referred_path)
  get_referred_path: |john| in dfs path \SERVER\john is not a dfs root.
[2016/07/21 11:47:15.994427,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:15.994522,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:15.994822,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:15.995210,  3] ../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/mnt/pool/homes/john doe' for service [john]
[2016/07/21 11:47:15.995296,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:15.995578,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:15.995850,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2016/07/21 11:47:15.995912,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2016/07/21 11:47:15.995963,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [recycle]
[2016/07/21 11:47:15.996611,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'recycle' loaded
[2016/07/21 11:47:15.996689,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [streams_xattr]
[2016/07/21 11:47:15.997214,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'streams_xattr' loaded
[2016/07/21 11:47:15.997282,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [aio_pthread]
[2016/07/21 11:47:15.997666,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'aio_pthread' loaded
[2016/07/21 11:47:15.997733,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2016/07/21 11:47:15.998836,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'zfsacl' loaded
[2016/07/21 11:47:15.998908,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfs_space]
[2016/07/21 11:47:16.027946,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'zfs_space' loaded
[2016/07/21 11:47:16.028250,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.028575,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.029099,  0] ../source3/smbd/service.c:800(make_connection_snum)
  canonicalize_connect_path failed for service john, path /mnt/pool/homes/john doe
[2016/07/21 11:47:16.031050,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:16.031151,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.031443,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.031805,  3] ../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/mnt/pool/homes/john doe' for service [john]
[2016/07/21 11:47:16.031889,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.032161,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.032418,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2016/07/21 11:47:16.032478,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2016/07/21 11:47:16.032530,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [recycle]
[2016/07/21 11:47:16.032578,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [streams_xattr]
[2016/07/21 11:47:16.032625,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [aio_pthread]
[2016/07/21 11:47:16.032672,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2016/07/21 11:47:16.032719,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfs_space]
[2016/07/21 11:47:16.032866,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.033154,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.033645,  0] ../source3/smbd/service.c:800(make_connection_snum)
  canonicalize_connect_path failed for service john, path /mnt/pool/homes/john doe
[2016/07/21 11:47:16.035597,  3] ../source3/smbd/service.c:1140(close_cnum)
  client (ipv4:192.168.1.2:58150) closed connection to service IPC$
[2016/07/21 11:47:16.042251,  3] ../source3/smbd/server_exit.c:252(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2016/07/21 11:47:16.048289,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:16.048597,  3] ../source3/smbd/oplock.c:1309(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/21 11:47:16.048770,  3] ../source3/smbd/process.c:1880(process_smb)
  Transaction 0 of length 178 (0 toread)
[2016/07/21 11:47:16.049071,  3] ../source3/smbd/smb2_negprot.c:269(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_11
[2016/07/21 11:47:16.051154,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2016/07/21 11:47:16.051234,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2016/07/21 11:47:16.051284,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2016/07/21 11:47:16.051333,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'spnego' registered
[2016/07/21 11:47:16.051386,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'schannel' registered
[2016/07/21 11:47:16.051434,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2016/07/21 11:47:16.051482,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2016/07/21 11:47:16.051530,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2016/07/21 11:47:16.051578,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_basic' registered
[2016/07/21 11:47:16.051626,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2016/07/21 11:47:16.051674,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'krb5' registered
[2016/07/21 11:47:16.051721,  3] ../auth/gensec/gensec_start.c:899(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2016/07/21 11:47:16.055424,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2016/07/21 11:47:16.057906,  3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[John Doe] domain=[] workstation=[CLIENT] len1=24 len2=324
[2016/07/21 11:47:16.057999,  3] ../source3/param/loadparm.c:3730(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/21 11:47:16.058247,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/21 11:47:16.058628,  3] ../source3/param/loadparm.c:2659(lp_do_section)
  Processing section "[global]"
[2016/07/21 11:47:16.060778,  2] ../source3/param/loadparm.c:2676(lp_do_section)
  Processing section "[homes]"
[2016/07/21 11:47:16.062383,  3] ../source3/param/loadparm.c:1576(lp_add_ipc)
  adding IPC service
[2016/07/21 11:47:16.062501,  3] ../source3/auth/user_util.c:403(map_username)
  Mapped user John Doe to john
[2016/07/21 11:47:16.062584,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[John Doe]@[CLIENT] with the new password interface
[2016/07/21 11:47:16.062651,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SERVER]\[john]@[CLIENT]
[2016/07/21 11:47:16.063177,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.064166,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [John Doe] succeeded
[2016/07/21 11:47:16.073886,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [John Doe] -> [john] -> [john] succeeded
[2016/07/21 11:47:16.073994,  3] ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/07/21 11:47:16.074041,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088215
[2016/07/21 11:47:16.074485,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.075817,  3] ../source3/auth/token_util.c:547(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/07/21 11:47:16.075944,  3] ../source3/auth/token_util.c:579(finalize_local_nt_token)
  Failed to fetch domain sid for WORKGROUP
[2016/07/21 11:47:16.076642,  3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'john' using home directory: '/mnt/pool/homes/john'
[2016/07/21 11:47:16.076829,  3] ../source3/param/loadparm.c:1527(lp_add_home)
  adding home's share [john] for user 'john' at '/mnt/pool/homes/%U'
[2016/07/21 11:47:16.087693,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from client.fritz.box (192.168.1.2)
[2016/07/21 11:47:16.087764,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.087958,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.088206,  3] ../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/mnt/pool/homes/john doe' for service [john]
[2016/07/21 11:47:16.088259,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.088433,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.088595,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2016/07/21 11:47:16.088638,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2016/07/21 11:47:16.088670,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [recycle]
[2016/07/21 11:47:16.089060,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'recycle' loaded
[2016/07/21 11:47:16.089108,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [streams_xattr]
[2016/07/21 11:47:16.089432,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'streams_xattr' loaded
[2016/07/21 11:47:16.089474,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [aio_pthread]
[2016/07/21 11:47:16.089700,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'aio_pthread' loaded
[2016/07/21 11:47:16.089741,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2016/07/21 11:47:16.090400,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'zfsacl' loaded
[2016/07/21 11:47:16.090447,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfs_space]
[2016/07/21 11:47:16.107968,  2] ../lib/util/modules.c:196(do_smb_load_module)
  Module 'zfs_space' loaded
[2016/07/21 11:47:16.108227,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID john is not in a valid format
[2016/07/21 11:47:16.108425,  3] ../source3/passdb/lookup_sid.c:1645(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for john
[2016/07/21 11:47:16.108740,  0] ../source3/smbd/service.c:800(make_connection_snum)
  canonicalize_connect_path failed for service john, path /mnt/pool/homes/john doe
[2016/07/21 11:47:26.665107,  3] ../source3/smbd/server_exit.c:252(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)


I can prevent error messages by creating symlinks, but I don't think this is the proper way to do things:
Code:
ln -s /mnt/pool/homes/john /mnt/pool/homes/john\ doe


To sum it up: I did a lot of forum and web searching, read and learned a lot, fiddled around with settings and parameters, but after all that I still have no clue how to fix the basic problem. So any help is greatly appreciated.
My apologies if I missed something.

Best regards,
dP

EDIT: re-formatted using CODE blocks for better readability
 
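To make the behaviour in the log above reproducible, here is an added Python model (not code from the thread or from Samba) of the two pieces involved: the username map lookup and the %U / %u substitutions in the [homes] path. It assumes the smb.conf(5) rules for the map file (quoted names, '#'/';' comments, '*' as catch-all, a leading '!' stopping processing after a match, case-insensitive comparison) and that %U is the name the client requested in lowercase while %u is the Unix user after mapping, as the log's "Connect path is '/mnt/pool/homes/john doe'" line shows; '@group' entries are not modelled.

```python
"""Model of Samba 'username map' lookup plus %U/%u expansion of a [homes]
'path'. Added example, not Samba's own code; semantics taken from
smb.conf(5) and from the smbd log quoted in the thread."""
import shlex
from dataclasses import dataclass


@dataclass
class MapRule:
    unix_name: str        # left-hand side of the '=' in the map file
    windows_names: list   # right-hand side, split on whitespace (quotes honoured)
    stop: bool = False    # True when the line was prefixed with '!'


# Constructed sample 1: exactly the single-line file from the post.
SMBUSERS = """
# unixname = windowsname [windowsname ...]
john = "John Doe"
"""

# Constructed sample 2: the same line followed by a catch-all entry, in the
# style of the smb.conf(5) example; without '!' the catch-all wins.
SMBUSERS_CATCHALL = SMBUSERS + "guest = *\n"

# Constructed sample 3: the '!' prefix stops processing once john matched.
SMBUSERS_CATCHALL_STOP = SMBUSERS_CATCHALL.replace('john = "John Doe"',
                                                   '!john = "John Doe"')


def parse_username_map(text: str) -> list:
    """Parse the map file into an ordered list of MapRule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_part, _, win_part = line.partition("=")
        unix_name = unix_part.strip()
        stop = unix_name.startswith("!")
        if stop:
            unix_name = unix_name[1:].strip()
        if not unix_name:
            continue
        # shlex keeps the double-quoted "John Doe" as one name.
        rules.append(MapRule(unix_name, shlex.split(win_part), stop))
    return rules


def map_username(requested: str, rules: list) -> str:
    """Return the Unix name for the name the client presented.

    Every matching line rewrites the result and processing continues,
    so a later 'guest = *' overrides an earlier specific line unless that
    line carries the '!' stop marker. An unmatched name is returned as-is.
    """
    result = requested
    for rule in rules:
        hit = any(w == "*" or w.lower() == requested.lower()
                  for w in rule.windows_names)
        if hit:
            result = rule.unix_name
            if rule.stop:
                break
    return result


def expand_home_path(template: str, requested: str, unix_user: str) -> str:
    """%U is the requested (session) name, lowercased; %u is the Unix user
    the share is served as. Only these two substitutions are modelled."""
    return template.replace("%U", requested.lower()).replace("%u", unix_user)


def resolve_home(requested: str, map_text: str, template: str) -> tuple:
    """Mapping followed by substitution: returns (unix_user, connect_path)."""
    unix_user = map_username(requested, parse_username_map(map_text))
    return unix_user, expand_home_path(template, requested, unix_user)


if __name__ == "__main__":
    # The post's configuration: mapping succeeds, but %U still expands to
    # the requested name, which is why smbd looks for 'john doe'.
    for tmpl in ("/mnt/pool/homes/%U", "/mnt/pool/homes/%u"):
        print(tmpl, "->", resolve_home("John Doe", SMBUSERS, tmpl))
    for name, text in (("no stop", SMBUSERS_CATCHALL),
                       ("with '!'", SMBUSERS_CATCHALL_STOP)):
        print(name, "->", map_username("John Doe", parse_username_map(text)))
```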

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
You shouldn't need to fiddle with smbusers. Add your users via the FreeNAS webgui. Log in with your users. If your windows account is "john smith" and for some reason you want to authenticate with the user "john", create "john" via the webgui, add credentials for "john" in Windows "Credential Manager", and call it a day.
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
@anodos pretty much said it all. Only thing to add when mapping a drive, there is a check box that says "Authenticate using different credentials", tick it, enter the creds and away you go.
 

Bruce Payne

Cadet
Joined
Jul 21, 2016
Messages
2
@anodos
@m0nkey_

Thanks a lot, your help is greatly appreciated.

Just to be sure I get you right: your recommendation is to solve the problem on the client side, right?

If possible I would like to tackle this problem server-side, and from what I know, Samba's username mapping should do the trick?!? Is it a bug or (as I tend to believe) simply misconfiguration? Any hints in that direction?

You most certainly have noticed it, but to point it out explicitly: All of the above is obfuscated sample data (i.e. real-life usernames with more than 16 chars etc. pp.)!

Best regards,
dP
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
Ideally, usernames should not contain spaces or special characters (excluding . - _) as FreeNAS will not allow it. You should also only manage users in the FreeNAS GUI and not mess with user mappings in the Samba configuration. If your client workstation has a space in the username, just tell Windows to use alternative credentials when mapping the share.
 

pzi123

Cadet
Joined
May 29, 2014
Messages
6
So what about the setups that enable Active Directory authentication and map Windows users to UNIX users? This is the most common authentication setup besides small home labs. Windows user 'John Smith' needs to be mapped to UNIX user jsm using Samba files in /usr/local/etc:
smb4.conf:
Code:
username map = /usr/local/etc/smbusers

smbusers:
Code:
jsm = my_domain\jsm

Unfortunately FreeNAS 11.7 removes the smbusers file if created and removes 'username map' from smb4.conf. Basically, CLI configuration of 11.7 is not possible.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
This was an old thread from before I started working for iX. We already generate a username map for "Microsoft Account" functionality. If you really need to do this, then in 11.3 you can modify the template for the file we use by editing usr/local/lib/python3.7/site-packages/middlewared/etc_files/local/smbusername.map
Example
Code:
#
# SMB.CONF(5)           The configuration file for the Samba suite
#
<%
    """
    The username map is required for proper support of microsoft accounts
    that are also email addresses. See SMB.CONF(5) for more details.
    """
    users = middleware.call_sync('user.query', [
        ('microsoft_account', '=', True),
        ('email', '!=', None),
        ('email', '!=', ''),
    ])

%>
jsm = my_domain\jsm
% if users:
% for user in users:
    ${user['username']} = ${user['email']}
% endfor
% endif
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
The above example adds your jsm = my_domain\jsm example to our default file. This will persist across reboots, but not upgrades. I don't anticipate any changes to this particular file, so you can just keep a backup copy on your data pool to replace it when you need to.
 

pzi123

Cadet
Joined
May 29, 2014
Messages
6
11.3 is a pre-release. I am on 11.2u7 (stable) and I don't see this smbusername.map file. I don't think I will risk putting my data on that.
Also for me the use case of having a NAS share access using both NFS and CIFS is #1. User mapping from windows to UNIX is critical.
I guess I have to roll back to older releases and wait with the upgrades until NFS/CIFS access is fully implemented.
Thanks Anodos for a workaround.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
11.3 is a pre-release. I am on 11.2u7 (stable) and I don't see this smbusername.map file.
I had a typo in the path. The username map is generated in /usr/local/libexec/nas/generate_smb4_conf.py in 11.2. It is less straightforward to manually edit.
I don't think I will risk putting my data on that.
Also for me the use case of having a NAS share access using both NFS and CIFS is #1. User mapping from windows to UNIX is critical.
This is generally the role of idmap backends in winbind. How are you providing IDs in your environment? Just a pre-generated list? NIS? LDAP?
I guess I have to roll back to older releases and wait with the upgrades until NFS/CIFS access is fully implemented.
What upgrades?
 

pzi123

Cadet
Joined
May 29, 2014
Messages
6
What upgrades? 10.x to 11.x. Freenas 10.x did not hide samba user mapping and allowed for CIFS access to use UNIX ids. We don't need winbind for that. We don't use NAS as a UNIX server. All we need it to do is serve NAS shares with flexible user authentication.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
What upgrades? 10.x to 11.x. Freenas 10.x did not hide samba user mapping and allowed for CIFS access to use UNIX ids. We don't need winbind for that. We don't use NAS as a UNIX server. All we need it to do is serve NAS shares with flexible user authentication.
FreeNAS 10? As in Corral?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,545
Belly button lint??
Perhaps I was a bit too short. Corral was before my time and so familiarity is limited. I looked at the Corral Samba source. Corral implemented a custom winbindd idmap backend that allocated IDs making calls to its middleware dispatcher. In the big picture, the purpose of an idmap backend is to provide a mechanism to seamlessly integrate with other Unix computers in an AD environment (every client and server has the same IDs for the same Windows users, groups, and computer accounts). By rolling their own, they basically ensured that they were compatible with nothing else. It's a fundamental design flaw. I haven't looked at the ID allocation strategy in Corral and probably won't.

Your best bet is to look at how your IDs are allocated compared to SIDs in your environment. If the IDs and SIDs increment identically, then you can probably switch to idmap_rid and adjust the low range to the one used by default by Corral.
 