Cannot login to SMB Server/Authentication denied

Hello,

I have problems setting up SMB server in Solaris 11.3.
I had SMB working previously on Solaris 11 (updated to 11.3), but a bad harddisk crash forced me to install Solaris again from scratch and I cannot get it working properly.

I have imported the previous zfs pool with share.smb set to on for the applicable file systems.

I have tried following the instructions in the Oracle documentation "Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.3" to set up the SMB server service (not SAMBA).

This is a home server so I do not use an AD or LDAP server and have tried setting it up using workgroups.

The steps I have taken are:

Enabled mapping by using Identity Management

# svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: idmu

Enabled the SMB service

# svcadm enable -r smb/server

Added " password required pam_smb_passwd.so.1 nowarn " to /etc/pam.d/other

Reset password to populate /var/smb/smbpasswd

# passwd username

# smbadm join -w myworkgroup

The server shows up in the "Network places" and at one point I could log in to it using root, but I have not been able to open any shares using my normal user or root.
I have tried setting winnames in idmap as well without success. Restarted the service and computer a couple of times but to no use.
At the moment the server shows up but I cannot log in to it in any way via SMB.

I have tried looking in /var/adm/messages and the most helpful error message I have seen is "access denied: guest disabled".

Enabling guest for the shares in zfs enabled me to open one of the shares but no files were then visible, so I turned the guest option off again.

Please help me get to the bottom of this. I feel like I have missed some mundane detail but I cannot figure out what.

Added/Changed CODE tags.

Reading your post you seem to have done everything correctly AFAIK.

This may be a dumb question but have you enabled/restarted the service since you populated 'smbpasswd' for the smb users?

# svcadm enable network/smb

 or
   
# svcadm restart network/smb

This may require more thought.

First, sorry for forgetting code tags. Will try to remember those in the future.

Just to make sure. I tried to restart the service. I have also restarted the computer earlier after trying to make things work.

Still not working. :frowning:

I tried to log in to the machine from my windows computer and then looked in /var/adm/messages and had these entries:

Oct 30 22:52:27 Solaris smbd[3704]: [ID 702911 daemon.notice] service shutting down
Oct 30 22:52:27 Solaris smbd[3704]: [ID 702911 daemon.notice] service terminated
Oct 30 22:52:27 Solaris smbd[4057]: [ID 702911 daemon.notice] dyndns: failed to get domainname
Oct 30 22:52:27 Solaris smbd[4057]: [ID 702911 daemon.notice] service initialized
Oct 30 22:52:55 Solaris smbd[4057]: [ID 812811 daemon.notice] logon[windowscomputer\username]: LOGON_FAILURE
Oct 30 22:52:56 Solaris last message repeated 1 time
Oct 30 22:55:17 Solaris gdm-simple-greeter[3795]: [ID 702911 daemon.warning] atk-bridge-WARNING: AT_SPI_REGISTRY was not started at session startup.
Oct 30 22:57:28 Solaris smbd[4057]: [ID 812811 daemon.notice] logon[windowscomputer\username]: LOGON_FAILURE

I have substituted the computer and username.

I've been thinking about this more.
I note the "LOGON_FAILURE" error.

Firstly, can your smb users login to Solaris as normal users with the credentials they are using?

Secondly, but without a Solaris 11 machine here to try it on, I would give this as an example:

# zpool create mypool c3t1d0
# zfs create -o casesensitivity=mixed -o nbmand=on mypool/fs1
# zfs set share=name=fs1,path=/mypool,prot=smb mypool
# zfs set sharesmb=on mypool/fs1
# svcadm enable -r smb/server
# svcadm enable network/smb
# REM Now reset passwords of smb users to populate smbpasswd

Perhaps give (some of) that a go creating a new smb share and see what happens. Return to the share(s) you've already tried to configure if it works.

Hello again and thank you for trying to help me :slight_smile:

I can login to Solaris both thru desktop/GNOME and ssh with my user. Using that same user without elevation of root I can access and view the folder shares locally as well so it should not be an access problem, but you never know.

I tried creating a new filesystem as you suggested (tank/smbtest) including the following steps with setting up sharing over smb but that did unfortunately not change anything.

I tried in a stroke of desperation to login thru my android surfpad, and it would show all the shares unlike my windows computer, but it would not login. So I tried in my windows computer to enter the path to the newly created share and a music share with 774 but could not login.
I even tried entering the music share in my sonos but it would not have it either. :stuck_out_tongue:

last entries in /var/adm/messages after my tries as follows

Oct 31 20:58:28 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [NT Authority\Anonymous]: tank_smbtest access denied: IPC only
Oct 31 20:58:28 Ugglan last message repeated 1 time
Oct 31 21:04:08 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [UGGLAN\guest]: Audio access denied: guest disabled
Oct 31 21:04:09 Ugglan last message repeated 7 times
Oct 31 21:04:09 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [NT Authority\Anonymous]: Audio access denied: IPC only
Oct 31 21:04:09 Ugglan last message repeated 1 time
Oct 31 21:04:09 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [UGGLAN\guest]: Audio access denied: guest disabled
Oct 31 21:04:09 Ugglan last message repeated 3 times
Oct 31 21:04:24 Ugglan smbd[4057]: [ID 812811 daemon.notice] logon[UGGLAN\user1]: LOGON_FAILURE
Oct 31 21:04:24 Ugglan last message repeated 4 times
Oct 31 21:04:24 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [NT Authority\Anonymous]: Audio access denied: IPC only
Oct 31 21:04:24 Ugglan last message repeated 1 time
Oct 31 21:04:24 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [UGGLAN\guest]: Audio access denied: guest disabled
Oct 31 21:04:24 Ugglan last message repeated 3 times
Oct 31 21:35:38 Ugglan smbd[4057]: [ID 812811 daemon.notice] logon[Wombat\user1]: LOGON_FAILURE

Ugglan is the name of the Solaris server, Wombat is the windows laptop. Username changed to user1 as I'm not sure how safe it is to include usernames in an open forum like this.

The different behaviour of the surfpad led me to think if it might have anything to do with me having the same username on the windows computer and in solaris? On the other hand, it did work fine with same usernames in both computers before the reinstall.

Can I have messed something up in my initial setup of the SMB server? Can I somehow start over from scratch and try again from a clean slate?

Does the SMB server itself have any logs to look in or am I stuck with looking in messages?

Please tell me if there are any log or any information that I can try to provide to find a solution to this mystery.
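
An added example, not part of any post in this thread: a small Python triage of the smbd/smbsrv lines shown in the excerpts above, counting LOGON_FAILURE per account and share denials per reason, with syslog's "last message repeated N times" lines folded into the count. The sample log is constructed in the format of the excerpts, and the function name `triage` is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample, in the format of the /var/adm/messages excerpts above.
SAMPLE = r"""
Oct 31 21:04:08 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [UGGLAN\guest]: Audio access denied: guest disabled
Oct 31 21:04:09 Ugglan last message repeated 7 times
Oct 31 21:04:09 Ugglan smbsrv: [ID 421734 kern.notice] NOTICE: [NT Authority\Anonymous]: Audio access denied: IPC only
Oct 31 21:04:24 Ugglan smbd[4057]: [ID 812811 daemon.notice] logon[UGGLAN\user1]: LOGON_FAILURE
Oct 31 21:04:24 Ugglan last message repeated 4 times
Oct 31 21:35:38 Ugglan smbd[4057]: [ID 812811 daemon.notice] logon[Wombat\user1]: LOGON_FAILURE
Oct 31 21:36:00 Ugglan gdm-simple-greeter[3795]: [ID 702911 daemon.warning] unrelated line
"""

LOGON = re.compile(r"smbd\[\d+\]: \[ID \d+ [\w.]+\] logon\[(?P<acct>[^\]]+)\]: LOGON_FAILURE")
DENIED = re.compile(r"smbsrv: \[ID \d+ [\w.]+\] NOTICE: \[(?P<acct>[^\]]+)\]: "
                    r"(?P<share>\S+) access denied: (?P<reason>.+)$")
REPEAT = re.compile(r"last message repeated (\d+) times?")


def triage(text):
    """Return (logon_failures, share_denials) Counters from syslog text.

    logon_failures is keyed by DOMAIN\\user as sent by the client;
    share_denials is keyed by (account, share, reason).
    """
    logons, denials = Counter(), Counter()
    last = None  # (counter, key) of the previous counted line, for repeats
    for line in text.splitlines():
        rep = REPEAT.search(line)
        if rep:
            # syslog collapses identical lines; N is the number of extra copies
            if last:
                last[0][last[1]] += int(rep.group(1))
            continue
        m = LOGON.search(line)
        if m:
            last = (logons, m.group("acct"))
        else:
            m = DENIED.search(line)
            last = (denials, (m.group("acct"), m.group("share"), m.group("reason"))) if m else None
        if last:
            last[0][last[1]] += 1
    return logons, denials


if __name__ == "__main__":
    logon_failures, share_denials = triage(SAMPLE)
    for acct, n in logon_failures.most_common():
        print(f"{n:3d} LOGON_FAILURE  {acct}")
    for (acct, share, reason), n in share_denials.most_common():
        print(f"{n:3d} denied         {acct} -> {share} ({reason})")
```

Keeping the domain part of the account in the key shows which name the client presented (here `UGGLAN\user1` versus `Wombat\user1`), which is the detail the poster goes on to wonder about.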

This is the Oracle documentation about troubleshooting SMB connectivity but I assume that you've already gone through that?

Troubleshooting the SMB Service - Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1

I tried following a similar troubleshooting guide in the document mentioned in my first post but I will go through the one you provided as well when I get home.

Just to make sure I haven't set everything up with wrong assumptions, what would be the best "mode" for smb to run in?

As mentioned earlier this is a home server connected to a normal home router. For smb, it is mainly serving a windows computer, some music players and the occasional surfpad or mobile phone. I do not have or use any AD server or LDAP. So the Solaris machine is very much a stand alone server.
I have assumed that I should run smb in workgroup mode and use idmu.
Is this correct or should my approach be different?
How should I go about/what strategy should I have configuring smb in my use case?


SOLVED! :slight_smile:

directory_based_mapping shall NOT be set to idmu, but to none for my use case as a stand alone server.

I set it using:

# svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: none

and then restarted idmap and smb and everything worked as it should immediately.

For reference to others:
I compared the smb manifest and method files against a backup of the previous installation and they were as far as I could tell an exact match.
That together with the problem seeming to revolve around credentials got me to start reading up on how smb handles logins, samba security modes and identity mapping and found a quite good samba manual/guide in the docs section at samba.org that mentioned that idmap was not relevant when running a stand alone server using workgroups.

And after that things worked themselves out relatively quickly. :slight_smile:

Thanks for the help and things to try, it really helped me look for the right clues leading up to the solution!

That's a good result!!

I notice that despite joining this forum over 3 years ago these were your first posts. A belated welcome to the forums.

It's much easier for us to work with someone who is willing to run their own investigation rather than just expect "the answer on a plate". So very well done.

Thank you very much for posting the solution. As you say, it will help future readers and probably stop this question being asked again (assuming people follow the rules and search the forum for their problem first).
