Re: [OmniOS-discuss] cifs anonymous troubles

2016-04-17 Thread Natxo Asenjo 
hi Gordon,

On Sun, Apr 17, 2016 at 5:38 PM, Gordon Ross 
wrote:

> Hi Dan,
>
> So with that bug fixed, one can logon as "guest" only if:
> (1) you actually ask for guest in your logon request,
> (2) a local Unix account named "guest" exists, and
> (3) the guest account is enabled for SMB
>
> Therefore, if you were using guest access before 1122 was fixed,
> (and were depending on accidental guest access working),
> you'll need to do the following to re-enable guest access:
>
> useradd (options] guest
> smbadm enable-user guest


I confirm this works. Thanks!
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss

Re: [OmniOS-discuss] cifs anonymous troubles

2016-04-17 Thread Gordon Ross 
Hi Dan,

I can take a guess what this might be about.

There were several bugs fixed as part of the "extended security" work:
1122 smbsrv should use SPNEGO (inbound authentication)

One of those was that we used to give a client a "guest" logon
if they tried to logon to SMB with _any_ unrecognized account.
No, that was never a good idea. Not only was it questionable
for security, but it confused issues about failed logon.  Example:
Windows user does NOT get the expected pop-up dialog asking
for new credentials when they try to connect to a share using
an invalid user name.  Instead, they would get connected,
but would fail to have access to anything in the share.

So with that bug fixed, one can logon as "guest" only if:
(1) you actually ask for guest in your logon request,
(2) a local Unix account named "guest" exists, and
(3) the guest account is enabled for SMB

Therefore, if you were using guest access before 1122 was fixed,
(and were depending on accidental guest access working),
you'll need to do the following to re-enable guest access:

useradd (options] guest
smbadm enable-user guest

The guest account password is ignored by SMB, so
all that matters to SMB is whether that account is
marked as enabled in /var/smb/smbpasswd

To keep Unix users from using guest for login, you can
set the Unix password hash to something invalid, etc.

On Fri, Apr 15, 2016 at 4:05 PM, Natxo Asenjo  wrote:
> hi,
>
> trying to set up an anonymous share on workgroup mode  I do not get it
> working.
>
> I have a dataset tank/test with these sharesmb properties:
>
> zfs get sharesmb tank/testshare
> NAMEPROPERTY  VALUE   SOURCE
> tank/testshare  sharesmb  name=test,guestok=true  local
>
> These are the permissions on that path:
>
> # /usr/bin/ls -Vd /tank/testshare/
> drwxrwxrwx+ 14 root root  14 Sep 11  2015 /tank/testshare/
>   everyone@:rwxpdDaARWcCos:fd-:allow
>
> Both using a windows client (win 2012r2) as a linux smbclient (fedora 23),
> both quite modern, I cannot access the share:
>
> Linux smbclient:
> $ smbclient -U " " -L //192.168.0.172 -N
> Anonymous login successful
> Domain=[WORKGROUP] OS=[SunOS 5.11 omnios-r151018-ae314] Server=[Native SMB
> service]
>
> Sharename   Type  Comment
> -     ---
> c$  Disk  Default Share
>
> testDisk
> Connection to 192.168.0.172 failed (Error NT_STATUS_CONNECTION_REFUSED)
> NetBIOS over TCP disabled -- no workgroup available
>
>
> Windows client:
> C:\Users\Administrator>net view \\192.168.0.172
> System error 5 has occurred.
>
> Access is denied.
>
>
> Using a local user works, with smb2 ;-)
>
> Any one success with guestok=true and cifs?
>
> --
> Groeten,
> natxo
>
> ___
> OmniOS-discuss mailing list
> OmniOS-discuss@lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss

Re: [OmniOS-discuss] cifs anonymous troubles

2016-04-15 Thread Jeff Berkembrock 
Hello,

I wanted to chime in and say I also experienced this. Guest smb access
seems broken both when I upgrade to 18 as well as when I perform a fresh
install and create new pool & share.

Best Regards,

Jeff Berkembrock
On Apr 15, 2016 1:06 PM, "Natxo Asenjo"  wrote:

> hi,
>
> trying to set up an anonymous share on workgroup mode  I do not get it
> working.
>
> I have a dataset tank/test with these sharesmb properties:
>
> zfs get sharesmb tank/testshare
> NAMEPROPERTY  VALUE   SOURCE
> tank/testshare  sharesmb  name=test,guestok=true  local
>
> These are the permissions on that path:
>
> # /usr/bin/ls -Vd /tank/testshare/
> drwxrwxrwx+ 14 root root  14 Sep 11  2015 /tank/testshare/
>   everyone@:rwxpdDaARWcCos:fd-:allow
>
> Both using a windows client (win 2012r2) as a linux smbclient (fedora 23),
> both quite modern, I cannot access the share:
>
> Linux smbclient:
> $ smbclient -U " " -L //192.168.0.172 -N
> Anonymous login successful
> Domain=[WORKGROUP] OS=[SunOS 5.11 omnios-r151018-ae314] Server=[Native SMB
> service]
>
> Sharename   Type  Comment
> -     ---
> c$  Disk  Default Share
>
> testDisk
> Connection to 192.168.0.172 failed (Error NT_STATUS_CONNECTION_REFUSED)
> NetBIOS over TCP disabled -- no workgroup available
>
>
> Windows client:
> C:\Users\Administrator>net view \\192.168.0.172
> System error 5 has occurred.
>
> Access is denied.
>
>
> Using a local user works, with smb2 ;-)
>
> Any one success with guestok=true and cifs?
>
> --
> Groeten,
> natxo
>
> ___
> OmniOS-discuss mailing list
> OmniOS-discuss@lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
>
>
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss

[OmniOS-discuss] cifs anonymous troubles

2016-04-15 Thread Natxo Asenjo 
hi,

trying to set up an anonymous share on workgroup mode  I do not get it
working.

I have a dataset tank/test with these sharesmb properties:

zfs get sharesmb tank/testshare
NAMEPROPERTY  VALUE   SOURCE
tank/testshare  sharesmb  name=test,guestok=true  local

These are the permissions on that path:

# /usr/bin/ls -Vd /tank/testshare/
drwxrwxrwx+ 14 root root  14 Sep 11  2015 /tank/testshare/
  everyone@:rwxpdDaARWcCos:fd-:allow

Both using a windows client (win 2012r2) as a linux smbclient (fedora 23),
both quite modern, I cannot access the share:

Linux smbclient:
$ smbclient -U " " -L //192.168.0.172 -N
Anonymous login successful
Domain=[WORKGROUP] OS=[SunOS 5.11 omnios-r151018-ae314] Server=[Native SMB
service]

Sharename   Type  Comment
-     ---
c$  Disk  Default Share

testDisk
Connection to 192.168.0.172 failed (Error NT_STATUS_CONNECTION_REFUSED)
NetBIOS over TCP disabled -- no workgroup available


Windows client:
C:\Users\Administrator>net view \\192.168.0.172
System error 5 has occurred.

Access is denied.


Using a local user works, with smb2 ;-)

Any one success with guestok=true and cifs?

--
Groeten,
natxo
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss