Created attachment 18472
created with:

    testparm -v /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt

In a built from source install of samba 4.21.0 configured with load printers = Yes; using net view \\server from windows FAILS, with a logged error (by smbd) of:

    [2024/10/13 14:31:47.580921, 0, pid=23271] ../../source3/auth/auth_util.c:1441(make_new_session_info_guest)
      create_local_token failed: NT_STATUS_NO_SUCH_USER
    [2024/10/13 14:31:47.581060, 0, pid=23271] ../../source3/rpc_server/rpc_host.c:2905(main)
      main: init_guest_session_info failed

Windows reports:

    C:\TEMP\tmp> net view \\su
    System error 53 has occurred.

    The network path was not found.

The workaround seems to be to add the guest user (in my case sys-smb-guest) to the smbpasswd file with:

    smbpasswd -n -a sys-smb-guest

(then all is well, so I do not need a fix - but you might want to check the code).

Notes:
Exact same configuration and build options of samba 4.20.5 (and older) does not show this issue.
sys-smb-guest is already in the LOCAL /etc/passwd file.
I have found this issue on both a domain attached install, and a stand-alone install.
If you have any other reports of this issue, have them try adding the defined guest user to the smbpasswd file.
(In reply to Paul FM from comment #0)

But you are not using any guest user, after wading through your extensive supplied smb.conf (please note, do not post the output of 'testparm -v', it gives EVERYTHING, please use 'testparm -s') I find that you have 'map to guest = Never' set, this is the default and means that guest is never used and if you were using guest, then Samba uses a Unix user, as stated in 'man smb.conf':

    Sections may be designated guest services, in which case no password is required to access them. A specified UNIX guest account is used to define access privileges in this case.

So, this isn't a bug, it is mis-configuration.

There are lots of mis-configurations in your smb.conf, for instance, you do not use 'idmap config' lines on a standalone server.
Created attachment 18476
Updated settings, using:

    testparm -s /links/samba/etc/smbd.conf 2> pfm1.smbd.testparm.txt > pfm1.smbd.settings.txt

I was already connected to the server, as an authenticated user. smbd uses the guest account for operations that are not authenticated (for instance - for maintaining browse lists).

And yes, those parameters aren't used for a stand-alone installation (so they do nothing), and there are a couple of deprecated settings; and, I am probably one of the few who use the "guest account =" parameter.

As I pointed out, the EXACT same configuration with 4.20.5 (and many older versions) works without this issue.

For guest mapping, I am also using:

    username map script = /links/samba/etc/bin.smbd/username-remap.pl

However, the issue persists without this setting (with no logging of NT_STATUS_NO_SUCH_USER); however, I still don't get a browse list. And again, 4.20.5 works fine with that setting removed (and no sys-smb-guest user in the smbpasswd file).

Possibly, this is just some change that is not documented in the change log (nor the man pages). That is - that all users used by smbd, must exist in the smbpasswd file, or in the Domain (in the past, any user with a unix account could be used, and would be assumed to exist in smbpasswd with "NO PASSWORD").

If this is just a change - it just could use some additional documentation.

Thanks.
(In reply to Paul FM from comment #2)

The 'guest account' is used when 'guest ok' is set, from 'man smb.conf':

    guest account (G)
        This is a username which will be used for access to services which are specified as guest ok (see below). Whatever privileges this user has will be available to any client connecting to the guest service. This user must exist in the password file, but does not require a valid login. The user account "ftp" is often a good choice for this parameter.

    guest ok (S)
        If this parameter is yes for a service, then no password is required to connect to the service. Privileges will be those of the guest account.

However, they both rely on 'map to guest' not being set to 'never' (the default), which, as you don't have it in your revised smb.conf it is, so there is no guest access.

The default guest user is 'nobody', which is a standard Unix user and is in /etc/passwd (aka the password file), so if you replace the default guest user with another one, that user must be in /etc/passwd, it has been that way for more years than I care to remember.

The other problem is that Windows has deprecated guest access and you have to turn it back on if you require it on most enterprise versions.

As for the browse list, this is a SMBv1 thing and Samba is working hard to remove SMBv1 (Windows has deprecated it as well), so you would do well to stop relying on it.

I suggest you remove all the un-required (and probably unused) lines from your smb.conf and use Samba as a standalone server.
Let me be clear. This is NOT about the unix account sys-smb-guest.

I don't want samba to map any user to guest for the purpose of connecting to the server (those users should be denied access); the exception is public shares (which can be connected to as the windows NULL user). However, a defined and authorized user should be able to list the shares available on the server (which windows does by invoking a NULL user connection - requiring smbd to operate as the defined guest account). I don't use the user nobody, as there are potential security issues with network access processes running as nobody.

This is a change since the last version of samba (it may be intentional; but, it isn't properly documented).

The sys-smb-guest account is defined in Unix properly at all times in my tests. The failure happens when it is NOT in the smbpasswd file. I have to add it with:

    smbpasswd -n -a sys-smb-guest

Then - all is well.

Since, I already have a solution - I am sharing it so it can be added to the documentation. That is: All accounts used by samba MUST now exist in BOTH the Unix users (or in the automatically created samba virtual unix account databases), and in the defined users that SAMBA works with (like AD, or the local smbpasswd file/db).

I tested if setting the guest account to nobody (the default), exhibits the same issue. I set:

    guest account = nobody
    map to guest = bad user

And still have the same issue (including the same error messages). I then ran (without restarting samba):

    smbpasswd -n -a nobody

And the problem was cured. (removing nobody from the smbpasswd file, immediately broke it again - no restart of samba). So, this is even a problem with the default setting for "guest user".

I should add, that all this seems to be connected to using the parameter:

    username map script = /links/samba/etc/bin.smbd/username-remap.pl

Note, if I simply use

    username map script = /bin/echo

I have the same issue (with the other two settings set as above). Again - fixed with:

    smbpasswd -n -a nobody

So, this is some change in the code for when "username map script" is defined. I would guess it is a change either in:

    source3/auth/auth_util.c

Or (more likely):

    source3/auth/user_util.c

However, the function "map_username" in that file is not well documented, so I find it rather hard to follow (it seems to be the function directly affected by the "username map script" parameter).

Thanks.
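The condition described in the comment above can be checked offline with the following added example, which is not part of the thread and is not Samba code. It assumes `testparm -s` style `[global]` text, passwd(5) lines, and `pdbedit -L` output (`user:uid:name`); the function names and finding labels are hypothetical, and the passdb requirement is the reporter's observation, not something the maintainers confirm here.

```python
import re

# Constructed sample inputs (not taken from the reporter's attachments).
CONF = """\
[global]
    guest account = sys-smb-guest
    map to guest = Never
    username map script = /bin/echo
"""
PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
          "sys-smb-guest:x:990:990::/nonexistent:/usr/sbin/nologin\n")
PDBEDIT_L = "alice:1000:Alice Example\n"  # shape of `pdbedit -L` output
LOG = """\
[2024/10/13 14:31:47.580921, 0, pid=23271] ../../source3/auth/auth_util.c:1441(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
"""

def global_params(conf_text):
    """Parse the [global] section; parameter names ignore case and spaces."""
    params, in_global = {}, False
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def first_fields(colon_text):
    """User names from passwd(5) or `pdbedit -L` colon-separated lines."""
    return {l.split(":", 1)[0] for l in colon_text.splitlines() if ":" in l}

def audit_guest(conf_text, passwd_text, pdbedit_text, log_text=""):
    """Return (guest account name, list of hypothetical finding labels)."""
    params = global_params(conf_text)
    guest = params.get("guestaccount", "nobody")  # default named in the thread
    findings = []
    if guest not in first_fields(passwd_text):
        findings.append("not-in-unix-passwd")      # documented requirement
    if guest not in first_fields(pdbedit_text):
        findings.append("not-in-passdb")           # reporter's 4.21.0 observation
    if "usernamemapscript" in params:
        findings.append("username-map-script-set") # reporter links the failure to it
    if re.search(r"make_new_session_info_guest\)\s+create_local_token failed: "
                 r"NT_STATUS_NO_SUCH_USER", log_text):
        findings.append("guest-token-failure-logged")
    return guest, findings

if __name__ == "__main__":
    print(audit_guest(CONF, PASSWD, PDBEDIT_L, LOG))
```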
(In reply to Paul FM from comment #4)

I think you are talking about 'anonymous access' as used by smbclient:

    smbclient -NL localhost
    Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk
    netlogon        Disk
    Demo            Disk
    IPC$            IPC       IPC Service (Samba 4.20.4-Debian-4.20.4+dfsg-1~bpo12+1)
    SMB1 disabled -- no workgroup available

If this is the case, then this still relies on the 'guest user' setting in smb.conf.
By default, if the 'guest user' isn't in /etc/passwd on a standalone server then you would get this:

    smbclient -NL localhost
    Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    SMB1 disabled -- no workgroup available

No shares.

I thought it was common knowledge that for Samba to know authenticated users on a standalone server they must exist as local users in /etc/passwd and be created in Samba by running 'smbpasswd -a $USERNAME' as root. I also thought it was known that if you changed the guest user in smb.conf, the user used must be in /etc/passwd, indeed, in 'man smb.conf', under 'guest account (G)' there is this line:

    This user must exist in the password file, but does not require a valid login.
It is common knowledge - yes, the "guest user" must be in the local password (or exist as a Unix user).

The guest user (including the default "nobody"), never needed to be in the smbpasswd file or database before (which is not the /etc/passwd file).

On 2024-10-20 5:37 AM, samba-bugs@samba.org wrote:
> https://bugzilla.samba.org/show_bug.cgi?id=15736
>
> --- Comment #5 from Rowland Penny <rpenny@samba.org> ---
> (In reply to Paul FM from comment #4)
>
> I think you are talking about 'anonymous access' as used by smbclient:
>
> smbclient -NL localhost
> Anonymous login successful
>
> Sharename Type Comment
> --------- ---- -------
> sysvol Disk
> netlogon Disk
> Demo Disk
> IPC$ IPC IPC Service (Samba
> 4.20.4-Debian-4.20.4+dfsg-1~bpo12+1)
> SMB1 disabled -- no workgroup available
>
> If this is the case, then this still relies on the 'guest user' setting in
> smb.conf.
> by default, if the 'guest user' isn't in /etc/passwd on a standalone server
> then you would get this:
>
> smbclient -NL localhost
> Anonymous login successful
>
> Sharename Type Comment
> --------- ---- -------
> SMB1 disabled -- no workgroup available
>
> No shares.
>
> I thought it was common knowledge that for Samba to know authenticated users on
> a standalone server they must exist as local users in /etc/passwd and be
> created in Samba by running 'smbpasswd -a $USERNAME' as root. I also thought it
> was known that if you changed the guest user in smb.conf, the user used must be
> in /etc/passwd, indeed, in 'man smb.conf', under 'guest account (G)' there is
> this line:
>
> This user must exist in the password file, but does not require a valid login.
>
Now even with useless fullquotes. Can you please move such a chatty discussion like this to the samba mailing list and not do that in a bugzilla?
Yes, I forgot to remove the quoted text on my last reply (not enough coffee).

There should be more than enough information in this ticket to replicate the issue (and test the work-around).

I do not understand why there are repeated suggestions that I do not have the defined "guest account" in the /etc/passwd file, as I have clearly stated that in every single test, that user is always in the /etc/passwd file (both sys-smb-guest, and nobody are in the /etc/passwd in every test). The documentation for "guest account" in the smb.conf man page, clearly states that the user must exist in the passwd file (and has for the entire 28 years that I have been working with samba, my first installation was on SunOS for Windows clients - mainly for printing).

And - I am also suggesting that if this is an accidental change (starting with 6.21.0), that you should consider making it a permanent change (just document it, and make the error messages clearer). As it is a good thing to require every Unix user that samba becomes, to be defined in either AD information, or the local smbpasswd file (a double check to certain configuration errors). However, someone should check the code involved (when there is time), to make sure there wasn't some other more serious bug introduced with this change.

Please leave this ticket public (if possible) as the ticket itself should have enough information to help anyone else running into this same issue. I would consider this a very LOW priority issue, since there is a clear work-around.

Thanks.
(In reply to Paul FM from comment #8) I am closing this, there is nothing to fix, Samba has always required that the guest user be in the password file (which is typically /etc/passwd).
Please re-read carefully what the bugreporter wrote. :)