I've been setting up a Samba share on a Red Hat box, and am able to connect to it from the local machine. From an XP machine however, I'm only able to successfully connect to the root of the share (e.g. "\machine"). Connecting to the actual shared folders (e.g. "\machine\share") generates an error.
The full error message is:
\machine\share is not accessible.
You might not have permission to use
this network resource. Contact the
administrator of this server to find
out if you have access permissions.
Incorrect function.
Looking at the properties on the Windows side, I see "everyone", "root (Unix Group\root)", and "root (Unix User\root)" listed with no permissions.
I'm using share authentication, and the user I've designated for the guest account has read/write access to the shared folder.
Has anyone run into a similar issue before? Thanks in advance for any assistance.
It looks like the Windows machine was caching authentication information, and not updating it as the Samba server's authentication mode was changed. This meant that once I'd failed to connect to the Samba server (due to bad settings on the server side), connections would continue to fail even when the server settings were corrected. Rebooting the XP machine resolved the issue.
I have a Windows Server 2019 installation with an LDAP instance (nfsmappingstore) for NFS mapping. I created this with the PowerShell cmdlet Install-NfsMappingStore.
To illustrate, here is a list of the users in that store, and a test of one user:
I have an NFS Share setup as illustrated here:
When I turn on the circled option called "Enable unmapped user access", with the sub-option "Allow unmapped user Unix access (by UID/GID)", then I can go to my Ubuntu 18.04 machine and mount that successfully with the command:
sudo mount -t nfs server:/AutoProv mnt
I can then see the files and folders in the share.
However, when I turn that option off, wishing to actually use the mapped user functionality, I get the error:
root#br-dv-ss-l01:/home/steve# mount -vvvv -t nfs server:/AutoProv mnt
mount.nfs: timeout set for Fri Apr 2 18:28:11 2021
mount.nfs: trying text-based options 'vers=4.2,addr=10.200.225.1,clientaddr=10.200.225.104'
mount.nfs: mount(2): Protocol not supported
mount.nfs: trying text-based options 'vers=4.1,addr=10.200.225.1,clientaddr=10.200.225.104'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting server:/AutoProv
root#br-dv-ss-l01:/home/steve#
I think this means that the uid/gid was not really sent or interpreted by Windows Server 2019. Looking at the event logs on the server, it seems to indicate that it is happy and reading the LDAP instance OK, and the Test cmdlet gives no errors.
The one possible altered thing I could think to do that seemed to cause a very slightly different effect was to add the "-o nfsvers=3" to the mount command. When I did that, the share did actually mount, but the NFS server refused to let me see anything inside of the share:
Can someone guide me as to how to investigate this issue further? At this time I do not know how to verify what the Windows Server is getting as far as UID/GID, so I really don't know which side of this the issue is on.
Thank you!
Incidentally, we never got any answer on this. LDAP option appears not to work at all. However, the passwd, group file mapping option works great, and we switched to that.
The files have to be named 'group' and 'passwd' lowercase with no extension. They have to be placed in 'C:\Windows\System32\drivers\etc'. Syntax for 'group':
machinename\PodGroup:x:2501:2500,3500
machinename\MyLocalWindowsGroup:x:2502:3500
domain\ACLname:x:2503:0,2500
or generally:
groupname:x:GID:UID1,UID2,etc....
Essentially this is the same mapping that Linux uses as described here: https://www.thegeekdiary.com/etcgroup-file-explained/
So you define a local group on your Windows Server that is running NFS and reference that in the first entry of the line, or use a domain ACL group there. Each 'column' of each line is separated by colons. The second entry 'x' is a description field I think and not used. Third is the GID you want the Windows group to be mapped to.
For passwd:
domain\stevesims:x:0:0:Root User,,,:c:\users\stevesims
domain\johndoe:x:2500:2501:Pod User,,,:c:\users\johndoe
domain\janedoe:x:3500:2501:Pod User,,,:C:\users\janedoe
or generally:
username:x:UID:GID:desc,,,:WindowsPathToItsProfile
Once these files are in place on the NFS Server you must restart the NFS Server service or it will not reread the file.
After it is restarted, it will read the file, and if a Linux machine writes a file to the NFS Server, it will be treated as if it has the permissions of the matching Windows account or group from these files.
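A lint pass over the two mapping files described above, as an added example (not part of the original answer and not a Microsoft tool): it checks the field layout, flags accounts mapped to UID 0 for review, and reports UIDs shared by several Windows accounts and group members with no passwd entry. The sample entries are constructed from the answer's examples plus a duplicate UID and a group line missing a colon; the function names `parse` and `lint` are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: the answer's entries plus one duplicate UID
# and one group line that is missing the colon after the GID.
PASSWD = r"""domain\stevesims:x:0:0:Root User,,,:c:\users\stevesims
domain\johndoe:x:2500:2501:Pod User,,,:c:\users\johndoe
domain\janedoe:x:3500:2501:Pod User,,,:C:\users\janedoe
domain\dupe:x:2500:2501:Pod User,,,:c:\users\dupe"""
GROUP = r"""machinename\PodGroup:x:2501:2500,3500
machinename\Broken:x:2502,3500
domain\ACLname:x:2503:0,2500,4242"""


def parse(text, nfields, nnum, label):
    """Split lines into nfields colon-separated fields; report bad lines."""
    rows, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        # maxsplit keeps the profile path ('c:\users\...') in one field
        parts = line.strip().split(":", nfields - 1)
        if len(parts) != nfields or not all(p.isdigit() for p in parts[2:2 + nnum]):
            findings.append(f"{label}:{n}: malformed entry")
        else:
            rows.append(parts)
    return rows, findings


def lint(passwd_text, group_text):
    """Return a list of findings for a passwd/group mapping pair."""
    users, findings = parse(passwd_text, 6, 2, "passwd")
    groups, bad = parse(group_text, 4, 1, "group")
    findings += bad
    by_uid = defaultdict(list)
    for row in users:
        by_uid[int(row[2])].append(row[0])
    for uid, names in sorted(by_uid.items()):
        if uid == 0:  # NFS clients' root is treated as this Windows account
            findings.append(f"UID 0 (root) mapped to {', '.join(names)}")
        if len(names) > 1:
            findings.append(f"UID {uid} shared by {', '.join(names)}")
    for name, _, gid, members in groups:
        for m in filter(None, members.split(",")):
            if not m.isdigit() or int(m) not in by_uid:
                findings.append(f"group {name} (GID {gid}): member {m!r} has no passwd entry")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(PASSWD, GROUP)))
```

Running it against the real files before restarting the NFS Server service catches a malformed line before the service rereads the mapping.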
For context: I'm a student and I must do a project with some other people from my class. My role is to prepare a web server for them that each one can use and access from anywhere. I plan to host everything on a dedicated server that I already have, to avoid additional cost, and give each person a subdomain that will be redirected with VirtualHosts. They will be able to send files to the server through an SFTP server (openssh); they will get one account per person, and it will be chrooted to their virtualhost directory.
My main problem: will this be secure? I mean, if one of the users sets an easy password or just does anything risky, can someone access the other people's virtualhosts or even the dedicated host machine? I already thought about .htaccess, and they will be deactivated. Is there another way to get out of an Apache virtualhost?
Things to note: they will have Apache, PHP and access to a MySQL (or maybe MariaDB, I don't know for now) database. So, they may be able to upload some old, insecure code. Some of these users are not very educated in cybersecurity.
The server runs Ubuntu 16.04 LTS.
Thanks for the advice,
If you limit their access to only their own home directory, that's a good start.
A good layer of security would also be to implement 2FA. Check out Duo Mobile; you can implement it for SSH logins (or I need more details, e.g. what options do they have to log in to the server?)
If the users are not very educated in cybersecurity as you mentioned, it will be difficult for them to escape the virtual host they have access to.
Although I need more details, such as whether each virtual host will have a separate database or will be talking to a central database. Also, as a paranoid measure, consider where the server is hosted. There are lots of variables that can be affirmed from what you described, but it is best to keep the server on its own network with nothing critical in the same subnet. Just in case.
We installed an OpenLDAP 2.4.31 solution on Debian, and several machines in the site are using it. Local authentication is not disabled on the machines, though.
One of the machines has some problems, and its developers asked us to disable central authentication for it. Due to policy, we are not able to change anything on the machine itself, and can only configure our LDAP server. How can we prevent one specific machine from using our LDAP server?
You can remove the address of the machines from the LDAP servers; but make sure the machine doesn't get locked out!
I followed this
http://blogs.technet.com/b/keithmayer/archive/2013/04/17/step-by-step-build-a-free-sharepoint-2013-lab-in-the-cloud-with-windows-azure-31-days-of-servers-in-the-cloud-part-7-of-31.aspx#.UX_iF7XvvQI
I created a VM using the datacentre image. It was created successfully and the status shows it's running. When I try to RDP, it says:
Remote Desktop can't connect to the remote computer for one of these reasons:
1) Remote access to the server is not enabled
2) The remote computer is turned off
3) The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
I did check the endpoints: the public port is open and the 3389 private port is open too. I did try with different releases, one with the latest patch and the other with the second-latest OS patch, but I am still not able to RDP.
Thanks
Yeah, I already figured out that the firewall in my organization is blocking it. I did update the answer but it did not show up; I am trying again :)
Make sure your VM has reached the "Running" status. If it's still in one of its pre-running statuses (such as Provisioning), you won't be able to RDP.
Also: Be sure you don't try logging in with 'Administrator' (the default in the rdp login box). Choose localhost\yourusername.
I had a similar problem the other day. It was solved by going to the Azure Portal, selecting the VM Dashboard, then clicking "Connect" in the grey toolbar at the bottom. This will download an RDP file that contains the correct connection settings. You can then send that rdp file to others who you would like to give access to.
I just opened one of the files used to connect, and it looks like the only real difference is the port used.
full address:s:[vm name].cloudapp.net:62808
username:s:Administrator
prompt for credentials:i:1
I am not sure if all Azure VMs use 62808, but the default RDP port is 3389, so just copying the DNS from the Dashboard into the RDP address will NOT work without adding the correct port.
One more thing folks should check when having trouble connecting is password length.
I thought I would be all secure by using a GUID for a password. RDP worked fine from home (on an older XP RDP client), but not from the office. At first I thought it was a firewall issue. After verifying with the IT guys that I had full outbound access, I looked a little closer at the RDP error message.
It was saying my credentials were rejected. Finally, I created a second account on the VM and gave it RDP access. I was able to log in fine. The only difference between the two users was this time I didn't bother with a long password.
So I shortened the password on my main account and got in with no problem. I'm not sure what the limit is, but it seems to be less than 32.
I'm supposed to access a server, but when I use WinSCP with FTP protocol to log in, I just get a warning that
The requested name is valid, but no data of the requested type was found.
Connection failed.
I really have very little experience with working remotely on servers, or even logging into them. What are my alternatives?
This is the WSANO_DATA error. Quoting Microsoft documentation:
The usual example for this is a host name-to-address translation attempt ... which uses the DNS (Domain Name Server). An MX record is returned but no A record—indicating the host itself exists, but is not directly reachable.
(This can possibly happen for newly registered domain names that are not fully set up yet.)
See:
https://learn.microsoft.com/en-us/windows/win32/winsock/windows-sockets-error-codes-2#WSANO_DATA or
https://winscp.net/eng/docs/message_name_no_data
It could have been a temporary issue. Also make sure you specify your hostname without the leading ftp:// (though the latest version of WinSCP will strip it automatically).
You can find a very nice discussion on the same issue with WinSCP here
You can also try FileZilla or PuTTY
If you are typing your address like ftp://ftp.domain.com or things like that, remove the first part and just keep ftp.domain.com in your host address box.
You might want to consider PuTTY, which comes with a number of tools including a ssh client and a secure copy tool like WinSCP called pscp. Possibly even more valuable is the psftp client, which allows secure ftp to remote servers. PuTTY can be run from a usb drive, making it easy to carry with you to any computer, allowing you to remote into your server from all over the world.
You're probably using WinSCP to send or get files from/to the server, right? You might want to state that in your question. For that, you're probably better off with FileZilla. (You need the FileZilla client, not the Server)