<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
color:black;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:310797045;
mso-list-template-ids:1409191348;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:windowtext">This may be the root of your issue. There is a registry/gpo edit that might be of assistance.<o:p></o:p></span></a></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"></span><a href="https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/"><span style="mso-bookmark:_MailEndCompose">https://blogs.technet.microsoft.com/askpfeplat/2018/05/07/credssp-rdp-and-raven/</span><span style="mso-bookmark:_MailEndCompose"></span></a><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext"><o:p> </o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext"><o:p> </o:p></span></span></p>
<div>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext">Richard Jahnel<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext">Backups Team<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext">2201 Lakeside Blvd, Richardson, Tx 75007<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext">Office: (972) 810-2527<o:p></o:p></span></span></p>
</div>
<p class="MsoNormal"><span style="mso-bookmark:_MailEndCompose"><span style="color:windowtext"><o:p> </o:p></span></span></p>
<span style="mso-bookmark:_MailEndCompose"></span>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:windowtext">From:</span></b><span style="color:windowtext"> OmniOS-discuss [mailto:omnios-discuss-bounces@lists.omniti.com]
<b>On Behalf Of </b>Piotr Kaminski<br>
<b>Sent:</b> Saturday, May 26, 2018 12:57 PM<br>
<b>To:</b> omnios-discuss@lists.omniti.com<br>
<b>Subject:</b> [OmniOS-discuss] CIFS access denied to some users from AD<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>Hi Everybody,<o:p></o:p></p>
<p><o:p> </o:p></p>
<p>My OmniOSce CIFS server is joined to AD domain (based on Samba 4 from Ubuntu). A few days ago some client computers where updated to Win 10 1803 and two users started complaining they cannot access the CIFS share. I have checked everything and cannot find
the problem.<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
There is ACL rule for a "employees" AD group allowing access for the members,<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
there are about 20 members and only 2 of them have problem,<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
the two accounts CAN connect to another Windows machine via RDP and are authorized by AD DC (I even changed passwords to check and still can connect with the new passwords),<o:p></o:p></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
the two accounts cannot access the CIFS share from OmniIOSce server.<o:p></o:p></li></ul>
<p>When I try to access the server from Ubuntu machine I get the following with "good_user":<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre># smbclient -U good_user -L //omnios<o:p></o:p></pre>
<pre>Enter test11's password: <o:p></o:p></pre>
<pre>Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-673c5] Server=[Native SMB service]<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> Sharename Type Comment<o:p></o:p></pre>
<pre> --------- ---- -------<o:p></o:p></pre>
<pre> public Disk <o:p></o:p></pre>
<pre> c$ Disk Default Share<o:p></o:p></pre>
<pre> test1 Disk <o:p></o:p></pre>
<pre> test2 Disk <o:p></o:p></pre>
<pre> ipc$ IPC Remote IPC<o:p></o:p></pre>
<pre> test Disk <o:p></o:p></pre>
<pre>Domain=[DOMAIN_NAME] OS=[SunOS 5.11 omnios-r151026-673c5] Server=[Native SMB service]<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> Server Comment<o:p></o:p></pre>
<pre> --------- -------<o:p></o:p></pre>
<pre><o:p> </o:p></pre>
<pre> Workgroup Master<o:p></o:p></pre>
<pre> --------- -------<o:p></o:p></pre>
</blockquote>
<p>and with "bad_user" I get <o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre># smbclient -U bad_user -L //omnios<o:p></o:p></pre>
<pre>Enter bad_user's password: <o:p></o:p></pre>
<pre>session setup failed: NT_STATUS_ACCESS_DENIED<o:p></o:p></pre>
</blockquote>
<p>I cannot see any difference between the users. They are members of the same AD groups. Even the password is the same! It seems like //omnios does not like the two users (or cannot authorize them). As a workaround I created two new accounts and they work
as a charm. But that is just a temporary workaround.<o:p></o:p></p>
<p>I'd be grateful for a hint where to look for the mistake.<o:p></o:p></p>
<p>With regards<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Piotr<o:p></o:p></pre>
</div>
</body>
</html>