Alex Wakizashi
2013-Oct-27 12:31 UTC
[Samba] User Administrator (and only it) access denied on member server
Hello all,

I have a really strange problem with Samba 4.1.0, regarding only one user: Administrator.

There are 2 servers: NAS (which is the DC) and CHEETAH (which is a domain member). I have spent a long time in efforts to sync UID/GID across servers (these are used both from Linux over NFS and from Windows) and finally wrote scripts to make all users/groups (even including the builtin ones, like "NT AUTHORITY\SYSTEM") consistent on all my Linux systems through nslcd (just enumerate users and groups through ldbsearch, get UIDs/GIDs from wbinfo and set these as rfc2307 attributes through ldbmodify, along with a few other POSIX attributes). So there are no crazy numeric IDs anymore and everything is working fine: users/groups are visible and ACLs are working, but one issue is still left:

When I try to access the member server as Administrator (which has UID=0), I get the error:

session setup failed: NT_STATUS_ACCESS_DENIED

That happens both from Windows (tried Win7 Ultimate and XP Pro) and from Linux.

- Cut -
root@nas:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@SAMBA.LOCAL.NET

Valid starting     Expires            Service principal
27/10/2013 15:48   28/10/2013 01:48   krbtgt/SAMBA.LOCAL.NET@SAMBA.LOCAL.NET
	renew until 28/10/2013 15:48
27/10/2013 15:48   28/10/2013 01:48   cifs/nas@SAMBA.LOCAL.NET
27/10/2013 15:48   28/10/2013 01:48   cifs/cheetah@SAMBA.LOCAL.NET
root@nas:~# smbclient -k -L cheetah
session setup failed: NT_STATUS_ACCESS_DENIED
root@nas:~# smbclient -k -L nas
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

	Sharename       Type      Comment
	---------       ----      -------
	home            Disk      NAS Home (Read-Only)
	sysvol          Disk
	netlogon        Disk
	IPC$            IPC       IPC Service (Samba 4.1.0)
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
- Cut -

So it is working fine with the DC, but does not work on the member server.

Here is the relevant part of log.smbd on CHEETAH:

- Cut -
[2013/10/27 15:59:49.335505, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SAMBA\administrator is invalid on this system
[2013/10/27 15:59:49.335604, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2013/10/27 15:59:49.335666, 1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED
- Cut -

As you can see, it is looking for user "SAMBA\administrator" rather than "Administrator", which is available through nss/nslcd:

- Cut -
root@cheetah:/home/wakizashi# getent passwd | grep Administrator
Administrator:*:0:100::/home/Administrator:/bin/false
root@cheetah:/home/wakizashi# id Administrator
uid=0(Administrator) gid=100(users) ??????=100(users)
- Cut -

And here is an example of the user "test", which works fine:

- Cut -
root@nas:~# kdestroy
root@nas:~# kinit test
Password for test@SAMBA.LOCAL.NET:
root@nas:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@SAMBA.LOCAL.NET

Valid starting     Expires            Service principal
27/10/2013 16:15   28/10/2013 02:15   krbtgt/SAMBA.LOCAL.NET@SAMBA.LOCAL.NET
	renew until 28/10/2013 16:15
root@nas:~# smbclient -k -L cheetah
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.1.0)
	torrents        Disk      Torrents Disk
Domain=[SAMBA] OS=[Unix] Server=[Samba 4.1.0]

	Server               Comment
	---------            -------
	CHEETAH              Samba 4.1.0

	Workgroup            Master
	---------            -------
	SAMBA
- Cut -

As you can see below, user "test" is also available from the DC on CHEETAH (it has a crazy UID from DC mapping, BTW):

- Cut -
root@cheetah:/home/wakizashi# getent passwd | grep test
test:*:3000054:100:Test User:/home/test:/bin/false
- Cut -

And here is the log (loglevel increased to 3):

- Cut -
[2013/10/27 16:20:29.490777, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: test [Test User]
[2013/10/27 16:20:29.490827, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [test@SAMBA.LOCAL.NET]
[2013/10/27 16:20:29.490990, 3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/10/27 16:20:29.491063, 3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2013/10/27 16:20:29.491120, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2013/10/27 16:20:29.491157, 3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2013/10/27 16:20:29.491439, 2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[torrents]"
[2013/10/27 16:20:29.491462, 3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2013/10/27 16:20:29.492062, 3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'test' using home directory: '/home/test'
[2013/10/27 16:20:29.493097, 3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 2 of length 84 (0 toread)
[2013/10/27 16:20:29.493136, 3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtconX (pid 6974) conn 0x0
[2013/10/27 16:20:29.493290, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from nas (192.168.2.1)
[2013/10/27 16:20:29.493373, 3] ../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2013/10/27 16:20:29.493436, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2013/10/27 16:20:29.493480, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2013/10/27 16:20:29.493502, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2013/10/27 16:20:29.494696, 2] ../lib/util/modules.c:191(do_smb_load_module)
  Module 'acl_xattr' loaded
[2013/10/27 16:20:29.494743, 2] ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode true' and 'force unknown acl user = true' for service IPC$
[2013/10/27 16:20:29.494916, 3] ../source3/smbd/service.c:848(make_connection_snum)
  nas (ipv4:192.168.2.1:34866) connect to service IPC$ initially as user test (uid=3000054, gid=100) (pid 6974)
- Cut -

So it is not trying to get something like "SAMBA\test", and it works fine using user "test", which is available in the system.

Any thoughts? Why does it look for "SAMBA\Administrator" rather than "Administrator" for "Administrator", while for other accounts it works correctly?

Regards,
Alex
steve
2013-Oct-27 13:31 UTC
[Samba] User Administrator (and only it) access denied on member server
On Sun, 2013-10-27 at 16:31 +0400, Alex Wakizashi wrote:
>
> Why for "Administrator" it looking for "SAMBA\Administrator", rather
> than "Administrator", but for other accounts it's working correctly?

Do you want the domain admin to be root of the linux member? If so, make a username map e.g. /home/alex/smbmap:

!root = SAMBA\Administrator SAMBA\administrator SAMBA\\Administrator SAMBA\administrator

(I've put the alternatives because I'm not sure if you need to escape the \)

then put it in smb.conf:

username map = /home/alex/smbmap

I'm sure there must be an easier way but anyway. . .

HTH
Steve
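A small model of how smbd walks a username map like the one suggested above, added here as an example and not code from the thread or from Samba itself: it parses the "unix = windows ..." lines, applies them case-insensitively in order with "!" stopping at the first match, and adds an audit check for lines that would hand uid 0 to a wildcard. It assumes backslashes in the map file are read literally (so the unescaped SAMBA\Administrator form is the one that matches) and uses a constructed group table for "@group" entries.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed map file, modelled on the reply above (not Samba's own code).
SAMPLE_MAP = """\
# map the domain Administrator account to the local root account;
# the leading '!' makes the walk stop at the first matching line
!root = SAMBA\\Administrator SAMBA\\administrator
; everything else keeps its own name
"""

Rule = Tuple[str, List[str], bool]  # (unix name, windows names, stop-after-match)


def parse_username_map(text: str) -> List[Rule]:
    """Parse 'unix = win1 win2 ...' lines; '#' and ';' start comment lines."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        unix, sep, wins = line.partition("=")
        if not sep:
            continue  # malformed line: ignored rather than fatal
        unix = unix.strip()
        stop = unix.startswith("!")
        rules.append((unix.lstrip("!").strip(), wins.split(), stop))
    return rules


def _matches(pattern: str, name: str, groups: Dict[str, Iterable[str]]) -> bool:
    """'*' matches anyone, '@grp' matches members of a unix group, else exact name."""
    if pattern == "*":
        return True
    if pattern.startswith("@"):
        return name.lower() in {m.lower() for m in groups.get(pattern[1:], ())}
    return pattern.lower() == name.lower()  # backslash compared literally (assumption)


def map_username(name: str, rules: List[Rule], groups=None) -> str:
    """Walk the rules in order; a match rewrites the name, '!' ends the walk."""
    groups = groups or {}
    current = name
    for unix, wins, stop in rules:
        if any(_matches(p, current, groups) for p in wins):
            current = unix
            if stop:
                break
    return current


def audit_username_map(rules: List[Rule]) -> List[str]:
    """Defender check: lines that can hand uid 0 to any authenticated account."""
    return [f"'{unix}' is reachable via wildcard '*'"
            for unix, wins, _ in rules if unix == "root" and "*" in wins]
```

On a domain member the map is applied to the full DOMAIN\user form, which is why the entries above carry the SAMBA\ prefix while "test" passes through unchanged.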