Shane Robinson
2014-Feb-12 00:15 UTC
[Samba] Domain Member server - Domain users don't get access
Hello list!

I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise KVM guest. It seems to be running well. Recent list posts have led me to set up a second instance of samba/ubuntu as a file server. Like the domain controller, Samba was built from git, but then it was configured using the "Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups using ADUC, but I don't see that mentioned as a requirement (Is it a requirement?).

My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new file server's name is FS2. I start the services with a script that runs winbindd, then smbd, then nmbd, in that order.

Wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.

Kinit works.

$ getent passwd INTERNAL\\administrator
AND
getent group INTERNAL\\hrall

... give nothing.

An strace of getent revealed that /lib64 was never queried for libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked libnss_winbind.so to that folder. (Is this incorrect, or shall I update the Wiki with this information for Ubuntu users?)

After the relinking, getent group INTERNAL\\hrall shows the members of the group "hrall", but getent passwd INTERNAL\\Administrator still fails.

$ smbclient -L fs2 -UAdministrator
Session setup failed: NT_STATUS_LOGON_FAILURE

And, as you'd expect, domain users can't connect to FS2's shares from windows either.
The log.smbd shows:

[2014/02/11 14:52:42.335901, 5] ../source3/auth/auth_util.c:115(make_user_info_map)
  Mapping user [INTERNAL]\[Administrator] from workstation [FS2]
[2014/02/11 14:52:42.336554, 5] ../source3/auth/user_info.c:61(make_user_info)
  attempting to make a user_info for Administrator (Administrator)
[2014/02/11 14:52:42.336592, 5] ../source3/auth/user_info.c:72(make_user_info)
  making strings for Administrator's user_info struct
[2014/02/11 14:52:42.336629, 5] ../source3/auth/user_info.c:92(make_user_info)
  making blobs for Administrator's user_info struct
[2014/02/11 14:52:42.336657, 3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [INTERNAL]\[Administrator]@[FS2] with the new password interface
[2014/02/11 14:52:42.336685, 3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [INTERNAL]\[Administrator]@[FS2]
[2014/02/11 14:52:42.336714, 5] ../lib/util/util.c:556(dump_data)
  [0000] 4E 9F 81 20 8D B4 2D 02   N.. ..-.
[2014/02/11 14:52:42.336765, 6] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: INTERNAL is not one of my local names (ROLE_DOMAIN_MEMBER)
[2014/02/11 14:52:42.336798, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336825, 4] ../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2014/02/11 14:52:42.336851, 4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336877, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2014/02/11 14:52:42.336908, 5] ../source3/auth/token_util.c:528(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/02/11 14:52:42.353224, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/02/11 14:52:42.353328, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user INTERNAL\administrator
[2014/02/11 14:52:42.353366, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is internal\administrator
[2014/02/11 14:52:42.353786, 5] ../source3/lib/username.c:128(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is INTERNAL\administrator
[2014/02/11 14:52:42.354074, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
[2014/02/11 14:52:42.354402, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in internal\administrator
[2014/02/11 14:52:42.354436, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
[2014/02/11 14:52:42.354463, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user administrator
[2014/02/11 14:52:42.354490, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is administrator
[2014/02/11 14:52:42.354771, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2014/02/11 14:52:42.355046, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in administrator
[2014/02/11 14:52:42.355079, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [administrator]!
[2014/02/11 14:52:42.355152, 3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user INTERNAL\administrator via getpwnam(), denying access.
[2014/02/11 14:52:42.355204, 5] ../source3/auth/auth.c:229(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355247, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355293, 5] ../source3/auth/auth_ntlmssp.c:144(auth3_check_password)
  Checking NTLMSSP password for INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355329, 5] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355368, 2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER

log.winbindd shows:

[2014/02/11 14:48:22.544398, 6] ../source3/winbindd/winbindd.c:870(new_connection)
  accepted socket 25
[2014/02/11 14:48:22.544610, 3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2629]: request interface version
[2014/02/11 14:48:22.544767, 3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2629]: request location of privileged pipe
[2014/02/11 14:48:22.544911, 6] ../source3/winbindd/winbindd.c:870(new_connection)
  accepted socket 28
[2014/02/11 14:48:22.545005, 6] ../source3/winbindd/winbindd.c:918(winbind_client_request_read)
  closing socket 25, client exited
[2014/02/11 14:48:22.545112, 3] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [ 2629]: domain_info [INTERNAL]
[2014/02/11 14:48:22.546028, 3] ../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)
  [ 2629]: pam auth crap domain: [INTERNAL] user: Administrator
[2014/02/11 14:48:22.613469, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam internal\administrator
[2014/02/11 14:48:24.273838, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274046, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\administrator
[2014/02/11 14:48:24.274271, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274415, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\ADMINISTRATOR
[2014/02/11 14:48:24.274558, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274775, 3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)

Below are the configuration files for FS2 (the file server / domain member server). Commented parameters are ones I tried, with no change to the aforementioned results.
smb.conf:

[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.SIMPEQ.CA
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 500-40000
winbind nss info = rfc2307
#these are NOT from the domain member wiki
winbind use default domain = yes
#winbind separator = +
#wibind enum groups = yes
#winbind trusted domains only = no
###########################
#from wiki on Configuring file shares (feb7'14)
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
#########################
log level = 7
#Oplocks
veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt/*.pst

[test]
path = /srv/test
read only = no
#valid users = @"Domain Users"

[Sites]
path = /srv/sites
read only = no

nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

If you would like to see any further information, please let me know.

Thank you very much!

Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
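The failure chain in the post (winbindd reports NT_STATUS_NONE_MAPPED for the Administrator SID, so getpwnam() finds no user and smbd denies the logon) can be reasoned about from the idmap settings alone. The following is an added example, not code from the post or from Samba: it parses the idmap lines of the posted smb.conf, pulls the unmapped RID out of a constructed log.winbindd line, and states why the ad backend with rfc2307 would or would not map a given uidNumber into the configured range.

```python
import re

# Constructed input: the idmap lines from the smb.conf posted in the thread and
# one log.winbindd line of the kind quoted there (constructed, not the real files).
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 500-40000
"""
WINBIND_LOG = [
    "[2014/02/11 14:48:24.273838, 5] ../source3/winbindd/winbindd_getpwnam.c:137"
    "(winbindd_getpwnam_recv) Could not convert sid "
    "S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED",
]
IDMAP_RE = re.compile(r"^\s*idmap config ([^:]+):(\w+)\s*=\s*(.+?)\s*$", re.M)
NONE_MAPPED_RE = re.compile(r"Could not convert sid (S-1-5-21(?:-\d+)+): NT_STATUS_NONE_MAPPED")

def parse_idmap(conf):
    """Collect 'idmap config <domain>:<key> = <value>' lines into a dict per domain."""
    idmap = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = idmap.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return idmap

def unmapped_rids(lines):
    """RIDs of SIDs that winbind reported as NT_STATUS_NONE_MAPPED (500 = Administrator)."""
    rids = []
    for line in lines:
        m = NONE_MAPPED_RE.search(line)
        if m:
            rids.append(int(m.group(1).rsplit("-", 1)[1]))
    return rids

def explain(domain, uid_number, idmap):
    """Why an 'idmap config <domain>:backend = ad' lookup maps or fails; uid_number is
    the user's uidNumber attribute from AD, or None if the attribute is unset."""
    cfg = idmap.get(domain) or idmap.get("*", {})
    if cfg.get("backend") != "ad":
        return "not the ad backend: the id is allocated locally, not read from AD"
    lo, hi = cfg["range"]
    if uid_number is None:
        return "no uidNumber in AD -> NT_STATUS_NONE_MAPPED, so getpwnam() fails"
    if not lo <= uid_number <= hi:
        return f"uidNumber {uid_number} outside idmap range {lo}-{hi} -> NT_STATUS_NONE_MAPPED"
    return f"uidNumber {uid_number} inside idmap range {lo}-{hi} -> mapped"
```

With the ad backend the user's primary group also needs a gidNumber inside the range, or the passwd entry still cannot be built even when the uidNumber is present.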
On Tue, 2014-02-11 at 16:15 -0800, Shane Robinson wrote:
> Hello list!
>
> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise
> KVM guest. It seems to be running well. Recent list posts have led me to set
> up a second instance of samba/ubuntu as a file server. Like the domain
> controller, Samba was built from git, but then it was configured using the
> "Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups
> using ADUC, but I don't see that mentioned as a requirement (Is it a
> requirement?).

If you want getent to work, you don't _have_ to add the sfu stuff. uidNumber and gidNumber are sufficient.

> My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new
> file server's name is FS2. I start the services with a script that runs
> winbindd, then smbd, then nmbd, in that order.
>
> Wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.
>
> Kinit works.
>
> $ getent passwd INTERNAL\\administrator
> AND
> getent group INTERNAL\\hrall
>
> . give nothing.
>
> An strace of getent revealed that /lib64 was never queried for
> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
> libnss_winbind.so to that folder.
> (Is this incorrect, or shall I update the Wiki with this information for
> Ubuntu users?)

The wiki is for 32 bit non-Debian distros only.

How did you join FS2?

Could you post:
The content of its keytab
The DN of INTERNAL\administrator

Cheers,
Steve