Shane Robinson
2014-Feb-12 00:15 UTC
[Samba] Domain Member server - Domain users don't get access
Hello list!
I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise
KVM guest. It seems to be running well. Recent list posts have led me to set
up a second instance of samba/ubuntu as a file server. Like the domain
controller, Samba was built from git, but then it was configured using the
"Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups
using ADUC, but I don't see that mentioned as a requirement (Is it a
requirement?).
My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new
file server's name is FS2. I start the services with a script that runs
winbindd, then smbd, then nmbd, in that order.
Wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.
Kinit works.
$ getent passwd INTERNAL\\administrator
AND
$ getent group INTERNAL\\hrall
... give nothing.
An strace of getent revealed that /lib64 was never queried for
libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
libnss_winbind.so to that folder.
(Is this incorrect, or shall I update the Wiki with this information for
Ubuntu users?)
After the relinking, getent group INTERNAL\\hrall shows the members of the
group "hrall", but getent passwd INTERNAL\\Administrator still fails.
$smbclient -L fs2 -UAdministrator
Session setup failed: NT_STATUS_LOGON_FAILURE
And, as you'd expect, domain users can't connect to FS2's shares from
Windows either.
The log.smbd shows:
[2014/02/11 14:52:42.335901, 5]
../source3/auth/auth_util.c:115(make_user_info_map)
Mapping user [INTERNAL]\[Administrator] from workstation [FS2]
[2014/02/11 14:52:42.336554, 5]
../source3/auth/user_info.c:61(make_user_info)
attempting to make a user_info for Administrator (Administrator)
[2014/02/11 14:52:42.336592, 5]
../source3/auth/user_info.c:72(make_user_info)
making strings for Administrator's user_info struct
[2014/02/11 14:52:42.336629, 5]
../source3/auth/user_info.c:92(make_user_info)
making blobs for Administrator's user_info struct
[2014/02/11 14:52:42.336657, 3]
../source3/auth/auth.c:177(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[INTERNAL]\[Administrator]@[FS2] with the new password interface
[2014/02/11 14:52:42.336685, 3]
../source3/auth/auth.c:180(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [INTERNAL]\[Administrator]@[FS2]
[2014/02/11 14:52:42.336714, 5] ../lib/util/util.c:556(dump_data)
[0000] 4E 9F 81 20 8D B4 2D 02 N.. ..-.
[2014/02/11 14:52:42.336765, 6]
../source3/auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: INTERNAL is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2014/02/11 14:52:42.336798, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336825, 4] ../source3/smbd/uid.c:485(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2014/02/11 14:52:42.336851, 4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336877, 5]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/02/11 14:52:42.336908, 5]
../source3/auth/token_util.c:528(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/02/11 14:52:42.353224, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/02/11 14:52:42.353328, 5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user INTERNAL\administrator
[2014/02/11 14:52:42.353366, 5]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is internal\administrator
[2014/02/11 14:52:42.353786, 5]
../source3/lib/username.c:128(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is INTERNAL\administrator
[2014/02/11 14:52:42.354074, 5]
../source3/lib/username.c:141(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
[2014/02/11 14:52:42.354402, 5]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in internal\administrator
[2014/02/11 14:52:42.354436, 5]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
[2014/02/11 14:52:42.354463, 5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user administrator
[2014/02/11 14:52:42.354490, 5]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is administrator
[2014/02/11 14:52:42.354771, 5]
../source3/lib/username.c:141(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2014/02/11 14:52:42.355046, 5]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in administrator
[2014/02/11 14:52:42.355079, 5]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [administrator]!
[2014/02/11 14:52:42.355152, 3]
../source3/auth/auth_util.c:1247(check_account)
Failed to find authenticated user INTERNAL\administrator via getpwnam(),
denying access.
[2014/02/11 14:52:42.355204, 5]
../source3/auth/auth.c:229(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355247, 2]
../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355293, 5]
../source3/auth/auth_ntlmssp.c:144(auth3_check_password)
Checking NTLMSSP password for INTERNAL\Administrator failed:
NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355329, 5]
../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355368, 2]
../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
log.winbindd shows:
[2014/02/11 14:48:22.544398, 6]
../source3/winbindd/winbindd.c:870(new_connection)
accepted socket 25
[2014/02/11 14:48:22.544610, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[ 2629]: request interface version
[2014/02/11 14:48:22.544767, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[ 2629]: request location of privileged pipe
[2014/02/11 14:48:22.544911, 6]
../source3/winbindd/winbindd.c:870(new_connection)
accepted socket 28
[2014/02/11 14:48:22.545005, 6]
../source3/winbindd/winbindd.c:918(winbind_client_request_read)
closing socket 25, client exited
[2014/02/11 14:48:22.545112, 3]
../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
[ 2629]: domain_info [INTERNAL]
[2014/02/11 14:48:22.546028, 3]
../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)
[ 2629]: pam auth crap domain: [INTERNAL] user: Administrator
[2014/02/11 14:48:22.613469, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam internal\administrator
[2014/02/11 14:48:24.273838, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274046, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\administrator
[2014/02/11 14:48:24.274271, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274415, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\ADMINISTRATOR
[2014/02/11 14:48:24.274558, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274775, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
Below are the configuration files for FS2 (the file server / domain member
server). Commented parameters are ones I tried, with no change to the
aforementioned results.
smb.conf:
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.SIMPEQ.CA
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 500-40000
winbind nss info = rfc2307
#these are NOT from the domain member wiki
winbind use default domain = yes
#winbind separator = +
#winbind enum groups = yes
#winbind trusted domains only = no
###########################
#from wiki on Configuring file shares (feb7'14)
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
#########################
log level = 7
#Oplocks
veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt/*.pst
[test]
path = /srv/test
read only = no
#valid users = @"Domain Users"
[Sites]
path = /srv/sites
read only = no
nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you would like to see any further information, please let me know.
Thank you very much!
Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.
On Tue, 2014-02-11 at 16:15 -0800, Shane Robinson wrote:
> Hello list!
>
> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise
> KVM guest. It seems to be running well. Recent list posts have led me to set
> up a second instance of samba/ubuntu as a file server. Like the domain
> controller, Samba was built from git, but then it was configured using the
> "Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups
> using ADUC, but I don't see that mentioned as a requirement (Is it a
> requirement?).

If you want getent to work, you don't _have_ to add the sfu stuff. uidNumber
and gidNumber are sufficient.

> My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new
> file server's name is FS2. I start the services with a script that runs
> winbindd, then smbd, then nmbd, in that order.
>
> Wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.
>
> Kinit works.
>
> $ getent passwd INTERNAL\\administrator
> AND
> getent group INTERNAL\\hrall
>
> ... give nothing.
>
> An strace of getent revealed that /lib64 was never queried for
> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
> libnss_winbind.so to that folder.
> (Is this incorrect, or shall I update the Wiki with this information for
> Ubuntu users?)

The wiki is for 32 bit non-Debian distros only.

How did you join FS2?

Could you post:
The content of its keytab
The DN of INTERNAL\administrator

Cheers,
Steve
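As an added example (not code from the thread or from Samba), a small Python triage script that parses log.winbindd entries in the multi-line format shown above and pulls out every SID winbindd failed to convert, together with the getpwnam lookups that triggered each failure; the sample log is constructed from the excerpt in the original post and the function names are my own.

```python
import re

# Constructed sample modelled on the log.winbindd excerpt posted in the thread.
SAMPLE_LOG = """\
[2014/02/11 14:48:22.613469, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam internal\\administrator
[2014/02/11 14:48:24.273838, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274046, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\\ADMINISTRATOR
[2014/02/11 14:48:24.274271, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
"""
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+, (\d+)\]\s*(.*)$")
UNMAPPED = re.compile(r"Could not convert sid (S-[\d-]+):\s*(NT_STATUS_\w+)")

def parse_records(text):
    """Group raw log lines into {"level", "location", "message"} records."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # "[timestamp, level]" header, sometimes with the location on the same line
            cur = {"level": int(m.group(1)), "location": m.group(2), "message": ""}
            records.append(cur)
        elif cur and not cur["location"] and line.startswith("../"):
            cur["location"] = line  # source location printed on its own line
        elif cur:
            cur["message"] = (cur["message"] + " " + line).strip()  # rejoin wrapped text
    return records

def unmapped_sids(text):
    """Return {sid: {"rid", "status", "lookups"}} for every SID winbindd failed to map."""
    found, last_lookup = {}, None
    for rec in parse_records(text):
        if rec["message"].startswith("getpwnam "):
            last_lookup = rec["message"].split(" ", 1)[1]  # name the NSS client asked for
        elif (m := UNMAPPED.search(rec["message"])):
            sid, status = m.groups()
            entry = found.setdefault(sid, {"rid": int(sid.rsplit("-", 1)[1]), "status": status, "lookups": []})
            entry["lookups"].append(last_lookup)
    return found

if __name__ == "__main__":
    print(unmapped_sids(SAMPLE_LOG))
```

RID 500 is the built-in Administrator account; with `idmap config INTERNAL:backend = ad` as in the posted smb.conf, NT_STATUS_NONE_MAPPED for a domain SID means the AD object carries no uidNumber/gidNumber inside the configured idmap range, which is why getpwnam, and therefore the share logon, fails.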