Hey Jeremy,
Thanks for the advice. I followed your suggestion collected the logged
information for a single connection attempt (i.e. smbclient
//servername/sharename -U username); I've included the log data below (in
the postscript). It looks like Samba is still looking for a Unix user
account and not finding one. I should mention that it seems that I am able
to authenticate as the user; the following command executes properly, for
example:
smbclient -L //servername -U username
So I'm guessing that problem is that the user doesn't have permission to
access the shares they're trying to access. However, my (extremely limited)
understanding is that Samba inherits permissions from the host Linux
system, and in this case the corresponding Linux user is a member of the
appropriate group for each corresponding share. Any further thoughts would
be greatly appreciated. Thanks again!
Cheers,
Itamar
Here's the log data:
[2015/04/18 13:41:26.261983, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[Sharename]\[username]@[Server] with the new password interface
[2015/04/18 13:41:26.262024, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is: [Sharename]\[username]@[Server]
[2015/04/18 13:41:26.275787, 3] lib/smbldap.c:803(smb_ldap_start_tls)
StartTLS issued: using a TLS connection
[2015/04/18 13:41:26.275830, 2] lib/smbldap.c:1018(smbldap_open_connection)
smbldap_open_connection: connection opened
[2015/04/18 13:41:26.277053, 3] lib/smbldap.c:1240(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2015/04/18 13:41:26.277795, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: username
[2015/04/18 13:41:26.279734, 0]
passdb/lookup_sid.c:1684(get_primary_group_sid)
Failed to find a Unix account for username User username in passdb, but
getpwnam() fails!
[2015/04/18 13:41:26.279895, 0] auth/check_samsec.c:492(check_sam_security)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2015/04/18 13:41:26.279929, 3]
auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [Sharename]
was for this SAM.
[2015/04/18 13:41:26.279954, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [username] -> [username]
FAILED with error NT_STATUS_NO_SUCH_USER
[2015/04/18 13:41:26.279981, 3] smbd/sesssetup.c:63(do_map_to_guest)
No such user username [Sharename] - using guest account
[2015/04/18 13:41:26.280011, 3] smbd/password.c:297(register_existing_vuid)
register_existing_vuid: User name: nobody Real name: (null)
[2015/04/18 13:41:26.280039, 3] smbd/password.c:307(register_existing_vuid)
register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be
vuid 100
[2015/04/18 13:41:26.280327, 3] smbd/process.c:1662(process_smb)
Transaction 3 of length 116 (0 toread)
[2015/04/18 13:41:26.280396, 3] smbd/process.c:1467(switch_message)
switch message SMBtconX (pid 32646) conn 0x0
[2015/04/18 13:41:26.280443, 3] lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/04/18 13:41:26.280481, 3] smbd/service.c:837(make_connection_snum)
Connect path is '/tmp' for service [IPC$]
[2015/04/18 13:41:26.280531, 3] smbd/vfs.c:102(vfs_init_default)
Initialising default vfs hooks
[2015/04/18 13:41:26.280562, 3] smbd/vfs.c:128(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2015/04/18 13:41:26.280630, 3]
../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
string_to_sid: SID ig3223 is not in a valid format
[2015/04/18 13:41:26.281305, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: ig3223
[2015/04/18 13:41:26.282110, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1080
[2015/04/18 13:41:26.283328, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 1080
[2015/04/18 13:41:26.283448, 3] smbd/service.c:1081(make_connection_snum)
Server (127.0.0.1) connect to service IPC$ initially as user nobody
(uid=65534, gid=65534) (pid 32646)
[2015/04/18 13:41:26.283485, 3] smbd/reply.c:871(reply_tcon_and_X)
tconX service=IPC$
[2015/04/18 13:41:26.283699, 3] smbd/process.c:1662(process_smb)
Transaction 4 of length 136 (0 toread)
[2015/04/18 13:41:26.283769, 3] smbd/process.c:1467(switch_message)
switch message SMBtrans2 (pid 32646) conn 0x7f0404cc8590
[2015/04/18 13:41:26.283836, 3] smbd/msdfs.c:891(get_referred_path)
get_referred_path: |Sharename| in dfs path \Server.hosturl\Sharename is
not a dfs root.
[2015/04/18 13:41:26.283867, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/trans2.c(8345) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2015/04/18 13:41:26.284057, 3] smbd/process.c:1662(process_smb)
Transaction 5 of length 39 (0 toread)
[2015/04/18 13:41:26.284127, 3] smbd/process.c:1467(switch_message)
switch message SMBtdis (pid 32646) conn 0x7f0404cc8590
[2015/04/18 13:41:26.284182, 3] smbd/service.c:1345(close_cnum)
Server (127.0.0.1) closed connection to service IPC$
[2015/04/18 13:41:26.284211, 3] smbd/connection.c:35(yield_connection)
Yielding connection to IPC$
[2015/04/18 13:41:26.284347, 3] smbd/process.c:1662(process_smb)
Transaction 6 of length 116 (0 toread)
[2015/04/18 13:41:26.284381, 3] smbd/process.c:1467(switch_message)
switch message SMBtconX (pid 32646) conn 0x0
[2015/04/18 13:41:26.284417, 3] lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/04/18 13:41:26.284446, 2]
smbd/service.c:616(create_connection_session_info)
guest user (from session setup) not permitted to access this share
(Sharename)
[2015/04/18 13:41:26.284471, 1] smbd/service.c:770(make_connection_snum)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2015/04/18 13:41:26.284496, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/reply.c(803) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
[2015/04/18 13:41:26.284777, 3] smbd/server_exit.c:180(exit_server_common)
Server exit (failed to receive smb request)
On Fri, Apr 17, 2015 at 4:29 PM, Jeremy Allison <jra at samba.org> wrote:
> On Fri, Apr 17, 2015 at 03:15:48PM -0500, Itamar Gal wrote:
> > Hey Samba list,
> > Home Directory: \\files\userid
> > Profile Path: \\files\userid \profile
> >
> > 3. I reset the user's password:
> >
> > echo -e "password\npassword\n" | passwordsudo smbpasswd -s
> >
> > Then I tried to connect to the Samba server as the user:
> >
> > smbclient //fileserver/domain -U userid
> >
> > Unfortunately I was unable to authenticate; I get the following error
> > message:
> >
> > Domain=[domain] OS=[Unix] Server=[Samba 3.6.3]
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > 4. I checked to see if there was in fact a Unix account for the user,
and
> > there wasn't, so I added one, and set the UNIX password to match
the
> > password set with smbpasswd. Then I tried again to connect to the
Samba
> > server, but was still unable to connect.
> >
> > Can anyone shed any light on this? Help!
>
> Set the log level in smbd to 10, then take a look
> at the logs produced when smbclient tries to connect.
>
> Here's how I set that up in smb.conf:
>
> log file = /usr/local/samba/var/log.%m
> max log size = 0
> log level = 10
>
> That will be the quickest way to track down the problem.
>
> Jeremy.
>