Hello,
I cannot access a remote drive using Windows or smbclient; my
authentication appears successful according to the samba log file, but
`getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
4.2.3. The client is CentOS 7.2 and smbclient 4.2.3. The logfile
shows:

[2017/05/06 22:57:48.729284, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
[2017/05/06 22:57:48.731091, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
[2017/05/06 22:57:48.731164, 1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL

Strangely, the SID corresponds to a local user:

# wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
NY4010\developer_prod 1

(ny4010 is my samba server machine) Even though on the client I am
logging in using a domain user:

$ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
session setup failed: NT_STATUS_UNSUCCESSFUL

Here is my smb.conf file:

[global]
    workgroup = MYDOMAIN
    password server = my_domain_server.mydomain.local
    realm = MYDOMAIN.LOCAL
    security = ads
    idmap config * : range = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = false
    log level = 2
    encrypt passwords = yes
    unix extensions = no
    server string = Samba Server Version %v
    log file = /var/log/samba/log.%m
    max log size = 50
    security = ads
    passdb backend = tdbsam
    realm = MYDOMAIN.LOCAL
    password server = my_domain_server.mydomain.local
    local master = no
[homes]
    comment = Home Directories
    browseable = no
    writable = yes
[release]
    comment = Shared directory: /prod
    path = /prod
    browseable = yes
    read only = no
    valid users = developer_prod
    guest ok = yes
    public = yes
    follow symlinks = yes
    wide links = yes
    force user = developer_prod
[log]
    comment = Shared directory: /prod/log
    path = /prod/log
    browseable = yes
    read only = yes
    guest ok = yes
    public = yes

my nsswitch.conf file looks like:
passwd: files winbind

I think the smoking gun here is that a local user's SID is showing up
in that "getpwuid() failed" line...

Thanks.

--
-Mike Schwager

On Sun, 7 May 2017 09:04:25 -0500
Michael Schwager via samba <samba at lists.samba.org> wrote:

> Hello,
> I cannot access a remote drive using Windows or smbclient; my
> authentication appears successful according to the samba log file, but
> `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3. The logfile
> shows:
>
> [2017/05/06 22:57:48.729284, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [developer_prod]
> -> [developer_prod] -> [developer_prod] succeeded
> [2017/05/06 22:57:48.731091, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-4007675785-2624567327-467545301-1000 ->
> getpwuid(16777216) failed
> [2017/05/06 22:57:48.731164, 1]
> ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for
> session setup: NT_STATUS_UNSUCCESSFUL
>
> Strangely, the SID corresponds to a local user:
>
> # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
> NY4010\developer_prod 1
>
> (ny4010 is my samba server machine) Even though on the client I am
> logging in using a domain user:
>
> $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release
> 'password' session setup failed: NT_STATUS_UNSUCCESSFUL
>
> Here is my smb.conf file:
>
> [global]
> workgroup = MYDOMAIN
> password server = my_domain_server.mydomain.local
> realm = MYDOMAIN.LOCAL
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /home/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> log level = 2
> encrypt passwords = yes
> unix extensions = no
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> security = ads
> passdb backend = tdbsam
> realm = MYDOMAIN.LOCAL
> password server = my_domain_server.mydomain.local
> local master = no
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> [release]
> comment = Shared directory: /prod
> path = /prod
> browseable = yes
> read only = no
> valid users = developer_prod
> guest ok = yes
> public = yes
> follow symlinks = yes
> wide links = yes
> force user = developer_prod
> [log]
> comment = Shared directory: /prod/log
> path = /prod/log
> browseable = yes
> read only = yes
> guest ok = yes
> public = yes
>
> my nsswitch.conf file looks like:
> passwd: files winbind
>
> I think the smoking gun here is that a local user's SID is showing up
> in that "getpwuid() failed" line...
>
> Thanks.

Are you using sssd, if so then remove 'winbind' from the 'passwd' line
in /etc/nsswitch.conf, put back 'sss' that you must have removed.
Remove winbind and then go and ask on the sssd-users mailing, you
cannot use sssd and winbind.

If however, you are not using sssd, then add winbind to the group line
in /etc/nsswitch.conf then make [global] in smb.conf look like this:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server string = Samba Server Version %v
    security = ads
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    log level = 2
    unix extensions = no
    log file = /var/log/samba/log.%m
    max log size = 50
    local master = no

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
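
The checks named in the reply above, as an added example that is not part of the original thread and is not Samba's own tooling: a short Python script that reads smb.conf and nsswitch.conf text and reports a missing winbind source, sss and winbind listed together, a domain without its own idmap backend, and overlapping idmap ranges. The function names and sample strings are constructed for illustration; the idmap lines are the ones quoted in the thread.

```python
import re

def idmap_domains(smb_conf):
    """Collect 'idmap config DOMAIN : key = value' lines into {DOMAIN: {key: value}}."""
    doms = {}
    for raw in smb_conf.splitlines():  # comment lines never match the pattern
        m = re.match(r"\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S+)", raw, re.I)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return doms

def nss_sources(nsswitch, db):
    """Return the source list of one nsswitch.conf database, e.g. 'passwd'."""
    for raw in nsswitch.splitlines():
        name, _, rest = raw.partition(":")
        if name.strip() == db:
            return rest.split("#")[0].split()
    return []

def check(smb_conf, nsswitch, workgroup):
    """Return a list of findings; an empty list means all four checks passed."""
    findings = []
    for db in ("passwd", "group"):
        src = nss_sources(nsswitch, db)
        if "winbind" not in src:
            findings.append(f"nsswitch {db}: winbind missing")
        if "winbind" in src and "sss" in src:
            findings.append(f"nsswitch {db}: both sss and winbind listed")
    doms = idmap_domains(smb_conf)
    if "backend" not in doms.get(workgroup.upper(), {}):
        findings.append(f"idmap: no backend configured for {workgroup}")
    ranges = sorted((tuple(map(int, d["range"].split("-"))), n)
                    for n, d in doms.items() if "range" in d)
    for ((lo1, hi1), n1), ((lo2, hi2), n2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:  # next range starts before the previous one ends
            findings.append(f"idmap: ranges of {n1} and {n2} overlap")
    return findings

# Constructed samples built from the settings quoted in the thread.
ORIGINAL = "idmap config * : range = 16777216-33554431"
SUGGESTED = """idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999"""

if __name__ == "__main__":
    print(check(ORIGINAL, "passwd: files winbind", "MYDOMAIN"))
    print(check(SUGGESTED, "passwd: files winbind\ngroup: files winbind", "MYDOMAIN"))
```
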

Hi Rowland,
Thanks for the reply. I did as you suggested and did not see any change
in my system behavior. I put everything back the way it was.

Then I noticed that I have an identical system (so I think) right next
to it, on the same rack, connected to the same switch, with the same OS
and hardware, and it is working 100%.

Fundamentally, I cannot su to my user "developer_prod" as the "id"
utility complains that it "cannot find user for ID 16777216". I believe
something is wrong with winbind, and I don't know what it is. Does
winbind use the smb.conf file?

On Sun, May 7, 2017 at 9:34 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Sun, 7 May 2017 09:04:25 -0500
> Michael Schwager via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> > I cannot access a remote drive using Windows or smbclient; my
> > authentication appears successful according to the samba log file, but
> > `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> > 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3. The logfile
> > shows:
> >
> > [2017/05/06 22:57:48.729284, 2]
> > ../source3/auth/auth.c:305(auth_check_ntlm_password)
> > check_ntlm_password: authentication for user [developer_prod]
> > -> [developer_prod] -> [developer_prod] succeeded
> > [2017/05/06 22:57:48.731091, 1]
> > ../source3/auth/token_util.c:430(add_local_groups)
> > SID S-1-5-21-4007675785-2624567327-467545301-1000 ->
> > getpwuid(16777216) failed
> > [2017/05/06 22:57:48.731164, 1]
> > ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
> > Failed to generate session_info (user and group token) for
> > session setup: NT_STATUS_UNSUCCESSFUL
> >
> > Strangely, the SID corresponds to a local user:
> >
> > # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
> > NY4010\developer_prod 1
> >
> > (ny4010 is my samba server machine) Even though on the client I am
> > logging in using a domain user:
> >
> > $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release
> > 'password' session setup failed: NT_STATUS_UNSUCCESSFUL
> >
> > Here is my smb.conf file:
> >
> > [global]
> > workgroup = MYDOMAIN
> > password server = my_domain_server.mydomain.local
> > realm = MYDOMAIN.LOCAL
> > security = ads
> > idmap config * : range = 16777216-33554431
> > template homedir = /home/%U
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = true
> > winbind offline logon = false
> > log level = 2
> > encrypt passwords = yes
> > unix extensions = no
> > server string = Samba Server Version %v
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > security = ads
> > passdb backend = tdbsam
> > realm = MYDOMAIN.LOCAL
> > password server = my_domain_server.mydomain.local
> > local master = no
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > [release]
> > comment = Shared directory: /prod
> > path = /prod
> > browseable = yes
> > read only = no
> > valid users = developer_prod
> > guest ok = yes
> > public = yes
> > follow symlinks = yes
> > wide links = yes
> > force user = developer_prod
> > [log]
> > comment = Shared directory: /prod/log
> > path = /prod/log
> > browseable = yes
> > read only = yes
> > guest ok = yes
> > public = yes
> >
> > my nsswitch.conf file looks like:
> > passwd: files winbind
> >
> > I think the smoking gun here is that a local user's SID is showing up
> > in that "getpwuid() failed" line...
> >
> > Thanks.
>
> Are you using sssd, if so then remove 'winbind' from the 'passwd' line
> in /etc/nsswitch.conf, put back 'sss' that you must have removed.
> Remove winbind and then go and ask on the sssd-users mailing, you
> cannot use sssd and winbind.
>
> If however, you are not using sssd, then add winbind to the group line
> in /etc/nsswitch.conf then make [global] in smb.conf look like this:
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> server string = Samba Server Version %v
> security = ads
> template homedir = /home/%U
> template shell = /bin/bash
> winbind use default domain = true
> log level = 2
> unix extensions = no
> log file = /var/log/samba/log.%m
> max log size = 50
> local master = no
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-999999
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Rowland

--
-Mike Schwager