good morning (here)

At a customer we face the issue that a new user (we tested creating via RSAT and samba-tool) can't login to the DM server, but works on the DC.

DM: gentoo linux, samba 4.6.7
DC: Debian 9.1, samba 4.6.7

-

on the DM "main":

main ~ # smbclient -L localhost -U hansi%Kwaksi29+
session setup failed: NT_STATUS_LOGON_FAILURE

main ~ # wbinfo -i hansi
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user hansi

main ~ # wbinfo -a hansi%Kwaksi29+
plaintext password authentication succeeded
challenge/response password authentication succeeded

main ~ # wbinfo -u | grep hansi
hansi

Sure, we restarted the daemons, even rebooted the server.

on DC:

# wbinfo -i hansi
ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false
I noticed the --------^^^^^^^ id ... and checked against the id range on the DM:

[global]
        realm = ARBEITSGRUPPE.THEIR.TLD
        workgroup = ARBEITSGRUPPE
        log file = /var/log/samba/%m.log
        load printers = No
        printcap name = /dev/null
        security = ADS
        username map = /etc/samba/user.map
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config arbeitsgruppe:schema_mode = rfc2307
        idmap config arbeitsgruppe:range = 10000-9999999
        idmap config arbeitsgruppe:backend = ad
        idmap config * : range = 2000-2999
        idmap config * : backend = tdb

it was 999999 before, I increased that and restarted/rebooted DM, no change.

The user can login to the domain, it only can't connect to a share on the DM (group membership is OK, we only filter for "Domain Users", and the GPOs are applied).

Any hints? What can I provide to help you help me?

Thanks, Stefan
On Fri, 1 Sep 2017 08:49:26 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> good morning (here)
>
> At a customer we face the issue that a new user (we tested creating
> via RSAT and samba-tool) can't login to the DM server, but works on
> the DC.
>
> DM: gentoo linux, samba 4.6.7
> DC: Debian 9.1, samba 4.6.7
>
> -
>
> on the DM "main":
>
> main ~ # smbclient -L localhost -U hansi%Kwaksi29+
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> main ~ # wbinfo -i hansi
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user hansi
>
> main ~ # wbinfo -a hansi%Kwaksi29+
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> main ~ # wbinfo -u | grep hansi
> hansi
>
> Sure, we restarted the daemons, even rebooted the server.
>
> on DC:
>
> # wbinfo -i hansi
> ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false
>
> I noticed the --------^^^^^^^ id ... and checked against the id range
> on the DM:

I noticed that these ^^^^^^^^^^^^ are xidNumbers. xidNumbers are only
used on a DC, they are NOT used anywhere else!

> [global]
>         realm = ARBEITSGRUPPE.THEIR.TLD
>         workgroup = ARBEITSGRUPPE
>         log file = /var/log/samba/%m.log
>         load printers = No
>         printcap name = /dev/null
>         security = ADS
>         username map = /etc/samba/user.map
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         idmap config arbeitsgruppe:schema_mode = rfc2307
>         idmap config arbeitsgruppe:range = 10000-9999999
>         idmap config arbeitsgruppe:backend = ad
>         idmap config * : range = 2000-2999
>         idmap config * : backend = tdb
>
> it was 999999 before, I increased that and restarted/rebooted DM, no
> change.
>
> The user can login to the domain, it only can't connect to a share on
> the DM (group membership is OK, we only filter for "Domain Users", and
> the GPOs are applied).

Have you given the user a 'uidNumber' attribute containing a unique
number inside 10000-9999999 ? and have you given Domain Users a
gidNumber attribute containing a number inside the same range (I don't
think you have, or it wouldn't be '100' above)

Rowland
On 2017-09-01 at 09:17, Rowland Penny via samba wrote:

>> The user can login to the domain, it only can't connect to a share on
>> the DM (group membership is OK, we only filter for "Domain Users", and
>> the GPOs are applied).
>
> Have you given the user a 'uidNumber' attribute containing a unique
> number inside 10000-9999999 ? and have you given Domain Users a
> gidNumber attribute containing a number inside the same range (I don't
> think you have, or it wouldn't be '100' above)

We expected that creating the user via RSAT would be enough.

But now as I read this I remember a similar thread from back then.

How to add that uidNumber in the easiest way? I would like to be able to let the local admin do that ... can't remember the steps anymore, something with LDAP, I assume?

thx
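The check Rowland describes (a uidNumber on the user and a gidNumber on Domain Users, both inside the idmap_ad range the domain member declares) and the follow-up question of how to add the attribute can be made mechanical. The script below is an added example, not code from the thread or from the Samba project: it parses the idmap lines of the posted smb.conf, reports why winbind's ad backend would fail to map a user whose objects lack rfc2307 attributes, and emits the LDIF that adds a missing attribute. The user and group records, the uid/gid values (10001, 10000) and the DN are constructed placeholders; the real DN has to be looked up on the DC.

```python
"""Added example (not from the thread or from Samba): verify rfc2307
attributes against the idmap_ad range of a domain member and build the
LDIF that adds a missing one.  All records below are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed: the idmap-relevant part of the [global] section posted above.
SMB_CONF = """
[global]
    realm = ARBEITSGRUPPE.THEIR.TLD
    workgroup = ARBEITSGRUPPE
    security = ADS
    winbind nss info = rfc2307
    idmap config arbeitsgruppe:schema_mode = rfc2307
    idmap config arbeitsgruppe:range = 10000-9999999
    idmap config arbeitsgruppe:backend = ad
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
"""

# Matches "idmap config <domain> : <key> = <value>" with optional blanks around ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased idmap domain name -> {key: value}."""
    idmap: Dict[str, Dict[str, str]] = {}
    for m in IDMAP_RE.finditer(conf):
        idmap.setdefault(m["dom"].lower(), {})[m["key"].lower()] = m["val"]
    return idmap


def id_range(idmap: Dict[str, Dict[str, str]], domain: str) -> Tuple[int, int]:
    """Return (low, high) of the domain's 'range = low-high' setting."""
    lo, hi = idmap[domain.lower()]["range"].split("-")
    return int(lo), int(hi)


def check_rfc2307(idmap: Dict[str, Dict[str, str]], domain: str,
                  user: Dict[str, str], group: Dict[str, str]) -> List[str]:
    """Reasons the ad backend could not map `user`; empty list means the
    uidNumber and the primary group's gidNumber are present and in range."""
    cfg = idmap.get(domain.lower(), {})
    if cfg.get("backend", "").lower() != "ad":
        return [f"{domain}: idmap backend is not 'ad', rfc2307 attributes are not used"]
    lo, hi = id_range(idmap, domain)
    problems: List[str] = []
    for obj, attr in ((user, "uidNumber"), (group, "gidNumber")):
        name = obj.get("sAMAccountName", "?")
        if attr not in obj:
            problems.append(f"{name}: no {attr} attribute, winbind cannot map it")
        elif not lo <= int(obj[attr]) <= hi:
            problems.append(f"{name}: {attr}={obj[attr]} is outside {lo}-{hi}")
    # The user's own gidNumber (used for the passwd entry with nss info = rfc2307)
    # should be the gidNumber of its primary group.
    if "gidNumber" in user and "gidNumber" in group and user["gidNumber"] != group["gidNumber"]:
        problems.append(f"{user.get('sAMAccountName')}: gidNumber differs from primary group")
    return problems


def ldif_add(dn: str, attr: str, value: int) -> str:
    """LDIF change record that adds one attribute (input for ldbmodify/ldapmodify)."""
    return f"dn: {dn}\nchangetype: modify\nadd: {attr}\n{attr}: {value}\n"


# Constructed records: objects as RSAT creates them (no rfc2307 attributes)
# and after the attributes were added.  Values are placeholders.
HANSI_BEFORE = {"sAMAccountName": "hansi"}
DOMAIN_USERS_BEFORE = {"sAMAccountName": "Domain Users"}
HANSI_AFTER = {"sAMAccountName": "hansi", "uidNumber": "10001", "gidNumber": "10000"}
DOMAIN_USERS_AFTER = {"sAMAccountName": "Domain Users", "gidNumber": "10000"}

if __name__ == "__main__":
    idmap = parse_idmap(SMB_CONF)
    for tag, u, g in (("before", HANSI_BEFORE, DOMAIN_USERS_BEFORE),
                      ("after", HANSI_AFTER, DOMAIN_USERS_AFTER)):
        print(tag, check_rfc2307(idmap, "ARBEITSGRUPPE", u, g) or ["ok"])
    # Placeholder DN; find the real one with ldbsearch on the DC before using this.
    print(ldif_add("CN=hansi,CN=Users,DC=arbeitsgruppe,DC=their,DC=tld", "uidNumber", 10001))
```

The "before" run lists exactly the two gaps from Rowland's reply; the "after" run is clean. On the DC the generated LDIF can be applied to sam.ldb with ldbmodify, or the same attributes can be set in the Attribute Editor tab of Active Directory Users and Computers; either way the uidNumber must be unique within the range and the gidNumber on Domain Users must exist before the domain member can resolve the user.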