samba - Jun 2019 - Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

So I re run the test with domain users gid 14513

Still not working (sssd stopped, nsswitch.cnf with? "files winbind"
for
passwd group, # net cache flush + restart winbindd smb)

On the samba server :
# wbinfo -i MYDOMAIN\usertest
MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash

In log, I have :

myw7worstation.log
/[2019/06/19 12:04:29.496822,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
//[2019/06/19 12:04:34.085421,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
//[2019/06/19 12:05:22.113816,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
//[2019/06/19 12:05:27.124307,? 1] 
../source3/smbd/service.c:521(make_connection_snum)//
//? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED/

log.winbindd-idmap
/[2019/06/19 12:04:29.464431,? 1] 
../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
//? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
transaction error pending//
//[2019/06/19 12:04:29.464460,? 1] 
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
//? Error allocating a new GID//
//[2019/06/19 12:04:29.464606,? 1] 
../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
//? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
transaction error pending//
//[2019/06/19 12:04:29.464622,? 1] 
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
//? Error allocating a new GID/

And when I try to mount the share manually (same syntax than the one in 
the logon script), I get :
net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
"invalid password for \\mysambaserver\groups"
and System error 5

In smb.cnf, I set valid users = @"utilisateurs du domaine at
MYDOMAIN.LOCAL"
Can it be the reason ?

On 19/06/2019 16:16, Edouard Guign? via samba wrote:
> So I re run the test with domain users gid 14513
>
> Still not working (sssd stopped, nsswitch.cnf with? "files
winbind"
> for passwd group, # net cache flush + restart winbindd smb)
>
> On the samba server :
> # wbinfo -i MYDOMAIN\usertest
> MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash
>
> In log, I have :
>
> myw7worstation.log
> /[2019/06/19 12:04:29.496822,? 1] 
> ../source3/smbd/service.c:521(make_connection_snum)//
> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
> //[2019/06/19 12:04:34.085421,? 1] 
> ../source3/smbd/service.c:521(make_connection_snum)//
> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
> //[2019/06/19 12:05:22.113816,? 1] 
> ../source3/smbd/service.c:521(make_connection_snum)//
> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
> //[2019/06/19 12:05:27.124307,? 1] 
> ../source3/smbd/service.c:521(make_connection_snum)//
> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED/
>
> log.winbindd-idmap
> /[2019/06/19 12:04:29.464431,? 1] 
> ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
> //? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
> transaction error pending//
> //[2019/06/19 12:04:29.464460,? 1] 
> ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
> //? Error allocating a new GID//
> //[2019/06/19 12:04:29.464606,? 1] 
> ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
> //? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
> transaction error pending//
> //[2019/06/19 12:04:29.464622,? 1] 
> ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
> //? Error allocating a new GID/
>
> And when I try to mount the share manually (same syntax than the one 
> in the logon script), I get :
> net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
> "invalid password for \\mysambaserver\groups"
> and System error 5
>
> In smb.cnf, I set valid users = @"utilisateurs du domaine at
MYDOMAIN.LOCAL"
> Can it be the reason ?
>
>
Lets start again:

Do your users have a uidNumber attribute ?

If so, are the contents of these uidNumber attributes, numbers inside 
'10000-14999' ?

Does 'Domain Users' have a gidNumber attribute containing a number 
inside '10000-14999' ?

Does 'getent passwd <A_DOMAIN_USER>' return output ?

Note: Replace '<A_DOMAIN_USER>' with a valid domain username, if
you do
not have 'winbind use default domain = yes' in smb.conf, this will be in
the format 'DOMAIN\\username'

Does 'getent group Domain\ Users' return output ?

Rowland

The 2 commands works :
# getent passwd MYDOMAIN\\usertest
MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash

# getent group MYDOMAIN\\"Utilisateurs du domaine"
MYDOMAIN\utilisateurs du domaine:x:14513:

I have to put "Utilisateurs du domaine" instead of Domain\ Users
because
the Windows AD is a french AD.


Le 19/06/2019 ? 12:32, Rowland penny via samba a ?crit?:
> On 19/06/2019 16:16, Edouard Guign? via samba wrote:
>> So I re run the test with domain users gid 14513
>>
>> Still not working (sssd stopped, nsswitch.cnf with? "files
winbind"
>> for passwd group, # net cache flush + restart winbindd smb)
>>
>> On the samba server :
>> # wbinfo -i MYDOMAIN\usertest
>> MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash
>>
>> In log, I have :
>>
>> myw7worstation.log
>> /[2019/06/19 12:04:29.496822,? 1] 
>> ../source3/smbd/service.c:521(make_connection_snum)//
>> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
>> //[2019/06/19 12:04:34.085421,? 1] 
>> ../source3/smbd/service.c:521(make_connection_snum)//
>> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
>> //[2019/06/19 12:05:22.113816,? 1] 
>> ../source3/smbd/service.c:521(make_connection_snum)//
>> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED//
>> //[2019/06/19 12:05:27.124307,? 1] 
>> ../source3/smbd/service.c:521(make_connection_snum)//
>> //? create_connection_session_info failed: NT_STATUS_ACCESS_DENIED/
>>
>> log.winbindd-idmap
>> /[2019/06/19 12:04:29.464431,? 1] 
>> ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
>> //? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
>> transaction error pending//
>> //[2019/06/19 12:04:29.464460,? 1] 
>>
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
>> //? Error allocating a new GID//
>> //[2019/06/19 12:04:29.464606,? 1] 
>> ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)//
>> //? tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: 
>> transaction error pending//
>> //[2019/06/19 12:04:29.464622,? 1] 
>>
../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)//
>> //? Error allocating a new GID/
>>
>> And when I try to mount the share manually (same syntax than the one 
>> in the logon script), I get :
>> net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
>> "invalid password for \\mysambaserver\groups"
>> and System error 5
>>
>> In smb.cnf, I set valid users = @"utilisateurs du 
>> domaine at MYDOMAIN.LOCAL"
>> Can it be the reason ?
>>
>>
> Lets start again:
>
> Do your users have a uidNumber attribute ?
>
> If so, are the contents of these uidNumber attributes, numbers inside 
> '10000-14999' ?
>
> Does 'Domain Users' have a gidNumber attribute containing a number 
> inside '10000-14999' ?
>
> Does 'getent passwd <A_DOMAIN_USER>' return output ?
>
> Note: Replace '<A_DOMAIN_USER>' with a valid domain username,
if you
> do not have 'winbind use default domain = yes' in smb.conf, this
will
> be in the format 'DOMAIN\\username'
>
> Does 'getent group Domain\ Users' return output ?
>
> Rowland
>
>
>