1) Does 'getent passwd policia\gafranchello' produce output when run on a Unix client ?

If I try to log on on the Unix console:

--> auth.log
Jul 2 14:13:59 samba-cliente sshd[11654]: Invalid user POLICIA+gafranchello from 172.33.10.1
Jul 2 14:13:59 samba-cliente sshd[11654]: input_userauth_request: invalid user POLICIA+gafranchello [preauth]
Jul 2 14:14:04 samba-cliente sshd[11654]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 2 14:14:04 samba-cliente sshd[11654]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Jul 2 14:14:04 samba-cliente sshd[11654]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 14:14:04 samba-cliente sshd[11654]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.33.10.1
Jul 2 14:14:05 samba-cliente sshd[11654]: Failed password for invalid user POLICIA+gafranchello from 172.33.10.1 port 54715 ssh2
----
Jul 2 14:22:07 samba-cliente sshd[11699]: Invalid user policia\\gafranchello from 172.33.10.1
Jul 2 14:22:07 samba-cliente sshd[11699]: input_userauth_request: invalid user policia\\\\gafranchello [preauth]
Jul 2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul 2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): user 'policia\gafranchello' denied access (incorrect password or invalid membership)
Jul 2 14:22:09 samba-cliente sshd[11699]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 14:22:09 samba-cliente sshd[11699]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.33.10.1
Jul 2 14:22:11 samba-cliente sshd[11699]: Failed password for invalid user policia\\gafranchello from 172.33.10.1 port 54725 ssh2
---
This is another user that is created on the machine and can log on on the desktop client with domain credentials, but can't log on on the Unix/console client:

Jul 2 14:23:15 samba-cliente sshd[11703]: Invalid user policia\\jmperrote from 172.33.10.1
Jul 2 14:23:15 samba-cliente sshd[11703]: input_userauth_request: invalid user policia\\\\jmperrote [preauth]
Jul 2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul 2 14:23:19 samba-cliente sshd[11703]: pam_winbind(sshd:auth): user 'policia\jmperrote' denied access (incorrect password or invalid membership)
Jul 2 14:23:19 samba-cliente sshd[11703]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 14:23:19 samba-cliente sshd[11703]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.33.10.1
Jul 2 14:23:22 samba-cliente sshd[11703]: Failed password for invalid user policia\\jmperrote from 172.33.10.1 port 54726 ssh2
Jul 2 14:23:40 samba-cliente sshd[11703]: Connection closed by 172.33.10.1 port 54726 [preauth]

2) What are the 'other purposes' you are using LDAP for ? Most, if not all, can be added to Samba AD.

The thing is very complex because we have various products authenticating with LDAP (squid/git/syspass/moodle/openfire/zentyal/etc.) and we have modified and adapted the LDAP schema with some LDAP entries for these products, the Samba schema in the same schema (we have only one LDAP schema), and we interact with this via an ad hoc developed interface. Changing or updating Samba to Samba 4 AD implies that we have to change the Unix schema, recode the interface, tests, etc.; it is too much time.

We tried once to implement Samba 4 AD and noticed that the LDAP schema is very different from the one we have, so many changes that it implies too much development on the interface. Now I am thinking that it is possible to make another LDAP schema just for Samba 4 AD and continue using the other one for the rest of the products, but this implies redesigning the interface to update users and groups on both schemas.

Another question: thinking of Samba 4 AD, when a user logs on on a desktop client, can it map or access resources shared on the Samba server directly, or does it need to authenticate almost at once ? Because currently on Windows clients this is not needed: when a user logs on to the domain they can map or access shared folders without authenticating again.

Regards.

On Thu, 2 Jul 2020 at 9:52, Rowland penny via samba (<samba at lists.samba.org>) wrote:
> On 02/07/2020 13:03, jmpatagonia via samba wrote:
> > Hello, we use a Samba with an old LDAP (zentyal-ebox); for now it is
> > impossible to update to a new Samba version because we use the LDAP schema
> > repository for other purposes, so we can't move to another version that
> > supports Samba 4 AD; for the moment we just keep this version.
> > It is possible to join and validate users with a Linux desktop; we actually
> > use a lot of clients with Windows XP/7 and they work perfectly.
>
> This gets worse, XP and Windows 7 are both EOL, but you have what you
> have :-(
>
> Does 'getent passwd policia\gafranchello' produce output when run on a
> Unix client ?
>
> What are the 'other purposes' you are using LDAP for ? Most, if not all,
> can be added to Samba AD.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 02/07/2020 18:27, jmpatagonia via samba wrote:
> 1) Does 'getent passwd policia\gafranchello' produce output when run on a
> Unix client ?
> If I try to log on on the Unix console
>
> --> auth.log
> Jul 2 14:13:59 samba-cliente sshd[11654]: Invalid user
> POLICIA+gafranchello from 172.33.10.1

Try adding these lines to all of your Unix machines:

client max protocol = NT1
server max protocol = NT1

They will force your Samba machines to use SMBv1 and you need it for an NT4-style domain (so yet another reason to upgrade)

I take it that the machine is running headless, so can you log in via ssh as a Unix user and run the getent command ?

Until your users are known via 'getent' or 'id', then you will not get Samba to work correctly.

> The thing is very complex because we have various products authenticating
> with LDAP (squid/git/syspass/moodle/openfire/zentyal/etc.) and we have
> modified and adapted the LDAP schema with some LDAP entries for these
> products, the Samba schema in the same schema (we have only one LDAP
> schema), and we interact with this via an ad hoc developed interface.
> Changing or updating Samba to Samba 4 AD implies that we have to change the
> Unix schema, recode the interface, tests, etc.; it is too much time.

Not half as much time as you will spend if your domain totally stops working. Take smbldap-tools for instance, this isn't just EOL, it is dead and disappeared, you cannot find the source code repository anywhere on the internet, it is no longer maintained, so sooner or later it will be removed by the distro's.

> We tried once to implement Samba 4 AD and noticed that the LDAP schema is
> very different from the one we have, so many changes that it implies too
> much development on the interface.

Yes AD uses its own schema and must be extended differently from openldap etc, but it can be extended.

> Now I am thinking that it is possible to make another LDAP schema just for
> Samba 4 AD and continue using the other one for the rest of the products,
> but this implies redesigning the interface to update users and groups on
> both schemas.

That is the problem with trying to maintain two ldap versions

> Another question: thinking of Samba 4 AD, when a user logs on on a desktop
> client, can it map or access resources shared on the Samba server directly,
> or does it need to authenticate almost at once ? Because currently on
> Windows clients this is not needed: when a user logs on to the domain they
> can map or access shared folders without authenticating again.

In this instance, a Samba AD client or server should work like a Windows client or server.

From the list of programs you listed above, I can not see one that cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.

If you require help in upgrading, we are here to help you.

Rowland
Ok, now from the desktop logon apparently the user logs on right, look at user 'policia\gafranchello' granted access in the trace below, but it still tells me "Invalid password please try again":

Jul 2 16:15:03 samba-cliente polkitd(authority=local): Unregistered Authentication Agent for unix-session:c6 (system bus name :1.231, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 2 16:15:05 samba-cliente lightdm: pam_unix(lightdm:session): session closed for user jmperrote
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm:session): pam_kwallet: pam_sm_close_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session
Jul 2 16:15:05 samba-cliente systemd-logind[635]: Removed session c6.
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul 2 16:15:05 samba-cliente lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jul 2 16:15:05 samba-cliente systemd-logind[635]: New session c7 of user lightdm.
Jul 2 16:15:05 samba-cliente systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:session): (null): pam_sm_open_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:session): pam_kwallet: open_session called without kwallet_key
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:session): (null): pam_sm_open_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:session): pam_kwallet5: open_session called without kwallet5_key
Jul 2 16:15:25 samba-cliente lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
Jul 2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user 'policia\gafranchello' granted access
Jul 2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(gafranchello))
Jul 2 16:15:31 samba-cliente dbus[653]: [system] Failed to activate service 'org.bluez': timed out

And from the Unix console it does not work, same error:

Jul 2 16:20:41 samba-cliente sshd[13844]: Invalid user policia\\gafranchello from 172.33.10.1
Jul 2 16:20:41 samba-cliente sshd[13844]: input_userauth_request: invalid user policia\\\\gafranchello [preauth]
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): user 'policia\gafranchello' denied access (incorrect password or invalid membership)
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.33.10.1
Jul 2 16:20:45 samba-cliente sshd[13844]: Failed password for invalid user policia\\gafranchello from 172.33.10.1 port 55002 ssh2

These commands work fine -->

root@samba-cliente:/etc/samba# wbinfo -m
BUILTIN
SAMBA-CLIENTE
POLICIA

root@samba-cliente:/etc/samba# net rpc testjoin -U jmperrote
Join to 'POLICIA' is OK

root@samba-cliente:/etc/samba# net rpc info -U jmperrote
Enter jmperrote's password:
Domain Name: POLICIA
Domain SID: S-1-5-21-2536628940-703160423-1994053749
Sequence number: 1593717825
Num users: 9469
Num domain groups: 82
Num local groups: 0

root@samba-cliente:/etc/samba# wbinfo -g | grep repar
fs_dg2_repar

root@samba-cliente:/etc/samba# getent group fs_dg2_repar
fs_dg2_repar:x:10000036:

root@samba-cliente:/etc/samba# wbinfo -N samba-cliente
10.11.37.149 samba-cliente

root@samba-cliente:/etc/samba# id
uid=0(root) gid=0(root) groups=0(root),15001(BUILTIN\users)

But 'getent passwd' and 'getent group' do not work; they run for several seconds and only return local users/groups.

On Thu, 2 Jul 2020 at 15:46, Rowland penny via samba (<samba at lists.samba.org>) wrote:
> On 02/07/2020 18:27, jmpatagonia via samba wrote:
> > 1) Does 'getent passwd policia\gafranchello' produce output when run on a
> > Unix client ?
> > If I try to log on on the Unix console
> >
> > --> auth.log
> > Jul 2 14:13:59 samba-cliente sshd[11654]: Invalid user
> > POLICIA+gafranchello from 172.33.10.1
>
> Try adding these lines to all of your Unix machines:
>
> client max protocol = NT1
> server max protocol = NT1
>
> They will force your Samba machines to use SMBv1 and you need it for an
> NT4-style domain (so yet another reason to upgrade)
>
> I take it that the machine is running headless, so can you log in via
> ssh as a Unix user and run the getent command ?
>
> Until your users are known via 'getent' or 'id', then you will not get
> Samba to work correctly.
>
> > The thing is very complex because we have various products authenticating
> > with LDAP (squid/git/syspass/moodle/openfire/zentyal/etc.) and we have
> > modified and adapted the LDAP schema with some LDAP entries for these
> > products, the Samba schema in the same schema (we have only one LDAP
> > schema), and we interact with this via an ad hoc developed interface.
> > Changing or updating Samba to Samba 4 AD implies that we have to change the
> > Unix schema, recode the interface, tests, etc.; it is too much time.
> Not half as much time as you will spend if your domain totally stops
> working. Take smbldap-tools for instance, this isn't just EOL, it is
> dead and disappeared, you cannot find the source code repository
> anywhere on the internet, it is no longer maintained, so sooner or later
> it will be removed by the distro's.
> > We tried once to implement Samba 4 AD and noticed that the LDAP schema is
> > very different from the one we have, so many changes that it implies too
> > much development on the interface.
> Yes AD uses its own schema and must be extended differently from
> openldap etc, but it can be extended.
> > Now I am thinking that it is possible to make another LDAP schema just for
> > Samba 4 AD and continue using the other one for the rest of the products,
> > but this implies redesigning the interface to update users and groups on
> > both schemas.
> That is the problem with trying to maintain two ldap versions
> > Another question: thinking of Samba 4 AD, when a user logs on on a desktop
> > client, can it map or access resources shared on the Samba server directly,
> > or does it need to authenticate almost at once ? Because currently on
> > Windows clients this is not needed: when a user logs on to the domain they
> > can map or access shared folders without authenticating again.
>
> In this instance, a Samba AD client or server should work like a Windows
> client or server.
>
> From the list of programs you listed above, I can not see one that
> cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.
>
> If you require help in upgrading, we are here to help you.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
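As an added example (my own code, not something posted in this thread or shipped with Samba), here is a small Python triage over auth.log lines of the kind quoted above. The point it makes visible is that two different layers are failing in these traces: NSS (sshd's "Invalid user" and pam_unix's getpwnam failure) and the domain controller's answer relayed by pam_winbind (the NTSTATUS code). Rowland's remark that nothing works until 'getent' or 'id' resolve the user is exactly the NSS half. The sample lines are constructed from the excerpts in this thread; the session keys, the verdict tags and the advice strings are my own naming, and 'winbind separator' is mentioned only as the smb.conf setting that governs the DOMAIN+user versus DOMAIN\user form seen in the two sshd attempts.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the auth.log excerpts quoted in this thread
# (host name, PIDs, account names and addresses copied from the post; this is
# not a live capture and nothing here was run against the poster's machine).
SAMPLE_LOG = [
    "Jul  2 14:13:59 samba-cliente sshd[11654]: Invalid user POLICIA+gafranchello from 172.33.10.1",
    "Jul  2 14:14:04 samba-cliente sshd[11654]: pam_winbind(sshd:auth): request wbcLogonUser failed: "
    "WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, "
    "Error message was: No such user",
    "Jul  2 14:22:07 samba-cliente sshd[11699]: Invalid user policia\\\\gafranchello from 172.33.10.1",
    "Jul  2 14:22:09 samba-cliente sshd[11699]: pam_winbind(sshd:auth): request wbcLogonUser failed: "
    "WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, "
    "Error message was: Wrong Password",
    "Jul  2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user 'policia\\gafranchello' granted access",
    "Jul  2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(gafranchello))",
]

# syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional, e.g. lightdm)
_PREFIX = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")
# sshd could not resolve the login name through NSS (getpwnam failed before PAM ran)
_INVALID = re.compile(r"^Invalid user (\S+) from \S+")
# pam_winbind forwarded the credentials and the DC answered with an NTSTATUS code
_WB_FAIL = re.compile(r"pam_winbind\([^)]*\): request wbcLogonUser failed: .*NTSTATUS: ([A-Z_]+)")
_WB_OK = re.compile(r"pam_winbind\([^)]*\): user '([^']+)' granted access")
# pam_unix account phase: password accepted upstream, but NSS still has no such user
_NSS_FAIL = re.compile(r"pam_unix\([^)]*:account\): could not identify user \(from getpwnam\(([^)]+)\)\)")

ADVICE = {
    "nss-unknown+dc-granted":
        "winbind authenticated the user but getpwnam() fails: NSS does not see domain "
        "accounts. Fix nsswitch.conf / idmap until 'getent passwd' and 'id' resolve the user.",
    "nss-unknown+dc-wrong-password":
        "the DC knows the account but rejected the password; the name is also unknown to "
        "NSS, so the login would fail even with the right password.",
    "nss-unknown+dc-no-such-user":
        "the DC does not know this account name. Compare with the other name form in the "
        "same log (DOMAIN+user vs DOMAIN\\user) and the 'winbind separator' smb.conf setting.",
    "nss-unknown":
        "NSS cannot resolve the name and winbind was never consulted; check the PAM stack.",
}

def parse(lines):
    """Group evidence per PAM session (host:prog[pid]) and record which layer said what."""
    sessions = OrderedDict()
    for line in lines:
        m = _PREFIX.match(line)
        if not m:
            continue
        host, prog, pid, msg = m.groups()
        key = f"{host}:{prog}" + (f"[{pid}]" if pid else "")
        ev = sessions.setdefault(key, {"user": None, "nss_unknown": False, "winbind": None})
        if (mm := _INVALID.match(msg)):
            ev["user"], ev["nss_unknown"] = mm.group(1), True
        elif (mm := _WB_FAIL.search(msg)):
            ev["winbind"] = mm.group(1)
        elif (mm := _WB_OK.search(msg)):
            ev["user"], ev["winbind"] = mm.group(1), "GRANTED"
        elif (mm := _NSS_FAIL.search(msg)):
            ev["nss_unknown"] = True
            ev["user"] = ev["user"] or mm.group(1)
    return sessions

def verdict(ev):
    """Combine the NSS and DC outcomes into a tag such as 'nss-unknown+dc-granted'."""
    parts = []
    if ev["nss_unknown"]:
        parts.append("nss-unknown")
    if ev["winbind"] == "GRANTED":
        parts.append("dc-granted")
    elif ev["winbind"]:
        parts.append("dc-" + ev["winbind"].replace("NT_STATUS_", "", 1).lower().replace("_", "-"))
    return "+".join(parts) or "undetermined"

def triage(lines):
    """Return {session: (user, verdict tag, advice)} for every PAM session in the log."""
    out = OrderedDict()
    for key, ev in parse(lines).items():
        tag = verdict(ev)
        out[key] = (ev["user"], tag, ADVICE.get(tag, "no rule for this combination; read the whole session"))
    return out

if __name__ == "__main__":
    for key, (user, tag, advice) in triage(SAMPLE_LOG).items():
        print(f"{key}  user={user}  {tag}\n    {advice}")
```

Run it against a real /var/log/auth.log by passing the file's lines to triage(); the lightdm session in the sample is the interesting one, because it shows the DC saying yes while the local account phase still cannot find the user, which is why the desktop reports a wrong password even though the password was right.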
On 7/2/20 1:45 PM, Rowland penny via samba wrote:
> On 02/07/2020 18:27, jmpatagonia via samba wrote:
>> 1) Does 'getent passwd policia\gafranchello' produce output when run
>> on a Unix client ?
>> If I try to log on on the Unix console
>>
>> --> auth.log
>> Jul 2 14:13:59 samba-cliente sshd[11654]: Invalid user
>> POLICIA+gafranchello from 172.33.10.1
>
> Try adding these lines to all of your Unix machines:
>
> client max protocol = NT1
> server max protocol = NT1
>
> They will force your Samba machines to use SMBv1 and you need it for
> an NT4-style domain (so yet another reason to upgrade)
>
> I take it that the machine is running headless, so can you log in via
> ssh as a Unix user and run the getent command ?
>
> Until your users are known via 'getent' or 'id', then you will not get
> Samba to work correctly.
>
>> The thing is very complex because we have various products
>> authenticating with LDAP (squid/git/syspass/moodle/openfire/zentyal/etc.)
>> and we have modified and adapted the LDAP schema with some LDAP entries
>> for these products, the Samba schema in the same schema (we have only
>> one LDAP schema), and we interact with this via an ad hoc developed
>> interface. Changing or updating Samba to Samba 4 AD implies that we
>> have to change the Unix schema, recode the interface, tests, etc.; it
>> is too much time.
> Not half as much time as you will spend if your domain totally stops
> working. Take smbldap-tools for instance, this isn't just EOL, it is
> dead and disappeared, you cannot find the source code repository
> anywhere on the internet, it is no longer maintained, so sooner or
> later it will be removed by the distro's.

Oddly enough, after languishing untouched for nearly 8 years, Debian has had 3 smbldap-tools updates this year, although you will need to use Bullseye to get the updates.

https://packages.debian.org/bullseye/smbldap-tools
https://metadata.ftp-master.debian.org/changelogs//main/s/smbldap-tools/smbldap-tools_0.9.11-1_changelog

Dale

>> We tried once to implement Samba 4 AD and noticed that the LDAP schema is
>> very different from the one we have, so many changes that it implies too
>> much development on the interface.
> Yes AD uses its own schema and must be extended differently from
> openldap etc, but it can be extended.
>> Now I am thinking that it is possible to make another LDAP schema just
>> for Samba 4 AD and continue using the other one for the rest of the
>> products, but this implies redesigning the interface to update users
>> and groups on both schemas.
> That is the problem with trying to maintain two ldap versions
>> Another question: thinking of Samba 4 AD, when a user logs on on a
>> desktop client, can it map or access resources shared on the Samba
>> server directly, or does it need to authenticate almost at once ?
>> Because currently on Windows clients this is not needed: when a user
>> logs on to the domain they can map or access shared folders without
>> authenticating again.
>
> In this instance, a Samba AD client or server should work like a
> Windows client or server.
>
> From the list of programs you listed above, I can not see one that
> cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.
>
> If you require help in upgrading, we are here to help you.
>
> Rowland