Epsilon Minus
2020-Sep-10 20:28 UTC
[Samba] Samba as member of DC - NT_STATUS_LOGON_FAILURE
Hello!

And I have a problem with user validation. wbinfo works well, but I can't use the AD users.

root@samba01:~# smbclient -L 127.0.0.1 -Ugalerna\\gcarballo
Enter GALERNA\gcarballo's password:
session setup failed: NT_STATUS_LOGON_FAILURE

root@samba01:~# smbclient -L 127.0.0.1 -Ugalerna\\administrator
Enter GALERNA\administrator's password:

Administrator works with the root mapping:

root@samba01:~# cat /etc/samba/user.map
!root = GALERNA\Administrator

        Sharename       Type      Comment
        ---------       ----      -------
        Publica         Disk
        IPC$            IPC       IPC Service (Samba 4.11.6-Ubuntu)
SMB1 disabled -- no workgroup available

I read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members

Configuration:

root@samba01:~# samba -V
Version 4.11.6-Ubuntu

root@samba01:~# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = GALERNA
realm = GALERNA.COM.AR
log file = /var/log/samba/%m.log
log level = 10
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config GALERNA :backend = ad
idmap config GALERNA :range = 10000-999999
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
## So that the domain declared in workgroup is the default:
winbind use default domain = yes

I run:

getent passwd "galerna\administrator"

It doesn't display anything, or:

root@samba01:~# id "galerna\administrator"
id: ‘galerna\\administrator’: no such user

root@samba01:~# net ads info
LDAP server: 192.168.1.245
LDAP server name: dc01.galerna.com.ar
Realm: GALERNA.COM.AR
Bind Path: dc=GALERNA,dc=COM,dc=AR
LDAP port: 389
Server time: Thu, 10 Sep 2020 17:22:43 -03
KDC server: 192.168.1.245
Server time offset: 0
Last machine account password change: Thu, 10 Sep 2020 16:34:06 -03

nsswitch.conf:

root@samba01:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files winbind compat systemd
group: files winbind compat systemd
shadow: files
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Log:

[2020/09/10 17:15:13.115954, 10, pid=162, effective(0, 0), real(0, 0), class=tdb] ../../source3/lib/gencache.c:222(gencache_set_data_blob)
  gencache_set_data_blob: Adding cache entry with key=[NAME2SID/GALERNA\GCARBALLO] and timeout=[Thu Sep 10 17:20:13 2020 -03] (300 seconds ahead)
[2020/09/10 17:15:13.116028, 5, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_pam.c:3298(winbindd_pam_auth_pac_verify)
  winbindd_pam_auth_pac_verify: PAC for user GALERNA\gcarballo SID S-1-5-21-2104135160-127914087-578546287-1107 primed cache
[2020/09/10 17:15:13.116127, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:806(process_request_done)
  process_request_done: [nss_winbind(450):PAM_AUTH_CRAP]: NT_STATUS_OK
[2020/09/10 17:15:13.116222, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:851(process_request_written)
  process_request_written: [nss_winbind(450):PAM_AUTH_CRAP]: delivered response to client
[2020/09/10 17:15:13.120611, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:740(process_request_send)
  process_request_send: process_request: Handling async request nss_winbind(450):GETPWNAM
[2020/09/10 17:15:13.120673, 3, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  winbindd_getpwnam_send: [nss_winbind (450)] getpwnam galerna\gcarballo
[2020/09/10 17:15:13.120769, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'GALERNA'
      name : *
        name : 'GCARBALLO'
      flags : 0x00000008 (8)
[2020/09/10 17:15:13.121393, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:4812(wcache_store_ndr)
  could not fetch seqnum for domain GALERNA
[2020/09/10 17:15:13.121488, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-2104135160-127914087-578546287-1107
      result : NT_STATUS_OK
[2020/09/10 17:15:13.121705, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
  SID 0: S-1-5-21-2104135160-127914087-578546287-1107
[2020/09/10 17:15:13.121785, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:57(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: value=[-1:N]
[2020/09/10 17:15:13.121859, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: id=[4294967295], endptr=[:N]
[2020/09/10 17:15:13.121922, 5, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2104135160-127914087-578546287-1107: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.122003, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:806(process_request_done)
  process_request_done: [nss_winbind(450):GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.122087, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:851(process_request_written)
  process_request_written: [nss_winbind(450):GETPWNAM]: delivered response to client
[2020/09/10 17:15:13.122810, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:740(process_request_send)
  process_request_send: process_request: Handling async request nss_winbind(450):GETPWNAM
[2020/09/10 17:15:13.122871, 3, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  winbindd_getpwnam_send: [nss_winbind (450)] getpwnam GALERNA\gcarballo
[2020/09/10 17:15:13.122935, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'GALERNA'
      name : *
        name : 'GCARBALLO'
      flags : 0x00000008 (8)
[2020/09/10 17:15:13.123391, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:4812(wcache_store_ndr)
  could not fetch seqnum for domain GALERNA
[2020/09/10 17:15:13.123478, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-2104135160-127914087-578546287-1107
      result : NT_STATUS_OK
[2020/09/10 17:15:13.123676, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
  SID 0: S-1-5-21-2104135160-127914087-578546287-1107
[2020/09/10 17:15:13.123737, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:57(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: value=[-1:N]
[2020/09/10 17:15:13.123807, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: id=[4294967295], endptr=[:N]
[2020/09/10 17:15:13.123872, 5, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2104135160-127914087-578546287-1107: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.123948, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:806(process_request_done)
  process_request_done: [nss_winbind(450):GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.124034, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:851(process_request_written)
  process_request_written: [nss_winbind(450):GETPWNAM]: delivered response to client
[2020/09/10 17:15:13.124711, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:740(process_request_send)
  process_request_send: process_request: Handling async request nss_winbind(450):GETPWNAM
[2020/09/10 17:15:13.124772, 3, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  winbindd_getpwnam_send: [nss_winbind (450)] getpwnam GALERNA\GCARBALLO
[2020/09/10 17:15:13.124835, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'GALERNA'
      name : *
        name : 'GCARBALLO'
      flags : 0x00000008 (8)
[2020/09/10 17:15:13.125268, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_cache.c:4812(wcache_store_ndr)
  could not fetch seqnum for domain GALERNA
[2020/09/10 17:15:13.125356, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_USER (1)
      sid : *
        sid : S-1-5-21-2104135160-127914087-578546287-1107
      result : NT_STATUS_OK
[2020/09/10 17:15:13.125553, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/wb_sids2xids.c:113(wb_sids2xids_send)
  SID 0: S-1-5-21-2104135160-127914087-578546287-1107
[2020/09/10 17:15:13.125614, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:57(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: value=[-1:N]
[2020/09/10 17:15:13.125685, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: id=[4294967295], endptr=[:N]
[2020/09/10 17:15:13.125750, 5, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2104135160-127914087-578546287-1107: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.125827, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:806(process_request_done)
  process_request_done: [nss_winbind(450):GETPWNAM]: NT_STATUS_NO_SUCH_USER
[2020/09/10 17:15:13.125913, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:851(process_request_written)
  process_request_written: [nss_winbind(450):GETPWNAM]: delivered response to client
[2020/09/10 17:15:13.126695, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:740(process_request_send)
  process_request_send: process_request: Handling async request nss_winbind(450):GETPWNAM
[2020/09/10 17:15:13.126756, 3, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:59(winbindd_getpwnam_send)
  winbindd_getpwnam_send: [nss_winbind (450)] getpwnam gcarballo
[2020/09/10 17:15:13.126820, 1, pid=162, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    in: struct wbint_LookupName
      domain : *
        domain : 'GALERNA'
      name : *
        name : 'GCARBALLO'
      flags : 0x00000008 (8)

Thanks!
Rowland penny
2020-Sep-11 07:16 UTC
[Samba] Samba as member of DC - NT_STATUS_LOGON_FAILURE
On 10/09/2020 21:28, Epsilon Minus via samba wrote:
> Hello !
>
> And I have a problem with user validation. wbinfo works well, but I can't
> use the AD users.
>
Have you added uidNumber & gidNumber attributes to AD ?

Rowland
Epsilon Minus
2020-Sep-11 18:03 UTC
[Samba] Samba as member of DC - NT_STATUS_LOGON_FAILURE
On Fri, 11 Sep 2020 at 4:17, Rowland penny via samba (<samba at lists.samba.org>) wrote:
>
> On 10/09/2020 21:28, Epsilon Minus via samba wrote:
> > Hello !
> >
> > And I have a problem with user validation. wbinfo works well, but I can't
> > use the AD users.
> >
> Have you added uidNumber & gidNumber attributes to AD ?
>
> Rowland

I use RFC2307 on the provision, but I don't edit anything of uidNumber & gidNumber.

I changed the backend to rid and the validation works, but I don't understand the change.

[global]
security = ADS
workgroup = GALERNA
realm = GALERNA.COM.AR
log file = /var/log/samba/%m.log
log level = 10
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config GALERNA :backend = rid <<<<<-----------
idmap config GALERNA:schema_mode = rfc2307
idmap config GALERNA :range = 10000-999999
username map = /etc/samba/user.map

Is it okay, or do I need to research more?
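
An added example, not part of the thread or of Samba's code: the posted log shows authentication succeeding (PAM_AUTH_CRAP: NT_STATUS_OK) while the SID-to-UID lookup fails, which is how the ad backend behaves when a user has no uidNumber in AD. The Python sketch below detects that pattern in winbindd log text and computes the ID the rid backend derives instead, using the formula from idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID); the sample log is trimmed from the one posted, and the function names are made up for this illustration.

```python
import re

# Constructed sample: six lines trimmed from the winbindd log posted in the thread.
SAMPLE_LOG = """\
[2020/09/10 17:15:13.116127, 10, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd.c:806(process_request_done)
  process_request_done: [nss_winbind(450):PAM_AUTH_CRAP]: NT_STATUS_OK
[2020/09/10 17:15:13.121785, 10, pid=162, effective(0, 0), real(0, 0)] ../../source3/lib/idmap_cache.c:57(idmap_cache_find_sid2unixid)
  Parsing value for key [IDMAP/SID2XID/S-1-5-21-2104135160-127914087-578546287-1107]: value=[-1:N]
[2020/09/10 17:15:13.121922, 5, pid=162, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/winbindd_getpwnam.c:141(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2104135160-127914087-578546287-1107: NT_STATUS_NO_SUCH_USER
"""

AUTH_OK = re.compile(r"\[[^\]]*:PAM_AUTH(?:_CRAP)?\]: NT_STATUS_OK")
NO_XID = re.compile(r"Could not convert sid (S-[\d-]+): NT_STATUS_NO_SUCH_USER")
NEG_CACHE = re.compile(r"\[IDMAP/SID2XID/(S-[\d-]+)\]: value=\[-1:N\]")

def diagnose(log_text):
    """Return (auth_succeeded, unmapped_sids). Auth OK plus an unmapped SID
    points at ID mapping, not at the password or the domain join."""
    auth_ok = bool(AUTH_OK.search(log_text))
    sids = set(NO_XID.findall(log_text)) | set(NEG_CACHE.findall(log_text))
    return auth_ok, sorted(sids)

def rid_backend_id(sid, low, high, base_rid=0):
    """ID the rid backend computes from the SID alone, or None if out of range."""
    rid = int(sid.rsplit("-", 1)[1])
    xid = rid - base_rid + low
    return xid if low <= xid <= high else None

def ad_backend_id(ad_attrs, low, high):
    """ID the ad backend would use: the uidNumber stored in AD, if any and in range."""
    uid = ad_attrs.get("uidNumber")
    if uid is None:
        return None  # no attribute in AD means no mapping (NT_STATUS_NO_SUCH_USER)
    uid = int(uid)
    return uid if low <= uid <= high else None

if __name__ == "__main__":
    ok, sids = diagnose(SAMPLE_LOG)
    print("authentication succeeded:", ok)
    for sid in sids:
        # {} stands for an AD user object without RFC2307 attributes (assumption).
        print(sid, "ad ->", ad_backend_id({}, 10000, 999999),
              "rid ->", rid_backend_id(sid, 10000, 999999))
```

With the range 10000-999999 from the posted smb.conf, RID 1107 maps to UID 11107 under rid. schema_mode is an option of the ad backend, so the rid backend does not use it.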