Jonathon A Anderson
2021-Mar-23  23:48 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
This was still unsuccessful, but hopefully this is enough information for us to
figure out what I'm doing wrong.
Forgive the redactions; I hope they don't get in the way; but if they do let
me know. In general, if I'm using the same string as a redaction, the values
are the same.
First, here's my record in AD. (There's more to it, of course, but I
think these are the relevant bits.)
-
[root at opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b
ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W
'(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
Enter LDAP Password: 
dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
cn: [myusername]
sAMAccountName: [myusername]
uidNumber: 416810
-
Then here's my identity as seen via NSS on my test server:
-
[root at opsdev1 ~]# id [myusername]
uid=999999([myusername]) gid=416810([myusername]pgrp) groups=[redacted group
list]
[root at opsdev1 ~]# getent passwd [myusername]
[myusername]:*:999999:416810:Jonathon Anderson,,,:/home/[myusername]:/bin/bash
[root at opsdev1 ~]# getent passwd 999999
[myusername]:*:999999:416810:Jonathon Anderson,,,:/home/[myusername]:/bin/bash
-
Finally, here's my new [global] section. I added an idmap config * section,
and disabled winbind use default domain.
-
[global]
dns proxy          = no
encrypt passwords  = yes
kerberos method    = system keytab
load printers      = no
map to guest       = Bad User
max log size       = 5000
passdb backend     = tdbsam
password server    = *
realm              = AD.[redacted]
restrict anonymous = 2
security           = ADS
server string      = %h samba
workgroup          = AD
dos charset  = CP850
unix charset = UTF-8
idmap config * : backend = tdb
idmap config * : range   = 20000001-20001000
idmap config AD : backend  = nss
idmap config AD : range = 1000-20000000
winbind enum groups        = yes
winbind enum users         = yes
winbind expand groups      = 1
winbind use default domain = no
log level = 3
-
I started tailing all the Samba logs, and then tried to log in once, as
AD\[myusername], via macOS Finder. Those logs are included below. I particularly
note that it says authentication succeeded, but it's still trying to use
416810 (the uidNumber from AD) to look me up in NSS, rather than [myusername] or
the uidNumber from NSS.
Thank you both so much for helping me out.
-
[root at opsdev1 ~]# tail -F /var/log/samba/log.* -n0
==> /var/log/samba/log.smbd <==
==> /var/log/samba/log.wb-AD <==
==> /var/log/samba/log.wb-BUILTIN <==
==> /var/log/samba/log.wb-OPSDEV1 <==
==> /var/log/samba/log.winbindd <==
==> /var/log/samba/log.winbindd-dc-connect <==
==> /var/log/samba/log.winbindd-idmap <==
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:20.396730,  2]
../../source3/lib/tallocmsg.c:87(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2021/03/23 15:53:20.397310,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 172.21.35.68 (172.21.35.68)
[2021/03/23 15:53:20.398941,  3] ../../source3/smbd/oplock.c:1413(init_oplocks)
  init_oplocks: initializing messages.
[2021/03/23 15:53:20.556493,  3]
../../source3/smbd/server_exit.c:250(exit_server_common)
  Server exit (failed to receive smb request)
[2021/03/23 15:53:20.583297,  2]
../../source3/lib/tallocmsg.c:87(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2021/03/23 15:53:20.583804,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 172.21.35.68 (172.21.35.68)
[2021/03/23 15:53:20.585007,  3] ../../source3/smbd/oplock.c:1413(init_oplocks)
  init_oplocks: initializing messages.
[2021/03/23 15:53:20.585233,  3] ../../source3/smbd/process.c:1958(process_smb)
  Transaction 0 of length 73 (0 toread)
[2021/03/23 15:53:20.585334,  3]
../../source3/smbd/process.c:1550(switch_message)
  switch message SMBnegprot (pid 25399) conn 0x0
[2021/03/23 15:53:20.586231,  3] ../../source3/smbd/negprot.c:637(reply_negprot)
  Requested protocol [NT LM 0.12]
[2021/03/23 15:53:20.586321,  3] ../../source3/smbd/negprot.c:637(reply_negprot)
  Requested protocol [SMB 2.002]
[2021/03/23 15:53:20.586357,  3] ../../source3/smbd/negprot.c:637(reply_negprot)
  Requested protocol [SMB 2.???]
[2021/03/23 15:53:20.587126,  3]
../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2021/03/23 15:53:20.591372,  3] ../../source3/smbd/negprot.c:776(reply_negprot)
  Selected protocol SMB 2.???
[2021/03/23 15:53:20.619939,  3]
../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_02
[2021/03/23 15:53:36.427821,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:36.533696,  3]
../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:36.533880,  3] ../../source3/param/loadparm.c:3933(lp_load_ex)
  lp_load_ex: refreshing parameters
[2021/03/23 15:53:36.534044,  3]
../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2021/03/23 15:53:36.534255,  3]
../../source3/param/loadparm.c:2845(lp_do_section)
  Processing section "[global]"
[2021/03/23 15:53:36.534323,  1]
../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
  WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:36.534808,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[dds_template]"
[2021/03/23 15:53:36.535384,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:36.535518,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:36.535547,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[pl_active_template]"
[2021/03/23 15:53:36.535617,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:36.535659,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:36.535677,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rcops_samba]"
[2021/03/23 15:53:36.535808,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[local_rcops]"
[2021/03/23 15:53:36.535852,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.535930,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rittger_esp_public]"
[2021/03/23 15:53:36.535959,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.536031,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[PLT1]"
[2021/03/23 15:53:36.536091,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service dds_template
[2021/03/23 15:53:36.536193,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:36.536224,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.536367,  3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
  adding IPC service
[2021/03/23 15:53:36.536471,  3]
../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:36.536530,  3]
../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.540433,  3]
../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [smbd (25399)]: request interface version (version
= 31)
[2021/03/23 15:53:36.541554,  3]
../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [smbd (25399)]: request location of privileged pipe
[2021/03/23 15:53:36.541654,  3]
../../source3/winbindd/winbindd_misc.c:483(winbindd_priv_pipe_dir)
  winbindd_priv_pipe_dir: [smbd (25399)]: response location of privileged pipe:
(null)
[2021/03/23 15:53:36.542424,  3]
../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
  [25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:36.542923,  3]
../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
  [25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:36.548869,  3]
../../source3/winbindd/winbindd_ads.c:1332(sequence_number)
  ads: fetch sequence_number for AD
[2021/03/23 15:53:36.549148,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.550058,  3] ../../source3/libads/ldap.c:654(ads_connect)
  Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.550190,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.551119,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.553288,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.554009,  3] ../../source3/libads/ldap.c:654(ads_connect)
  Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.554135,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.554917,  3]
../../source3/libsmb/namequery.c:3126(get_dc_list)
  get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.557417,  3] ../../source3/libads/ldap.c:654(ads_connect)
  Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.557584,  3]
../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 128.138.129.119 at port 389
[2021/03/23 15:53:36.571646,  3] ../../source3/libads/ldap.c:697(ads_connect)
  Connected to LDAP server DC14.ad.[redacted]
[2021/03/23 15:53:36.572951,  3]
../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2021/03/23 15:53:36.573003,  3]
../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2021/03/23 15:53:36.573023,  3]
../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2021/03/23 15:53:36.573041,  3]
../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2021/03/23 15:53:36.573058,  3]
../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2021/03/23 15:53:36.599130,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23
Mar 2021 15:53:36.599087 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation
[CRIPPS2] remote host [unix:] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
  {"timestamp": "2021-03-23T15:53:36.599307-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "e93854666071091a",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind",
"authDescription": "NTLM_AUTH, smbd, 25376",
"clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": null, "mappedDomain": null,
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "NTLMv2", "duration":
56471}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.612364,  3]
../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [[myusername]]
succeeded
[2021/03/23 15:53:36.612509,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021
15:53:36.612475 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2]
remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host
[ipv4:10.225.160.143:445]
  {"timestamp": "2021-03-23T15:53:36.612638-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "0",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "ipv4:10.225.160.143:445",
"remoteAddress": "ipv4:172.21.35.68:58480",
"serviceDescription": "SMB2", "authDescription":
null, "clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": "[myusername]", "mappedDomain":
"AD", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration": 185135}}
[2021/03/23 15:53:36.612714,  2]
../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [[myusername]] ->
[[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.612993,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.627656,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.627834,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:36.627944,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.627972,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:36.628057,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.628083,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.628673,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.629480,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.629561,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:36.629618,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:36.750201,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:36.856860,  3]
../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:36.856980,  3] ../../source3/param/loadparm.c:3933(lp_load_ex)
  lp_load_ex: refreshing parameters
[2021/03/23 15:53:36.857082,  3]
../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2021/03/23 15:53:36.857239,  3]
../../source3/param/loadparm.c:2845(lp_do_section)
  Processing section "[global]"
[2021/03/23 15:53:36.857285,  1]
../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
  WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:36.857715,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[dds_template]"
[2021/03/23 15:53:36.858315,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:36.858394,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:36.858418,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[pl_active_template]"
[2021/03/23 15:53:36.858491,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:36.858531,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:36.858550,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rcops_samba]"
[2021/03/23 15:53:36.858664,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[local_rcops]"
[2021/03/23 15:53:36.858700,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.858798,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rittger_esp_public]"
[2021/03/23 15:53:36.858843,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.858928,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[PLT1]"
[2021/03/23 15:53:36.858971,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service dds_template
[2021/03/23 15:53:36.859094,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:36.859128,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:36.859253,  3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
  adding IPC service
[2021/03/23 15:53:36.859298,  3]
../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:36.859321,  3]
../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.859535,  3]
../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
  [25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:36.862566,  3]
../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
  [25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:36.868628,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23
Mar 2021 15:53:36.868597 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation
[CRIPPS2] remote host [unix:] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
  {"timestamp": "2021-03-23T15:53:36.868729-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "e292e8463b652ba3",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind",
"authDescription": "NTLM_AUTH, smbd, 25376",
"clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": null, "mappedDomain": null,
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "NTLMv2", "duration": 6198}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.870404,  3]
../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [[myusername]]
succeeded
[2021/03/23 15:53:36.870539,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021
15:53:36.870516 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2]
remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host
[ipv4:10.225.160.143:445]
  {"timestamp": "2021-03-23T15:53:36.870611-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "0",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "ipv4:10.225.160.143:445",
"remoteAddress": "ipv4:172.21.35.68:58480",
"serviceDescription": "SMB2", "authDescription":
null, "clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": "[myusername]", "mappedDomain":
"AD", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration": 120648}}
[2021/03/23 15:53:36.870687,  2]
../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [[myusername]] ->
[[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.870986,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.871984,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.872097,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:36.872159,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.872192,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:36.872270,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.872296,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.872981,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.874006,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.874122,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:36.874174,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:36.960852,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:37.046383,  3]
../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
  Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:37.046819,  3] ../../source3/param/loadparm.c:3933(lp_load_ex)
  lp_load_ex: refreshing parameters
[2021/03/23 15:53:37.046925,  3]
../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2021/03/23 15:53:37.047078,  3]
../../source3/param/loadparm.c:2845(lp_do_section)
  Processing section "[global]"
[2021/03/23 15:53:37.047126,  1]
../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
  WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:37.047577,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[dds_template]"
[2021/03/23 15:53:37.048228,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:37.048313,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:37.048344,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[pl_active_template]"
[2021/03/23 15:53:37.048411,  0]
../../lib/param/loadparm.c:1033(lpcfg_service_ok)
  WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:37.048455,  1]
../../lib/param/loadparm.c:1039(lpcfg_service_ok)
  NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:37.048483,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rcops_samba]"
[2021/03/23 15:53:37.048583,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[local_rcops]"
[2021/03/23 15:53:37.048619,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:37.048700,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[rittger_esp_public]"
[2021/03/23 15:53:37.048731,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:37.048835,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[PLT1]"
[2021/03/23 15:53:37.048882,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service dds_template
[2021/03/23 15:53:37.048992,  2]
../../source3/param/loadparm.c:2862(lp_do_section)
  Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:37.049028,  3] ../../lib/param/loadparm.c:1227(handle_copy)
  Copying service from service pl_active_template
[2021/03/23 15:53:37.049168,  3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
  adding IPC service
[2021/03/23 15:53:37.049220,  3]
../../source3/auth/auth.c:201(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:37.049245,  3]
../../source3/auth/auth.c:204(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.050234,  3]
../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
  [25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:37.050438,  3]
../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
  [25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:37.056128,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23
Mar 2021 15:53:37.056099 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation
[CRIPPS2] remote host [unix:] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
  {"timestamp": "2021-03-23T15:53:37.056210-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "81a0c835895a3c5b",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind",
"authDescription": "NTLM_AUTH, smbd, 25376",
"clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": null, "mappedDomain": null,
"netlogonComputer": null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
null, "passwordType": "NTLMv2", "duration": 5797}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.057498,  3]
../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [[myusername]]
succeeded
[2021/03/23 15:53:37.057614,  3]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021
15:53:37.057593 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2]
remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]]
[S-1-5-21-1275210071-492894223-682003330-475493]. local host
[ipv4:10.225.160.143:445]
  {"timestamp": "2021-03-23T15:53:37.057673-0600",
"type": "Authentication", "Authentication":
{"version": {"major": 1, "minor": 2},
"eventId": 4624, "logonId": "0",
"logonType": 3, "status": "NT_STATUS_OK",
"localAddress": "ipv4:10.225.160.143:445",
"remoteAddress": "ipv4:172.21.35.68:58480",
"serviceDescription": "SMB2", "authDescription":
null, "clientDomain": "AD", "clientAccount":
"[myusername]", "workstation": "CRIPPS2",
"becameAccount": "[myusername]", "becameDomain":
"AD", "becameSid":
"S-1-5-21-1275210071-492894223-682003330-475493",
"mappedAccount": "[myusername]", "mappedDomain":
"AD", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid": null, "passwordType":
"NTLMv2", "duration": 97055}}
[2021/03/23 15:53:37.057740,  2]
../../source3/auth/auth.c:329(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [[myusername]] ->
[[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.058160,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.059082,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:37.059165,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:37.059217,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:37.059238,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:37.059309,  3]
../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:37.059332,  3]
../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.059918,  3]
../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.060744,  0]
../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 ->
getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:37.060851,  3]
../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
  Failed to add local groups
[2021/03/23 15:53:37.060894,  3]
../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:38.621345,  3]
../../source3/smbd/server_exit.c:250(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny
via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 3:07 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local
LDAP
On 23/03/2021 21:02, Jonathon A Anderson via samba wrote:
> This is encouraging! I'm going to try again with
>
> winbind use default domain = no
>
> and see if it works. If it doesn't I'll send some shell logs and
> Samba logs.
>
> ~jonathon
>
don't forget to add the 'idmap config *' lines as well.
Rowland
Rowland penny
2021-Mar-24  09:13 UTC
[Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 23:48, Jonathon A Anderson wrote:
> This was still unsuccessful, but hopefully this is enough information for us to figure out what I'm doing wrong.
>
> Forgive the redactions; I hope they don't get in the way; but if they do let me know. In general, if I'm using the same string as a redaction, the values are the same.
>
> First, here's my record in AD. (There's more to it, of course, but I think these are the relevant bits.)
>
> -
> [root at opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W '(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
> Enter LDAP Password:
> dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
> cn: [myusername]
> sAMAccountName: [myusername]
> uidNumber: 416810
> -

OK, I have been doing a bit of investigation about idmap_nss and I do not think it is going to work as is. If you read 'man idmap_nss', you will find this:

This example shows how to use idmap_nss to check the local accounts for its own domain while using allocation to create new mappings for trusted domains

I read this as being that it will only work if you run your samba server as a standalone server with a trust to your AD.

Most of the idmap backends were designed before AD and aren't really practicable with AD. The main backends that are used with AD are: 'ad', 'rid' and 'autorid'.

For what you are trying to do, I think you need to add/change the uidNumber & gidNumber attributes in AD to match the users & groups in /etc/passwd and /etc/group, then remove them from /etc/passwd and /etc/group, finally use the winbind 'ad' backend.

Rowland
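As an added diagnostic (not code from the thread or from the Samba project), the following Python script parses the `idmap config` lines of the smb.conf posted above, checks that the ranges are well formed and do not overlap, and compares the AD `uidNumber` with what NSS returns for the same account. That comparison is the mismatch behind the `getpwuid(416810) failed, is nsswitch configured?` lines and the one Rowland's reply says must be resolved before the `ad` backend can work; the smb.conf excerpt, the uidNumber and the passwd line are constructed from the values in the thread.

```python
import re

# Constructed sample input: the idmap lines from the [global] section in the thread.
SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range   = 20000001-20001000
   idmap config AD : backend  = nss
   idmap config AD : range = 1000-20000000
   winbind use default domain = no
"""

# Constructed sample input: the AD uidNumber and the 'getent passwd' line from the thread.
AD_UIDNUMBER = 416810
NSS_PASSWD = [
    "[myusername]:*:999999:416810:Jonathon Anderson,,,:/home/[myusername]:/bin/bash",
]

# smb.conf parameter names are case-insensitive and tolerate spaces around ':' and '='.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {domain: {"backend": str, "range": (low, high)}} for every
    'idmap config <domain> : ...' line found in an smb.conf text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(domain, {})
        if key == "range":
            low, high = (int(x.strip()) for x in value.split("-", 1))
            entry["range"] = (low, high)
        else:
            entry["backend"] = value.lower()
    return cfg


def check_ranges(cfg):
    """Structural checks: a '*' default domain must exist, every domain needs
    both a backend and a range, and Samba requires the ranges of different
    idmap domains not to overlap."""
    findings = []
    if "*" not in cfg:
        findings.append("no 'idmap config *' default domain configured")
    for dom, entry in cfg.items():
        if "backend" not in entry or "range" not in entry:
            findings.append(f"{dom}: backend or range missing")
        elif entry["range"][0] > entry["range"][1]:
            findings.append(f"{dom}: range low bound exceeds high bound")
    ranged = [d for d in cfg if "range" in cfg[d]]
    for i, a in enumerate(ranged):
        for b in ranged[i + 1:]:
            (alo, ahi), (blo, bhi) = cfg[a]["range"], cfg[b]["range"]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a} and {b} overlap")
    return findings


def parse_passwd(lines):
    """Index passwd-format lines (name:x:uid:gid:gecos:home:shell) by name and by uid."""
    by_name, by_uid = {}, {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 7:
            continue  # not a passwd entry
        uid = int(fields[2])
        by_name[fields[0]] = uid
        by_uid[uid] = fields[0]
    return by_name, by_uid


def diagnose_user(cfg, domain, name, ad_uidnumber, passwd_lines):
    """Compare the uidNumber stored in AD with what NSS returns for the same
    account and explain why a getpwuid(uidNumber) lookup would fail."""
    findings = []
    low, high = cfg[domain]["range"]
    if not low <= ad_uidnumber <= high:
        findings.append(
            f"AD uidNumber {ad_uidnumber} is outside the {domain} range {low}-{high}")
    by_name, by_uid = parse_passwd(passwd_lines)
    nss_uid = by_name.get(name)
    if nss_uid is None:
        findings.append(f"NSS has no passwd entry for {name}")
    elif nss_uid != ad_uidnumber:
        findings.append(
            f"AD uidNumber {ad_uidnumber} differs from NSS uid {nss_uid} for {name}")
    if ad_uidnumber not in by_uid:
        findings.append(
            f"getpwuid({ad_uidnumber}) would fail: no passwd entry carries that uid")
    return findings


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    for f in check_ranges(cfg) + diagnose_user(cfg, "AD", "[myusername]",
                                               AD_UIDNUMBER, NSS_PASSWD):
        print("FINDING:", f)
```

Run against a real host, replace the constructed constants with the output of `testparm -s`, `getent passwd <user>` and an `ldapsearch` for `uidNumber`; an empty finding list means AD and NSS agree on the uid winbind will hand to smbd.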