samba - Nov 2021 - Share won't mount -- how to debug?

Sorry for spamming the list today.

I'm slowly testing out my new Samba AD network. At the moment I'm trying
to mount a share on a W10 client from a CMD prompt, and the mount is 
failing:

   net use G: \\data2\share

I tried a suggestion from Louis to use the FQDN:

   net use G: \\data2.ea.linuxcs.com\share

and it still failed, but with a different Windows error message.  When I 
tail -f /var/log/samba/smbd on the fileserver I see


---------------------------
[2021/11/03 10:20:25.088689,  0] 
../../source3/auth/token_util.c:565(add_local_groups)
   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 
-> getpwuid(11103) failed, is nsswitch configured?
[2021/11/03 10:20:35.371582,  0] 
../../source3/auth/token_util.c:565(add_local_groups)
   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 
-> getpwuid(11103) failed, is nsswitch configured?
[2021/11/03 10:20:35.383936,  0] 
../../source3/auth/token_util.c:565(add_local_groups)
   add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-1103 
-> getpwuid(11103) failed, is nsswitch configured?
---------------------------


11103 is the uid of the user I'm trying to connect this share for.  The 
suggestion is that nsswitch.conf isn't configured, but in fact it is:

root at data2:/etc# cat nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try:
# `info libc "Name Service Switch"' for information about this
file.

passwd:         files systemd winbind
group:          files systemd winbind
...



I know I'm using the correct password, because I used it to log in on 
the W10 client as this user.  Any thoughts on what I should look at next?


Other AD stuff works properly:
root at data2:/etc# getent passwd patrickgoetz
patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
root at data2:/etc# wbinfo -i mduffy
mduffy:*:11103:10513::/home/EA/mduffy:/bin/false



The share has appropriate ACLs set:

root at data2:/data# ls -ld share
drwxrwx--- 2 root staff 4096 Nov  2 19:15 share


The user is a member of the staff group.  I can't get `get-adgroup` or 
`get-adgroupmember` to work in PowerShell to demonstrate this; 
presumably this has to do with the Windows web interface thing.


And here is the resource section from smb.conf:

[share]
    comment = Share Directory
    path = /data/share
    guest ok = no
    browseable = yes
    writeable = yes
    create mask = 0770
    directory mask = 0770
    follow symlinks = yes

Hai, 

Did you install : libnss-winbind libpam-winbind ? 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Patrick Goetz via samba
> Verzonden: woensdag 3 november 2021 16:59
> Aan: Samba listserv
> Onderwerp: [Samba] Share won't mount -- how to debug?
> 
> Sorry for spamming the list today.
> 
> I'm slowly testing out my new Samba AD network. At the moment 
> I'm trying 
> to mount a share on a W10 client from a CMD prompt, and the mount is 
> failing:
> 
>    net use G: \\data2\share
> 
> I tried a suggestion from Louis to use the FQDN:
> 
>    net use G: \\data2.ea.linuxcs.com\share
> 
> and it still failed, but with a different Windows error 
> message.  When I 
> tail -f /var/log/samba/smbd on the fileserver I see
> 
> 
> ---------------------------
> [2021/11/03 10:20:25.088689,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID 
> S-1-5-21-2398640129-655337111-1434392923-1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> [2021/11/03 10:20:35.371582,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID 
> S-1-5-21-2398640129-655337111-1434392923-1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> [2021/11/03 10:20:35.383936,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID 
> S-1-5-21-2398640129-655337111-1434392923-1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> ---------------------------
> 
> 
> 11103 is the uid of the user I'm trying to connect this share 
> for.  The 
> suggestion is that nsswitch.conf isn't configured, but in fact it is:
> 
> root at data2:/etc# cat nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages 
> installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:         files systemd winbind
> group:          files systemd winbind
> ...
> 
> 
> 
> I know I'm using the correct password, because I used it to log in on 
> the W10 client as this user.  Any thoughts on what I should 
> look at next?
> 
> 
> Other AD stuff works properly:
> root at data2:/etc# getent passwd patrickgoetz
> patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
> root at data2:/etc# wbinfo -i mduffy
> mduffy:*:11103:10513::/home/EA/mduffy:/bin/false
> 
> 
> 
> The share has appropriate ACLs set:
> 
> root at data2:/data# ls -ld share
> drwxrwx--- 2 root staff 4096 Nov  2 19:15 share
> 
> 
> The user is a member of the staff group.  I can't get 
> `get-adgroup` or 
> `get-adgroupmember` to work in PowerShell to demonstrate this; 
> presumably this has to do with the Windows web interface thing.
> 
> 
> And here is the resource section from smb.conf:
> 
> [share]
>     comment = Share Directory
>     path = /data/share
>     guest ok = no
>     browseable = yes
>     writeable = yes
>     create mask = 0770
>     directory mask = 0770
>     follow symlinks = yes
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Wed, 2021-11-03 at 10:58 -0500, Patrick Goetz via samba
wrote:
> Sorry for spamming the list today.
> 
> I'm slowly testing out my new Samba AD network. At the moment I'm
> trying 
> to mount a share on a W10 client from a CMD prompt, and the mount is 
> failing:
> 
>    net use G: \\data2\share
> 
> I tried a suggestion from Louis to use the FQDN:
> 
>    net use G: \\data2.ea.linuxcs.com\share
> 
> and it still failed, but with a different Windows error
> message.  When I 
> tail -f /var/log/samba/smbd on the fileserver I see
> 
> 
> ---------------------------
> [2021/11/03 10:20:25.088689,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
> 1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> [2021/11/03 10:20:35.371582,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
> 1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> [2021/11/03 10:20:35.383936,  0] 
> ../../source3/auth/token_util.c:565(add_local_groups)
>    add_local_groups: SID S-1-5-21-2398640129-655337111-1434392923-
> 1103 
> -> getpwuid(11103) failed, is nsswitch configured?
> ---------------------------
> 
> 
> 11103 is the uid of the user I'm trying to connect this share
> for.  The 
> suggestion is that nsswitch.conf isn't configured, but in fact it is:
> 
> root at data2:/etc# cat nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages
> installed, try:
> # `info libc "Name Service Switch"' for information about
this file.
> 
> passwd:         files systemd winbind
> group:          files systemd winbind
> ...
> 
> 
> 
> I know I'm using the correct password, because I used it to log in
> on 
> the W10 client as this user.  Any thoughts on what I should look at
> next?
> 
> 
> Other AD stuff works properly:
> root at data2:/etc# getent passwd patrickgoetz
> patrickgoetz:*:11104:10513::/home/EA/patrickgoetz:/bin/false
> root at data2:/etc# wbinfo -i mduffy
> mduffy:*:11103:10513::/home/EA/mduffy:/bin/false
> 
> 
> 
> The share has appropriate ACLs set:
> 
> root at data2:/data# ls -ld share
> drwxrwx--- 2 root staff 4096 Nov  2 19:15 share
The only people that can connect to that share are, the Unix user
'root' and members of the Unix group 'staff'
Remember what I said about 'setfacl'
> 
> 
> The user is a member of the staff group.
Where did you make the user a member of 'staff' and how ?
>   I can't get `get-adgroup` or 
> `get-adgroupmember` to work in PowerShell to demonstrate this; 
> presumably this has to do with the Windows web interface thing.
More likely Windows not having a clue what the Unix group 'staff' is.
> 
> 
> And here is the resource section from smb.conf:
> 
> [share]
>     comment = Share Directory
>     path = /data/share
>     guest ok = no
>     browseable = yes
>     writeable = yes
>     create mask = 0770
>     directory mask = 0770
>     follow symlinks = yes
Please do not post parts of a smb.conf, without the 'global' part, it
hasn't any context (I know you may have posted it previously, but this
would mean searching for it and you may have changed it anyway) :-)

Rowland