Himanshi Yadav
2023-Jul-28 18:18 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
Hi Rowland,
Thanks for the prompt response. I changed the SSSD authentication from NSS db to
sssd to check the issue yesterday. reverted again from sssd to nss. But still
have the same issue. It was working perfectly before rebooted the machine with
nss. I can't identify the issue with NSS db too.
Pasted output here after reverted to NSS db.
[root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is
deprecated
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
clustering = Yes
idmap cache time = 1
idmap negative cache time = 1
kerberos method = system keytab
log file = /var/log/samba/log.%m
max log size = 50
netbios name = DMCIFS
realm = AD.UCHICAGO.EDU
security = ADS
server min protocol = SMB3_02
server string = Samba Server Version %v
winbind cache time = 1
workgroup = AD
fruit:delete_empty_adfiles = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:veto_appledouble = no
fruit:posix_rename = yes
fruit:model = MacSamba
fruit:metadata = stream
fileid:algorithm = fsname
idmap config ad : range = 1401-2147483647
idmap config ad : backend = nss
idmap config * : range = 2147483648-3000000000
idmap config * : backend = tdb2
hosts allow = 127. 128.135.0.0/255.255.0.0 205.208.0.0/255.255.128.0
10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
invalid users = root bin daemon adm lp sync shutdown halt mail operator
games ftp nobody dbus systemd-coredump systemd-resolve tss polkitd geoclue rtkit
pulse pipewire libstoragemgmt qemu usbmuxd unbound rpc gluster chrony
setroubleshoot saslauth dnsmasq radvd clevis cockpit-ws cockpit-wsinstance sssd
flatpak colord gdm rpcuser gnome-initial-setup sshd pesign avahi rngd tcpdump
munge
kernel oplocks = Yes
[root at midway3-dm1 samba]# systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset:
enabled)
Active: inactive (dead) since Fri 2023-07-28 13:02:11 CDT; 2min 22s ago
Process: 1092096 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER} (code=exited,
status=0/SUCCESS)
Main PID: 1092096 (code=exited, status=0/SUCCESS)
Jul 28 09:37:35 midway3-dm1.rcc.local sssd_be[1092099]: Starting up
Jul 28 09:37:35 midway3-dm1.rcc.local sssd_nss[1092100]: Starting up
Jul 28 09:37:35 midway3-dm1.rcc.local sssd_pam[1092101]: Starting up
Jul 28 09:37:35 midway3-dm1.rcc.local systemd[1]: Started System Security
Services Daemon.
Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopping System Security
Services Daemon...
Jul 28 13:02:11 midway3-dm1.rcc.local sssd_pam[1092101]: Shutting down (status =
0)
Jul 28 13:02:11 midway3-dm1.rcc.local sssd_be[1092099]: Shutting down (status =
0)
Jul 28 13:02:11 midway3-dm1.rcc.local sssd_nss[1092100]: Shutting down (status =
0)
Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: sssd.service: Succeeded.
Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopped System Security
Services Daemon.
[root at midway3-dm1 samba]# id dgmartin
uid=2088466063(dgmartin) gid=2088466063(dgmartin)
groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)
[root at midway3-dm1 samba]# grep -v "#" /etc/nsswitch.conf
passwd: db files systemd
group: db files systemd
netgroup: db files
automount: files
services: files
shadow: db files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files
still have the same error :--
[root at midway3-dm1 samba]# tail -f log.128.135.186.8
[2023/07/28 13:09:51.101676, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:53.110963, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:53.117397, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:55.127351, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:55.135854, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:57.179610, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
[2023/07/28 13:09:57.186094, 0]
../../source3/auth/auth_util.c:1936(check_account)
check_account: Failed to find local account with UID 2147483648 for SID
S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Date: Friday, July 28, 2023 at 12:05 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] check_account: Failed to find local account with UID"
issue / The university of Chicago
On 28/07/2023 17:35, Himanshi Yadav via samba wrote:
> Hi Experts,
>
> We encountered a weird issue after restarting the server. Seems everything
> working fine on the configuration side but the user's not able to authenticate
> with the Samba server. Can you please help to investigate the issue?
>
> Our setup details and configuration file + error logs + service status.
>
> Samba:- 4.18.3-0
> CentOS Linux release 8.4.2105
> Authentication mechanism is SSSD
>
> [root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> clustering = Yes
> idmap cache time = 1
> idmap negative cache time = 1
> kerberos method = system keytab
> log file = /var/log/samba/log.%m
> max log size = 50
> netbios name = DMCIFS
> realm = AD.UCHICAGO.EDU
> security = ADS
> server min protocol = SMB3_02
> server string = Samba Server Version %v
> winbind cache time = 1
> workgroup = AD
> fruit:delete_empty_adfiles = yes
> fruit:wipe_intentionally_left_blank_rfork = yes
> fruit:veto_appledouble = no
> fruit:posix_rename = yes
> fruit:model = MacSamba
> fruit:metadata = stream
> fileid:algorithm = fsname
> idmap config ad : range = 1401-2147483647
> idmap config ad : backend = sss
> idmap config * : range = 2147483648-3000000000
> idmap config * : backend = tdb2
> hosts allow = 127. 128.135.0.0/255.255.0.0
> 205.208.0.0/255.255.128.0 10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
> invalid users = root bin daemon adm lp sync shutdown halt mail
> operator games ftp nobody dbus systemd-coredump systemd-resolve tss polkitd
> geoclue rtkit pulse pipewire libstoragemgmt qemu usbmuxd unbound rpc gluster
> chrony setroubleshoot saslauth dnsmasq radvd clevis cockpit-ws
> cockpit-wsinstance sssd flatpak colord gdm rpcuser gnome-initial-setup sshd
> pesign avahi rngd tcpdump munge
> kernel oplocks = Yes
> vfs objects = gpfs fileid catia fruit streams_xattr
>
>
> [root at midway3-dm1 samba]# wbinfo -D ADLOCAL
> Name : ADLOCAL
> Alt_Name : ad.local
> SID : S-1-5-21-1644491937-1604221776-725345543
> Active Directory : Yes
> Native : Yes
> Primary : No
>
>
> Error file /////
> [2023/07/28 10:57:18.459537, 0] ../../source3/auth/auth_util.c:1936(check_account)
> check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
Hmm, your workgroup is 'AD' (see above), but it is a user from a
workgroup called 'ADLOCAL' that is trying to connect, unless it is
sanitising error ?
However, that may be correct, because the ID '2147483648' is part of the
default '*' domain.
> [2023/07/28 10:57:20.478287, 0] ../../source3/auth/auth_util.c:1936(check_account)
> check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 10:57:20.484230, 0] ../../source3/auth/auth_util.c:1936(check_account)
> check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
>
> [root at midway3-dm1 samba]# wbinfo -s S-1-5-21-1644491937-1604221776-725345543-304562
> ADLOCAL\dgmartin 1
>
>
> [root at midway3-dm1 samba]# id dgmartin
> uid=2088466063(dgmartin) gid=2088466063(dgmartin)
> groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)
>
> [root at midway3-dm1 samba]# smbstatus
>
> Samba version 4.18.3
> PID Username Group Machine Protocol Version Encryption Signing
> ----------------------------------------------------------------------------------------------------------------------------------------
>
> Service pid Machine Connected at Encryption Signing
> ---------------------------------------------------------------------------------------------
>
> No locked files
>
> [root at midway3-dm1 samba]# systemctl status smb.service
> ● smb.service - Samba SMB Daemon
> Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
> Active: active (running) since Fri 2023-07-28 09:33:17 CDT; 1h 25min ago
> Docs: man:smbd(8)
> man:samba(7)
> man:smb.conf(5)
> Main PID: 1084106 (smbd)
> Status: "smbd: ready to serve connections..."
> Tasks: 4 (limit: 1233751)
> Memory: 7.3M
> CGroup: /system.slice/smb.service
> ├─1084106 /usr/sbin/smbd --foreground --no-process-group
> ├─1084110 /usr/sbin/smbd --foreground --no-process-group
> ├─1084111 /usr/sbin/smbd --foreground --no-process-group
> └─1246399 /usr/sbin/smbd --foreground --no-process-group
>
> Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:39.579270, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:39 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.590064, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:41.595463, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:41 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.605547, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: [2023/07/28 10:58:43.611198, 0] ../../source3/auth/auth_util.c:1936(check_account)
> Jul 28 10:58:43 midway3-dm1.rcc.local smbd[1246399]: check_account: Failed to find local account with UID 2147483648 for SID
> S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
>
How can I put this politely ?
Samba does not produce sssd or idmap-sss
This means that Samba cannot really provide support for sssd, you need
to ask the sssd-users mailing list.
There is however a problem with the way that you are running Samba with
sssd, not even red-hat supports such a setup. Note that there are those
that say 'you just need to run winbind as well', which to me totally
misses the point, you only need one and if you are running Samba as a
Unix domain member, you need to run winbind, so there is no real point
to running sssd as well.
If you just require authentication from AD, then sssd is great, but the
moment Samba enters the scene, please do not use sssd.
I am sorry if this not what you wanted to hear, but it appears to be how
it is.
Also, before anyone claims that I hate sssd, I do not, I just do not see
the point in running it with Samba, Samba has enough of its own idmap
backends.
Rowland
Rowland Penny
2023-Jul-28 18:53 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
On 28/07/2023 19:18, Himanshi Yadav wrote:
> Hi Rowland,
>
> Thanks for the prompt response. I changed the SSSD authentication from
> NSS db to sssd to check the issue yesterday. reverted again from sssd to
> nss. But still have the same issue. It was working perfectly before
> rebooted the machine with nss. I can't identify the issue with NSS db too.

I have never understood why anyone would use the nss idmap backend with AD, it requires local unix users and idmap backends like 'ad', 'rid' and 'autorid' backends make AD users into Unix users without being in /etc/passwd, but that is your decision.

> Pasted output here after reverted to NSS db.
>
> [root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is
> deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> # Global parameters
> [global]
>         clustering = Yes
>         idmap cache time = 1
>         idmap negative cache time = 1
>         kerberos method = system keytab
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         netbios name = DMCIFS
>         realm = AD.UCHICAGO.EDU
>         security = ADS
>         server min protocol = SMB3_02
>         server string = Samba Server Version %v
>         winbind cache time = 1
>         workgroup = AD
>         fruit:delete_empty_adfiles = yes
>         fruit:wipe_intentionally_left_blank_rfork = yes
>         fruit:veto_appledouble = no
>         fruit:posix_rename = yes
>         fruit:model = MacSamba
>         fruit:metadata = stream
>         fileid:algorithm = fsname
>         idmap config ad : range = 1401-2147483647
>         idmap config ad : backend = nss
>         idmap config * : range = 2147483648-3000000000
>         idmap config * : backend = tdb2
>         hosts allow = 127. 128.135.0.0/255.255.0.0
> 205.208.0.0/255.255.128.0 10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
>         invalid users = root bin daemon adm lp sync shutdown halt mail
> operator games ftp nobody dbus systemd-coredump systemd-resolve tss
> polkitd geoclue rtkit pulse pipewire libstoragemgmt qemu usbmuxd unbound
> rpc gluster chrony setroubleshoot saslauth dnsmasq radvd clevis
> cockpit-ws cockpit-wsinstance sssd flatpak colord gdm rpcuser
> gnome-initial-setup sshd pesign avahi rngd tcpdump munge
>         kernel oplocks = Yes
>
> [root at midway3-dm1 samba]# systemctl status sssd
> ● sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled;
> vendor preset: enabled)
>    Active: inactive (dead) since Fri 2023-07-28 13:02:11 CDT; 2min 22s ago
>   Process: 1092096 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
> (code=exited, status=0/SUCCESS)
> Main PID: 1092096 (code=exited, status=0/SUCCESS)
>
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_be[1092099]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_nss[1092100]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_pam[1092101]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local systemd[1]: Started System
> Security Services Daemon.
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopping System
> Security Services Daemon...
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_pam[1092101]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_be[1092099]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_nss[1092100]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: sssd.service: Succeeded.
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopped System
> Security Services Daemon.
>
> [root at midway3-dm1 samba]# id dgmartin
> uid=2088466063(dgmartin) gid=2088466063(dgmartin)
> groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)
>
> [root at midway3-dm1 samba]# grep -v "#" /etc/nsswitch.conf
> passwd:     db files  systemd
> group:      db files  systemd

Is winbind installed and running, it should be and you need 'winbind' in the 'passwd' and 'group' lines

> netgroup:   db  files
> automount:   files
> services:    files
> shadow:     db files sss

I suggest you remove 'sss' from the 'shadow' line

> hosts:      files dns myhostname
> aliases:    files
> ethers:     files
> gshadow:    files
> networks:   files dns
> protocols:  files
> publickey:  files
> rpc:        files
>
> still have the same error :--
>
> [root at midway3-dm1 samba]# tail -f log.128.135.186.8
> [2023/07/28 13:09:51.101676,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])

As I said earlier, '2147483648' is in the default '*' range, your DOMAIN appears to be 'AD' but the user with the RID '304562' appears to be from the 'ADLOCAL' domain/workgroup. If this user is in the REALM 'AD.UCHICAGO.EDU', it should have a uidNumber attribute containing a number in the '1401-2147483647' range.

> [2023/07/28 13:09:53.110963,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 13:09:53.117397,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 13:09:55.127351,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 13:09:55.135854,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 13:09:57.179610,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
> [2023/07/28 13:09:57.186094,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])

Rowland
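
The range check discussed in the reply above, as an added example that is not part of the original thread or of Samba: it reads the `idmap config` ranges, extracts each `check_account` failure from an smbd log, and reports which idmap section's range contains the logged UID versus the UID that `id` returned. The config and log samples are constructed from values quoted in the messages, and the function names are hypothetical.

```python
import re

# Constructed sample input: the idmap lines and one wrapped log entry as quoted in the thread.
SMB_CONF = """\
workgroup = AD
idmap config ad : range = 1401-2147483647
idmap config ad : backend = nss
idmap config * : range = 2147483648-3000000000
idmap config * : backend = tdb2
"""
LOG = """\
[2023/07/28 13:09:51.101676,  0] ../../source3/auth/auth_util.c:1936(check_account)
  check_account: Failed to find local account with UID 2147483648 for
  SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\\dgmartin])
"""

IDMAP_RE = re.compile(
    r"^[ \t]*idmap config[ \t]+(\S+)[ \t]*:[ \t]*(\w+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.I | re.M)
# \s+ between tokens so that entries wrapped by a mail client still match.
FAIL_RE = re.compile(
    r"check_account:\s+Failed\s+to\s+find\s+local\s+account\s+with\s+UID\s+(\d+)"
    r"\s+for\s+SID\s+(S-[\d-]+)\s+\(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")

def parse_idmap(conf):
    """Return {DOMAIN: {'range': (low, high), 'backend': name}} from smb.conf text."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom.upper(), {})
        if key.lower() == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry[key.lower()] = val
    return domains

def range_owner(uid, domains):
    """Name of the idmap section whose range contains uid, or None."""
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))
        if low <= uid <= high:
            return dom
    return None

def diagnose(conf, log, nss_uid=None):
    """One finding per distinct (UID, SID) seen in check_account failures."""
    domains = parse_idmap(conf)
    findings = {}
    for uid, sid, dom, user in FAIL_RE.findall(log):
        findings[(uid, sid)] = {
            "user": f"{dom}\\{user}",
            "rid": sid.rsplit("-", 1)[1],
            "mapped_by": range_owner(int(uid), domains),    # section containing the logged UID
            "has_idmap_section": dom.upper() in domains,    # is the log's domain configured?
            "nss_uid_section": range_owner(nss_uid, domains) if nss_uid is not None else None,
        }
    return list(findings.values())

if __name__ == "__main__":
    for finding in diagnose(SMB_CONF, LOG, nss_uid=2088466063):  # UID that `id dgmartin` printed
        print(finding)
```

For the thread's values it reports the logged UID inside the `*` range, no `idmap config` section named ADLOCAL, and the UID from `id dgmartin` inside the `ad` range.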