Hello,

I'm running a compiled-from-source instance of Samba 3.4.5 on RHEL AS 4u2, and am having some flakiness with AD-Unix mappings. We're talking to a Windows 2008R2 server, with AD in "2003 mode" I believe.

What the issue appears to be is that smbd does not seem to want to talk with winbindd. One moment my account worked:

[2010/01/25 08:13:07, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[dmagda] domain=[ADS] workstation=[TOR123] len1=24 len2=24
[2010/01/25 08:13:07, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [ADS]\[dmagda]@[TOR123] with the new password interface
[2010/01/25 08:13:07, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [ADS]\[dmagda]@[TOR123]
[...]
[2010/01/25 08:13:07, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [ADS]\[dmagda]@[TOR123]
[2010/01/25 08:13:07, 3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dmagda] succeeded
[2010/01/25 08:13:07, 2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password: authentication for user [dmagda] -> [dmagda] -> [ADS+dmagda] succeeded
[2010/01/25 08:13:07, 3] smbd/password.c:269(register_existing_vuid)
  register_existing_vuid: User name: ADS+dmagda Real name:
[2010/01/25 08:13:07, 3] smbd/password.c:279(register_existing_vuid)
  register_existing_vuid: UNIX uid 16777216 is UNIX user ADS+dmagda, and will be vuid 100
[2010/01/25 08:13:07, 3] smbd/password.c:211(register_homes_share)
  Adding homes service for user 'ADS+dmagda' using home directory: '/var/empty/sshd'
[2010/01/25 08:13:07, 3] smbd/service.c:1047(make_connection_snum)
  tor123 (::ffff:10.aaa.bbb.ccc) connect to service IPC$ initially as user ADS+dmagda (uid=16777216, gid=16777218) (pid 22758)

I then uncommented a share in "smb.conf" and restarted smbd:

[2010/01/25 08:13:54, 3] param/loadparm.c:9040(lp_load_ex)
  lp_load_ex: refreshing parameters
Initialising global parameters
[2010/01/25 08:13:54, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samb/smb.conf"
[2010/01/25 08:13:54, 3] param/loadparm.c:7727(do_section)
  Processing section "[global]"
[...]

And suddenly I no longer get a mapping:

[2010/01/25 08:14:08, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/01/25 08:14:08, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2010/01/25 08:14:08, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[dmagda] domain=[ADS] workstation=[TOR123] len1=24 len2=24
[2010/01/25 08:14:08, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [ADS]\[dmagda]@[TOR123] with the new password interface
[2010/01/25 08:14:08, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [ADS]\[dmagda]@[TOR123]
[...]
[2010/01/25 08:14:08, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [dmagda] -> [dmagda] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/01/25 08:14:08, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Reverting the change (i.e., re-commenting out the share and restarting) didn't work: things still stayed broken.

If I try putting my account into /etc/passwd, then all of a sudden things work again. Also, if I add a "username map" entry to my smb.conf (and comment out all the uidmap/winbind stuff), and have the following line in /etc/samba/smbusers:

nobody = *

Things generally work again as well.

Is there any particular reason why smbd would stop talking with winbindd? I don't necessarily mind using a generic 'smbusers' file, as access is read-only, but are there any real differences between mapping to the Unix "nobody" account and getting a random UID from winbind?

My sanitized smb.conf file:

[global]
    server string = fileserv (File Server)
    netbios name = FILESERV
    workgroup = ADS
    security = domain
    password server = adchost1, adchost2, adshost3
    wins server = 111.222.333.444, 222.333.444.555
    domain master = no
    local master = no
    unix password sync = false
    lock directory = /var/spool/locks
    max log size = 0
    log level = 1
    socket options = SO_KEEPALIVE
    deadtime = 15
    kernel oplocks = yes
    aio read size = 1
    disable spoolss = yes
    show add printer wizard = no
    printing = bsd
    client schannel = no # doesn't help, with or without this line
    passdb backend = tdbsam
    idmap backend = tdb
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/false
    template homedir = /var/empty/sshd
    winbind separator = +
    winbind nested groups = yes
    winbind enum users = yes
    winbind use default domain = yes # also tried "no"
    winbind trusted domains only = no
    allow trusted domains = yes

# share below this line