Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients:

Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [kevin_elliott at CBJ.LOCAL]
[2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.

And the relevant section of smb.conf:

[global]
    workgroup = CBJ_NT
    realm = CBJ.LOCAL
    netbios aliases = CITY-LIZA-L90, CITY-LIZA
    server string = External FTP Server
    interfaces = 192.0.2.87/32, lo
    bind interfaces only = Yes
    security = ADS
    obey pam restrictions = Yes
    password server = 192.0.2.25, 192.0.2.50
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    client NTLMv2 auth = Yes
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 2500
    printcap name = cups
    os level = 5
    local master = No
    domain master = No
    wins server = 192.0.2.25
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    idmap config LIBRARY:range = 65535-79999
    idmap config LIBRARY:base_rid = 0
    idmap config LIBRARY:backend = rid
    idmap config * : range = 10000-65533
    idmap config * : base_rid = 0
    idmap config * : backend = rid
    admin users = @CBJ_NT+admin
    veto files = /.*/

[ftp]
    comment = FTP directory
    path = /var/ftp/pub/
    valid users = "@CBJ_NT+domain users"
    read only = No
    create mask = 0775
    directory mask = 0775
    hide unreadable = Yes

Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

On Thu, 29 Nov 2012 15:51:55 -0900, Kevin Elliott wrote:
> Hello all.
>
> We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade
> from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the
> ability to map Samba shares from our Windows XP SP3 and Windows 7
> clients:
>
>
> Here's an example from my workstation (logging verbosity set at 10):
>...
> auth/user_krb5.c:162(get_user_from_kerberos_info)
>   Username CBJ_NT+kevin_elliott is invalid on this system
...
>
>
> However, I can successfully return login information with winbind:
>
> # wbinfo -i kevin_elliott
> kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false
>
> 'getent passwd' will only return the local users from /etc/passwd.
>....
>
> Any ideas? Anyone else see this?

Maybe the "winbind" in /etc/nsswitch.conf got lost?
Is "getent -s winbind passwd $username" returning something?
Is winbindd running ("ps -C winbindd -f")?
Any log messages in /var/log/samba/log.winbindd?

- Thomas

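The first check in the reply above (whether "winbind" is still listed in /etc/nsswitch.conf) can be scripted; the following is an added example, not code from any poster in this thread. The function names nss_has_winbind and nss_missing_winbind are hypothetical, and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find NSS databases that no longer list the "winbind" source.
# wbinfo -i asks winbindd directly, so it can succeed while getent (and any
# lookup that goes through NSS) sees only local accounts.

# nss_has_winbind FILE DB -> exit status 0 if DB's line in FILE lists winbind
nss_has_winbind() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        {
            n = index($0, ":")
            if (n == 0) next
            name = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            # sources are whitespace separated; match the whole word only
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# nss_missing_winbind FILE -> prints the databases (passwd, group) that lack it
nss_missing_winbind() {
    missing=""
    for db in passwd group; do
        if ! nss_has_winbind "$1" "$db"; then
            missing="$missing $db"
        fi
    done
    echo $missing   # unquoted on purpose: trims the leading space
}

# Constructed sample files, not taken from the thread.
tmp=$(mktemp -d)
printf '%s\n' 'passwd:   compat' \
              'group:    compat winbind   # still intact' \
              'hosts:    files dns' > "$tmp/lost.conf"
printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' > "$tmp/ok.conf"

echo "lost.conf lacks winbind for: $(nss_missing_winbind "$tmp/lost.conf")"
echo "ok.conf lacks winbind for:   $(nss_missing_winbind "$tmp/ok.conf")"
rm -rf "$tmp"
# On a real host: nss_missing_winbind /etc/nsswitch.conf
```

An empty result means both databases list winbind, so the remaining checks in the reply (winbindd running, log.winbindd) are the next place to look.
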
Kevin,

3.6.x has had several issues with idmap rid. I was hit with this one: https://bugzilla.samba.org/show_bug.cgi?id=8676 . Searching for idmap rid issues with 3.6.x will reveal others as well.

Someone indicated that rejoining the domain would fix this issue. As it so happened, I had to rebuild one of the servers. After joining the rebuilt system to the domain, it has worked flawlessly ever since. So, it appears the problem with rid and some of the other idmap backends is somehow related to upgrading, as newly joined systems work as expected.

Dale

On 11/29/2012 6:51 PM, Kevin Elliott wrote:
> Hello all.
>
> We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients:
>
>
> Here's an example from my workstation (logging verbosity set at 10):
>
> [2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message)
>   switch message SMBsesssetupX (pid 2517) conn 0x0
> [2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
>   wct=12 flg2=0xc807
> [2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
>   Doing spnego session setup
> [2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
>   NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
>   reply_spnego_negotiate: Got secblob of size 1680
> [2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data)
>   Found account name from PAC: kevin_elliott [Kevin Elliott]
> [2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [kevin_elliott at CBJ.LOCAL]
> [2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
>   Username CBJ_NT+kevin_elliott is invalid on this system
> [2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
> [2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
>
>
>
> However, I can successfully return login information with winbind:
>
> # wbinfo -i kevin_elliott
> kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false
>
> 'getent passwd' will only return the local users from /etc/passwd.
>
>
> And the relevant section of smb.conf:
>
> [global]
>     workgroup = CBJ_NT
>     realm = CBJ.LOCAL
>     netbios aliases = CITY-LIZA-L90, CITY-LIZA
>     server string = External FTP Server
>     interfaces = 192.0.2.87/32, lo
>     bind interfaces only = Yes
>     security = ADS
>     obey pam restrictions = Yes
>     password server = 192.0.2.25, 192.0.2.50
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>     client NTLMv2 auth = Yes
>     log level = 3
>     log file = /var/log/samba/log.%m
>     max log size = 2500
>     printcap name = cups
>     os level = 5
>     local master = No
>     domain master = No
>     wins server = 192.0.2.25
>     ldap ssl = no
>     panic action = /usr/share/samba/panic-action %d
>     winbind separator = +
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = Yes
>     idmap config LIBRARY:range = 65535-79999
>     idmap config LIBRARY:base_rid = 0
>     idmap config LIBRARY:backend = rid
>     idmap config * : range = 10000-65533
>     idmap config * : base_rid = 0
>     idmap config * : backend = rid
>     admin users = @CBJ_NT+admin
>     veto files = /.*/
>
> [ftp]
>     comment = FTP directory
>     path = /var/ftp/pub/
>     valid users = "@CBJ_NT+domain users"
>     read only = No
>     create mask = 0775
>     directory mask = 0775
>     hide unreadable = Yes
>
>
> Any ideas? Anyone else see this?
>
> ---
> Kevin Elliott
>
> Network Specialist
> City and Borough of Juneau, MIS
> (907) 586 - 0905
>
>