L.P.H. van Belle
2014-May-28 10:07 UTC
[Samba] samba 4.1.7 member server errors trying to access share(s)
Hai,

I have some strange things and I can't figure out what's going on.
The problem is that my domain users and the extra Domain Admin ( Admin ) can't access my member server ( and shares ).

When I login with the DOMAIN\Administrator it all works fine, I can access all shares, no popups with authorisation requests.

But as DOMAIN\Admin ( has the same rights as domain Administrator ), is added to "Domain Admins" and the domain admins have all privileges.
When I login as my "DOMAIN\Admin" and I try to access any share on my member server I'm getting a popup with authorisation request.
When entering as "Administrator" it works, all other users/Admins not.

My 2 DC's \\rtd-dc1 and \\rtd-dc2 I can access without any problem, but \\rtd-mem1 I'm getting the popup.
Also tried \\rtd-mem1\software but the same, popup.

I can't figure out where something is wrong, I'm missing something..
If someone can help me trace this, that would be nice. Below is the info about the setup.

Client pc, domain joined, is Windows 7 64Bit, logged in as "DOMAIN\Admin"

And other strange thing.
I've also setup a zarafa mail server with webaccess and Single Sign On which is working fine.
( used this page for the SSO setup. https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4 )
I can access https://mailserver/webassess as Admin and no popup and auths fine.

I saw the following errors in the log.smbd and these are the only errors I found on my whole system.
( can be from testing, I don't know anymore.. )

[2014/05/28 10:44:59.886717,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:44:59.887122,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
[2014/05/28 10:45:00.177559,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:45:00.177813,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)
[2014/05/28 10:45:01.302718,  0] ../source3/librpc/crypto/gse.c:645(gse_unseal)
  gss_unwrap_iov failed with [ Miscellaneous failure (see text): unknown mech-code 0 for mech 1 2 840 113554 1 2 2]
[2014/05/28 10:45:01.302967,  0] ../source3/rpc_server/srv_pipe.c:1525(process_request_pdu)
  Failed to check packet auth. (NT_STATUS_ACCESS_DENIED)

It's setup with debian wheezy sernet samba 4.1.7. 2 x DC and 1 x member server. ( all sernet samba )

I'm testing/setting up the member server, smb.conf is as the wiki says with a few extra things.
See below: smb.conf of the member server.
Setup followed : http://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Joined with net ads join -U administrator

Checked the A and PTR records, checked the keytab file, all host entries are there.
wbinfo -u / -g works fine for all my users and admins in the domain.
getent passwd gives back my users (RFC2307).

libpam-krb5 is installed.
Time is in sync with less than 2 sec difference.

Shares setup followed : http://wiki.samba.org/index.php/Setup_and_configure_file_shares

------------------ SMB conf -----------------------

[global]
   workgroup = MYDOMAIN
   security = ADS
   realm = MYDOMAIN.DDOMAIN.TLD

   netbios name = rtd-mem1
   domain master = no
   local master = no
   host msdfs = no

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   client signing = if_required

   ## map ids outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain; the ranges may not overlap!
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 2000-40000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind refresh tickets = yes
   winbind offline logon = yes

   wins server = 192.168.1.1, 192.168.1.2

   template shell = /bin/sh
   template homedir = /home/users/%USERNAME%

   # user Administrator workaround, without it you are unable to set privileges
   username map = /etc/samba/samba_usermapping

   # For ACL support on member server
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   # Share Setting Globally
   usershare allow guests = no
   unix extensions = no
   wide links = no
   reset on zero vc = yes
   veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
   hide unreadable = yes

   # disable printing completely
   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

[home]
   path = /home/users
   read only = no

[software]
   path = /home/samba/software
   read only = no

------------------ KRB5 -----------------------
## krb5 setup. /etc/krb5.conf
[libdefaults]
        default_realm = MYDOMAIN.DOMAIN.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true

------------------ NSSWITCH -----------------------
/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files
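The comment in the smb.conf above says the idmap ranges may not overlap, and a missing or overlapping range is a common reason winbind cannot map a domain account on a member server even though the DCs accept it. As an added example, not code from the thread or from Samba itself, here is a small Python checker that pulls the `idmap config` lines out of an smb.conf, verifies that every idmap domain has a backend and a well-formed range, that no two ranges overlap, and reports which idmap domain a given UID or GID falls in. The first sample configuration is constructed from the values posted above; the second is a constructed counter-example whose MYDOMAIN range has been stretched into the default range.

```python
import re

# Constructed sample: the idmap part of the member server's smb.conf as posted.
SMB_CONF_OK = """
[global]
   workgroup = MYDOMAIN
   security = ADS
   ## map ids outside the domain to tdb files.
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   ## map ids from the domain; the ranges may not overlap!
   idmap config MYDOMAIN:backend = ad
   idmap config MYDOMAIN:schema_mode = rfc2307
   idmap config MYDOMAIN:range = 2000-40000
"""

# Constructed counter-example: MYDOMAIN's range now runs into the '*' range.
SMB_CONF_OVERLAP = SMB_CONF_OK.replace("2000-40000", "2000-60000")

# "idmap config <domain> : <option> = <value>" (smb.conf keys are case-insensitive)
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' is converted to an (lo, hi) tuple."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        cfg.setdefault(domain, {})[option] = value
    for domain, opts in cfg.items():
        if "range" in opts:
            # A malformed range (not "lo-hi") raises ValueError here on purpose.
            lo, hi = (int(x) for x in opts["range"].split("-", 1))
            opts["range"] = (lo, hi)
    return cfg


def check_idmap(cfg):
    """List the configuration problems that would break ID mapping."""
    problems = []
    if "*" not in cfg:
        problems.append("no default 'idmap config *' entry "
                        "(BUILTIN and unlisted domains would be unmappable)")
    ranged = []
    for domain, opts in sorted(cfg.items()):
        if "backend" not in opts:
            problems.append(f"{domain}: no backend configured")
        if "range" not in opts:
            problems.append(f"{domain}: no range configured")
            continue
        lo, hi = opts["range"]
        if lo > hi:
            problems.append(f"{domain}: range {lo}-{hi} is reversed")
            continue
        ranged.append((lo, hi, domain))
    # Sort by lower bound; neighbours that touch or cross overlap.
    ranged.sort()
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranged, ranged[1:]):
        if lo2 <= hi1:
            problems.append(
                f"ranges of {d1} ({lo1}-{hi1}) and {d2} ({lo2}-{hi2}) overlap")
    return problems


def idmap_domain_for(cfg, xid):
    """Which idmap domain owns a UID/GID, or None if it lies in no configured range."""
    for domain, opts in cfg.items():
        if "range" in opts and opts["range"][0] <= xid <= opts["range"][1]:
            return domain
    return None


if __name__ == "__main__":
    for label, text in (("posted config", SMB_CONF_OK),
                        ("overlapping config", SMB_CONF_OVERLAP)):
        cfg = parse_idmap(text)
        print(label, "->", check_idmap(cfg) or "no problems found")
    cfg = parse_idmap(SMB_CONF_OK)
    for xid in (2500, 45000, 60000):
        print(f"id {xid} is mapped by: {idmap_domain_for(cfg, xid)}")
```

Feed it the real file with `parse_idmap(open("/etc/samba/smb.conf").read())` on the member server. An ID that falls in no range (45000 in the sample) is exactly the kind of gap that shows up as `getent passwd` returning nothing for an otherwise valid account.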
steve
2014-May-28 10:28 UTC
[Samba] samba 4.1.7 member server errors trying to access share(s)
On Wed, 2014-05-28 at 12:07 +0200, L.P.H. van Belle wrote:
> Hai,
>
> I have some strange things and I can't figure out what's going on.
> The problem is that my domain users and the extra Domain Admin ( Admin ) can't access my member server ( and shares )
>
> When I login with the DOMAIN\Administrator it all works fine, I can access all shares, no popups with authorisation requests.
>
> But as DOMAIN\Admin ( has the same rights as domain Administrator ), is added to "Domain Admins" and the domain admins have all privileges.
> When I login as my "DOMAIN\Admin" and I try to access any share on my member server I'm getting a popup with authorisation request.
> When entering as "Administrator" it works, all other users/Admins not.

Hi Louis
Administrator works because you're mapping him to someone who has
privileges. Admin doesn't enjoy any mapping.

> My 2 DC's \\rtd-dc1 and \\rtd-dc2 I can access without any problem, but \\rtd-mem1 I'm getting the popup.
> Also tried \\rtd-mem1\software but the same, popup.
>
> [...]
>
> ------------------ NSSWITCH -----------------------
>
> /etc/nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files

We set the permissions on the file system and it works fine.
What does:
getfacl on the share folders give us and what does getfacl on a user
folder under /home/users give us?
Cheers,
Steve
L.P.H. van Belle
2014-May-28 11:32 UTC
[Samba] samba 4.1.7 member server errors trying to access share(s)
Hai Steve,

Thanks for the reply. Right on the spot.
I checked my rights, and something was messed up there.. I did set some rights again but still same error.
( but read on, not entirely the same )

getfacl afdelingen/
# file: afdelingen/
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::---

Totally correct.. root is mapped to "DOMAIN\Administrator" ( only the member server )
( the DC is DC and only DC with sysvol and netlogon share )

> Administrator works because you're mapping him to someone who has
> privileges. Admin doesn't enjoy any mapping.

But I did set the "Domain Admins" privileges, shouldn't that work also then?
And I didn't set any other privileges on the servers, only for "Domain Admins".

Ok, now the "strange" thing.
I did set the rights again, ( as example from the wiki )
Now the following happens.
1) DOMAIN\Administrator works fine everywhere.
2) DOMAIN\someuser works fine now on my member server, can access the shares, but SSO for webmail fails, popups domain auth..
3) Domain\Admin works fine for the webmail SSO, but not for the shares on the member server, popups domain auth. On the DC it works.

Arg... :-//

Someuser is member of "Domain Users"
Admin is member of "Domain Users" AND "Domain Admins" ( setup the same as the original Domain\Administrator )

1 step forward and 1 back :-/

The member server is not in production so if your advice is to format, consider it done.. The mail server is no option for reinstall..
* the mail server, I'll look into on a later moment, this is for the member server. I need that one for my auto software installations through GPO setup.

Any other suggestions?

Greetz,

Louis

> -----Original message-----
> From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org] On behalf of steve
> Sent: Wednesday 28 May 2014 12:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4.1.7 member server errors trying to access share(s)
>
> On Wed, 2014-05-28 at 12:07 +0200, L.P.H. van Belle wrote:
> > [...]
> > When entering as "Administrator" it works, all other users/Admins not.
>
> Hi Louis
> Administrator works because you're mapping him to someone who has
> privileges. Admin doesn't enjoy any mapping.
>
> > [...]
>
> We set the permissions on the file system and it works fine.
> What does:
> getfacl on the share folders give us and what does getfacl on a user
> folder under /home/users give us?
> Cheers,
> Steve
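Steve asked for the getfacl output and Louis posted it above. As an added example, not code from the thread or from Samba, here is a small Python evaluator that parses a getfacl listing (decoding the `\040` octal escape getfacl uses for the space in "domain users") and applies the POSIX ACL access-check algorithm from acl(5) to a given account and group list. It shows which of the three accounts from the thread the directory ACL itself admits, and that a named-group entry is always limited by the `mask` entry. The sample ACL is the one posted above; the account names (root standing in for the username-mapped DOMAIN\Administrator, someuser, admin) are the thread's, and the group memberships are assumptions taken from Louis's description.

```python
import re

# Constructed sample input: the getfacl output posted for the share directory.
# getfacl octal-escapes spaces in names, hence "domain\040users".
SAMPLE_GETFACL = r"""# file: afdelingen/
# owner: root
# group: root
# flags: -s-
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::r-x
default:group:root:r-x
default:mask::rwx
default:other::---
"""


def _unescape(name):
    """Undo getfacl's \\NNN octal escaping of spaces and odd bytes in names."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Parse one getfacl(1) listing into its access-ACL components.

    'default:' entries are kept aside: they are inherited by new files and
    subdirectories and play no part in access checks on this directory.
    """
    acl = {"owner": None, "owning_group": None, "user_obj": set(), "user": {},
           "group_obj": set(), "group": {}, "mask": None, "other": set(),
           "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(.*)", line)
            if m:
                key = "owner" if m.group(1) == "owner" else "owning_group"
                acl[key] = _unescape(m.group(2).strip())
            continue
        if line.startswith("default:"):
            acl["default"].append(line[len("default:"):])
            continue
        tag, qualifier, perms = line.split(":", 2)
        qualifier, perms = _unescape(qualifier), set(perms) - {"-"}
        if tag == "user" and qualifier:
            acl["user"][qualifier] = perms
        elif tag == "user":
            acl["user_obj"] = perms
        elif tag == "group" and qualifier:
            acl["group"][qualifier] = perms
        elif tag == "group":
            acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
        else:
            raise ValueError("unexpected ACL entry: " + line)
    return acl


def access_allowed(acl, user, groups, requested):
    """POSIX.1e access check (acl(5)) for one request such as 'rwx' or 'r-x'."""
    want = set(requested) - {"-"}
    mask = acl["mask"] if acl["mask"] is not None else set("rwx")
    if user == acl["owner"]:                 # the owner entry is never masked
        return want <= acl["user_obj"]
    if user in acl["user"]:                  # named user entries are masked
        return want <= (acl["user"][user] & mask)
    candidates = []
    if acl["owning_group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [p for g, p in acl["group"].items() if g in groups]
    if candidates:
        # Any one matching group entry must grant the whole request; once a
        # group matched there is no fall-through to 'other'.
        return any(want <= (p & mask) for p in candidates)
    return want <= acl["other"]


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    # Assumed memberships from the thread; root stands in for the mapped Administrator.
    accounts = {"root (Administrator)": ("root", {"root"}),
                "someuser": ("someuser", {"domain users"}),
                "admin": ("admin", {"domain users", "domain admins"})}
    for label, (user, groups) in accounts.items():
        print(f"{label:22} rwx={access_allowed(acl, user, groups, 'rwx')}"
              f"  r-x={access_allowed(acl, user, groups, 'r-x')}")
```

Run against a live share with `parse_getfacl(subprocess.check_output(["getfacl", path], text=True))`. Note that this only answers what the file system ACL allows; Samba's share-level settings, the username map and the Windows-side privileges sit in front of it, so an account the ACL admits can still be refused earlier.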