Elias Probst
2014-Jul-21 13:56 UTC
[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users
Hi list,

I'm trying to set up a simple fileserver (Samba 4.1.6 on Ubuntu 14.04) as a domain member, which delegates user authentication to AD (2k8R2) via Kerberos/NSS -> SSSD without using Winbind.

I have SSSD up and running and things like

    getent passwd some-domain-user
    getent group some-domain-group
    chown some-domain-user:some-domain-group /tmp/foobar

work just fine and show the expected results.

When trying to connect to a share (using MY-DOMAIN\kxmjd01 on a Win7 client), my log (full log attached) shows some hints:

> Found account name from PAC: kxmjd01 [Doe, John]

which looks good... but then

> Username MY-DOMAIN\kxmjd01 is invalid on this system
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> Server exit (NT_STATUS_CONNECTION_RESET)

The server was also joined to the domain and 'klist -ke' prints the following keytab:

    Keytab name: FILE:/etc/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (des-cbc-crc)
       4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (des-cbc-md5)
       4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       4 host/mn1221-s0002.am15.my-domain.tld@MY-DOMAIN.TLD (arcfour-hmac)
       4 host/MN1221-S0002@MY-DOMAIN.TLD (des-cbc-crc)
       4 host/MN1221-S0002@MY-DOMAIN.TLD (des-cbc-md5)
       4 host/MN1221-S0002@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       4 host/MN1221-S0002@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       4 host/MN1221-S0002@MY-DOMAIN.TLD (arcfour-hmac)
       4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-crc)
       4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-md5)
       4 MN1221-S0002$@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
       4 MN1221-S0002$@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
       4 MN1221-S0002$@MY-DOMAIN.TLD (arcfour-hmac)

My smb.conf (testparm output) is:

    [global]
        workgroup = MY-DOMAIN
        realm = MY-DOMAIN.TLD
        security = ADS
        kerberos method = system keytab
        client signing = if_required
        load printers = No
        printcap name = /dev/null
        idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis
        idmap config MY-DOMAIN.TLD : range = 900-9999999999
        idmap config MY-DOMAIN.TLD : readonly = yes
        idmap config MY-DOMAIN.TLD : backend = nss
        idmap config MY-DOMAIN.TLD : default = yes
        idmap config * : backend = tdb
        printing = bsd
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j

    [tdrive]
        comment = Team Drive
        path = /tmp/tdrive
        valid users = @dep0815-gdm_staff

Any ideas what could be wrong with my setup? Is there something missing regarding the mapping of Kerberos principals to NSS accounts?

Thanks!
Elias P.

-------
Full log:

[2014/07/21 13:17:30.631879, 3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2014/07/21 13:17:30.632052, 3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2014/07/21 13:17:30.632205, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2014/07/21 13:17:30.632266, 3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2014/07/21 13:17:30.632481, 2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[tdrive]"
[2014/07/21 13:17:30.632672, 3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2014/07/21 13:17:30.632864, 2] ../source3/lib/interface.c:341(add_interface)
  added interface eth0 ip=xxx.xxx.132.79 bcast=xxx.xxx.132.255 netmask=255.255.255.0
[2014/07/21 13:17:30.633027, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from xxx.xxx.132.171 (xxx.xxx.132.171)
[2014/07/21 13:17:30.633192, 3] ../source3/smbd/oplock.c:870(init_oplocks)
  init_oplocks: initializing messages.
[2014/07/21 13:17:30.633368, 3] ../source3/smbd/process.c:1795(process_smb)
  Transaction 0 of length 159 (0 toread)
[2014/07/21 13:17:30.633450, 3] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBnegprot (pid 13438) conn 0x0
[2014/07/21 13:17:30.634200, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2014/07/21 13:17:30.634270, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [LANMAN1.0]
[2014/07/21 13:17:30.634322, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2014/07/21 13:17:30.634371, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [LM1.2X002]
[2014/07/21 13:17:30.634418, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [LANMAN2.1]
[2014/07/21 13:17:30.634465, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [NT LM 0.12]
[2014/07/21 13:17:30.634512, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [SMB 2.002]
[2014/07/21 13:17:30.634559, 3] ../source3/smbd/negprot.c:563(reply_negprot)
  Requested protocol [SMB 2.???]
[2014/07/21 13:17:30.634766, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2014/07/21 13:17:30.636686, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2014/07/21 13:17:30.636762, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2014/07/21 13:17:30.636812, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2014/07/21 13:17:30.636863, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'schannel' registered
[2014/07/21 13:17:30.636912, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'spnego' registered
[2014/07/21 13:17:30.636960, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2014/07/21 13:17:30.637010, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'krb5' registered
[2014/07/21 13:17:30.637056, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2014/07/21 13:17:30.645510, 3] ../source3/smbd/negprot.c:671(reply_negprot)
  Selected protocol SMB 2.???
[2014/07/21 13:17:30.645912, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2014/07/21 13:17:30.650719, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: kxmjd01 [Doe, John]
[2014/07/21 13:17:30.650802, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [kxmjd01@MY-DOMAIN.TLD]
[2014/07/21 13:17:30.651176, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username MY-DOMAIN\kxmjd01 is invalid on this system
[2014/07/21 13:17:30.651233, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2014/07/21 13:17:30.651819, 3] ../source3/smbd/server_exit.c:212(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2014/07/21 13:17:30.654785, 3] ../source3/param/loadparm.c:4838(lp_load_ex)
  lp_load_ex: refreshing parameters
[2014/07/21 13:17:30.654958, 3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2014/07/21 13:17:30.655104, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2014/07/21 13:17:30.655164, 3] ../source3/param/loadparm.c:3564(do_section)
  Processing section "[global]"
[2014/07/21 13:17:30.655379, 2] ../source3/param/loadparm.c:3581(do_section)
  Processing section "[tdrive]"
[2014/07/21 13:17:30.655569, 3] ../source3/param/loadparm.c:1773(lp_add_ipc)
  adding IPC service
[2014/07/21 13:17:30.655758, 2] ../source3/lib/interface.c:341(add_interface)
  added interface eth0 ip=xxx.xxx.132.79 bcast=xxx.xxx.132.255 netmask=255.255.255.0
[2014/07/21 13:17:30.655916, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from xxx.xxx.132.171 (xxx.xxx.132.171)
[2014/07/21 13:17:30.656070, 3] ../source3/smbd/oplock.c:870(init_oplocks)
  init_oplocks: initializing messages.
[2014/07/21 13:17:30.897150, 3] ../source3/smbd/process.c:1795(process_smb) Transaction 0 of length 108 (0 toread) [2014/07/21 13:17:30.897324, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot) Selected protocol SMB2_10 [2014/07/21 13:17:30.899546, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_spnego' registered [2014/07/21 13:17:30.899622, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5' registered [2014/07/21 13:17:30.899672, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered [2014/07/21 13:17:30.899723, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'schannel' registered [2014/07/21 13:17:30.899773, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'spnego' registered [2014/07/21 13:17:30.899822, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'ntlmssp' registered [2014/07/21 13:17:30.899873, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'krb5' registered [2014/07/21 13:17:30.899919, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'fake_gssapi_krb5' registered [2014/07/21 13:17:30.910437, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac) Found account name from PAC: kxmjd01 [Doe, John] [2014/07/21 13:17:30.910498, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [kxmjd01 at MY-DOMAIN.TLD] [2014/07/21 13:17:30.910701, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username MY-DOMAIN\kxmjd01 is invalid on this system [2014/07/21 13:17:30.910732, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2014/07/21 13:17:30.911245, 3] ../source3/smbd/server_exit.c:212(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET) [2014/07/21 13:17:34.556875, 3] 
../source3/param/loadparm.c:4838(lp_load_ex) lp_load_ex: refreshing parameters [2014/07/21 13:17:34.557039, 3] ../source3/param/loadparm.c:750(init_globals) Initialising global parameters [2014/07/21 13:17:34.557182, 3] ../lib/util/params.c:550(pm_process) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2014/07/21 13:17:34.557242, 3] ../source3/param/loadparm.c:3564(do_section) Processing section "[global]" [2014/07/21 13:17:34.557458, 2] ../source3/param/loadparm.c:3581(do_section) Processing section "[tdrive]" [2014/07/21 13:17:34.557649, 3] ../source3/param/loadparm.c:1773(lp_add_ipc) adding IPC service [2014/07/21 13:17:34.557840, 2] ../source3/lib/interface.c:341(add_interface) added interface eth0 ip=xxx.xxx.132.79 bcast=xxx.xxx.132.255 netmask=255.255.255.0 [2014/07/21 13:17:34.558005, 3] ../source3/lib/access.c:338(allow_access) Allowed connection from xxx.xxx.132.171 (xxx.xxx.132.171) [2014/07/21 13:17:34.558170, 3] ../source3/smbd/oplock.c:870(init_oplocks) init_oplocks: initializing messages. 
[2014/07/21 13:17:34.558346, 3] ../source3/smbd/process.c:1795(process_smb) Transaction 0 of length 108 (0 toread) [2014/07/21 13:17:34.558532, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot) Selected protocol SMB2_10 [2014/07/21 13:17:34.560851, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_spnego' registered [2014/07/21 13:17:34.560940, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5' registered [2014/07/21 13:17:34.560991, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered [2014/07/21 13:17:34.561043, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'schannel' registered [2014/07/21 13:17:34.561092, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'spnego' registered [2014/07/21 13:17:34.561141, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'ntlmssp' registered [2014/07/21 13:17:34.561192, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'krb5' registered [2014/07/21 13:17:34.561238, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'fake_gssapi_krb5' registered [2014/07/21 13:17:34.567766, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac) Found account name from PAC: kxmjd01 [Doe, John] [2014/07/21 13:17:34.567850, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [kxmjd01 at MY-DOMAIN.TLD] [2014/07/21 13:17:34.568205, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username MY-DOMAIN\kxmjd01 is invalid on this system [2014/07/21 13:17:34.568261, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2014/07/21 13:17:34.574039, 3] ../source3/smbd/server_exit.c:212(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET) [2014/07/21 13:17:34.576271, 3] 
../source3/param/loadparm.c:4838(lp_load_ex) lp_load_ex: refreshing parameters [2014/07/21 13:17:34.576413, 3] ../source3/param/loadparm.c:750(init_globals) Initialising global parameters [2014/07/21 13:17:34.576552, 3] ../lib/util/params.c:550(pm_process) params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" [2014/07/21 13:17:34.576612, 3] ../source3/param/loadparm.c:3564(do_section) Processing section "[global]" [2014/07/21 13:17:34.576827, 2] ../source3/param/loadparm.c:3581(do_section) Processing section "[tdrive]" [2014/07/21 13:17:34.577017, 3] ../source3/param/loadparm.c:1773(lp_add_ipc) adding IPC service [2014/07/21 13:17:34.577206, 2] ../source3/lib/interface.c:341(add_interface) added interface eth0 ip=xxx.xxx.132.79 bcast=xxx.xxx.132.255 netmask=255.255.255.0 [2014/07/21 13:17:34.577365, 3] ../source3/lib/access.c:338(allow_access) Allowed connection from xxx.xxx.132.171 (xxx.xxx.132.171) [2014/07/21 13:17:34.577523, 3] ../source3/smbd/oplock.c:870(init_oplocks) init_oplocks: initializing messages. 
[2014/07/21 13:17:34.577696, 3] ../source3/smbd/process.c:1795(process_smb) Transaction 0 of length 108 (0 toread) [2014/07/21 13:17:34.577876, 3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot) Selected protocol SMB2_10 [2014/07/21 13:17:34.580137, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_spnego' registered [2014/07/21 13:17:34.580213, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5' registered [2014/07/21 13:17:34.580264, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered [2014/07/21 13:17:34.580315, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'schannel' registered [2014/07/21 13:17:34.580364, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'spnego' registered [2014/07/21 13:17:34.580413, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'ntlmssp' registered [2014/07/21 13:17:34.580464, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'krb5' registered [2014/07/21 13:17:34.580511, 3] ../auth/gensec/gensec_start.c:870(gensec_register) GENSEC backend 'fake_gssapi_krb5' registered [2014/07/21 13:17:34.585636, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac) Found account name from PAC: kxmjd01 [Doe, John] [2014/07/21 13:17:34.585693, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info) Kerberos ticket principal name is [kxmjd01 at MY-DOMAIN.TLD] [2014/07/21 13:17:34.585879, 1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info) Username MY-DOMAIN\kxmjd01 is invalid on this system [2014/07/21 13:17:34.585909, 1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac) Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE) [2014/07/21 13:17:34.586332, 3] ../source3/smbd/server_exit.c:212(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET) -------------- next part -------------- A 
non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 884 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20140721/fc097c94/attachment.pgp>
Rowland Penny
2014-Jul-21 14:35 UTC
[Samba] Domain member (2k8R2) server, problem mapping Kerberos/NSS users
On 21/07/14 14:56, Elias Probst wrote:
> Hi list,
>
> I'm trying to set up a simple fileserver (Samba 4.1.6 on Ubuntu 14.04)
> as domain member, which delegates user authentication to AD (2k8R2) via
> Kerberos/NSS ? SSSD without using Winbind.
>
> I have SSSD up and running and things like
> getent passwd some-domain-user
> getent group some-domain-group
> chown some-domain-user:some-domain-group /tmp/foobar
> work just fine and show the expected results.
>
> When trying to connect to a share (using MY-DOMAIN\kxmjd01 on a Win7
> client), my log (full log attached) shows some hints:
>> Found account name from PAC: kxmjd01 [Doe, John]
> which looks good? but then
>> Username MY-DOMAIN\kxmjd01 is invalid on this system
>> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>> Server exit (NT_STATUS_CONNECTION_RESET)
> The server was also joined to the domain and 'klist -ke' prints the
> following keytab:
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 host/mn1221-s0002.am15.my-domain.tld at MY-DOMAIN.TLD (des-cbc-crc)
>    4 host/mn1221-s0002.am15.my-domain.tld at MY-DOMAIN.TLD (des-cbc-md5)
>    4 host/mn1221-s0002.am15.my-domain.tld at MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 host/mn1221-s0002.am15.my-domain.tld at MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 host/mn1221-s0002.am15.my-domain.tld at MY-DOMAIN.TLD (arcfour-hmac)
>    4 host/MN1221-S0002 at MY-DOMAIN.TLD (des-cbc-crc)
>    4 host/MN1221-S0002 at MY-DOMAIN.TLD (des-cbc-md5)
>    4 host/MN1221-S0002 at MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 host/MN1221-S0002 at MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 host/MN1221-S0002 at MY-DOMAIN.TLD (arcfour-hmac)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-crc)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (des-cbc-md5)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (aes128-cts-hmac-sha1-96)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (aes256-cts-hmac-sha1-96)
>    4 MN1221-S0002$@MY-DOMAIN.TLD (arcfour-hmac)
>
>
> My smb.conf (testparm output) is:
> [global]
>     workgroup = MY-DOMAIN
>     realm = MY-DOMAIN.TLD
>     security = ADS
>     kerberos method = system keytab
>     client signing = if_required
>     load printers = No
>     printcap name = /dev/null
>     idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis
>     idmap config MY-DOMAIN.TLD : range = 900-9999999999
>     idmap config MY-DOMAIN.TLD : readonly = yes
>     idmap config MY-DOMAIN.TLD : backend = nss
>     idmap config MY-DOMAIN.TLD : default = yes
>     idmap config * : backend = tdb
>     printing = bsd
>     print command = lpr -r -P'%p' %s
>     lpq command = lpq -P'%p'
>     lprm command = lprm -P'%p' %j
>
> [tdrive]
>     comment = Team Drive
>     path = /tmp/tdrive
>     valid users = @dep0815-gdm_staff
>
> Any ideas what could be wrong with my setup?
> Is there something missing regarding the mapping of Kerberos principals
> to NSS accounts?
>
> Thanks!
> Elias P.
>
>
> -------
>

Hi,

These appear to be possible problems:

idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis  # this is only used by the ad backend
idmap config MY-DOMAIN.TLD : readonly = yes  # only used by the tdb, tdb2 and ldap backends
idmap config MY-DOMAIN.TLD : default = yes  # where did this come from??
idmap config * : backend = tdb  # no range given

Please have a look at 'man smb.conf' and 'man idmap_nss'

Rowland
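The four points in the reply above can be checked mechanically. The following Python is an added example, not part of the original thread or of Samba: it parses the `idmap config` lines of an smb.conf, groups them by domain, and flags each option against the backend that domain selects. The rule table encodes only what the reply states, and `OPTION_BACKENDS`, `parse_idmap` and `lint_idmap` are hypothetical names.

```python
import re
from collections import defaultdict

# Backends that use each option, as stated in the reply. An empty set means
# the reply named no backend for it ("where did this come from??").
OPTION_BACKENDS = {
    "schema_mode": {"ad"},
    "readonly": {"tdb", "tdb2", "ldap"},
    "default": set(),
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$")
# The idmap lines from the smb.conf posted in this thread.
POSTED_CONF = """\
[global]
    workgroup = MY-DOMAIN
    idmap config MY-DOMAIN.TLD : schema_mode = rfc2307bis
    idmap config MY-DOMAIN.TLD : range = 900-9999999999
    idmap config MY-DOMAIN.TLD : readonly = yes
    idmap config MY-DOMAIN.TLD : backend = nss
    idmap config MY-DOMAIN.TLD : default = yes
    idmap config * : backend = tdb
"""

def parse_idmap(conf_text):
    """Group 'idmap config DOMAIN : option = value' lines by domain."""
    domains = defaultdict(dict)
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains[domain][option.lower()] = value
    return dict(domains)

def lint_idmap(conf_text):
    """Return sorted (domain, option, problem) tuples."""
    findings = []
    for domain, opts in parse_idmap(conf_text).items():
        backend = opts.get("backend")
        if "range" not in opts:
            findings.append((domain, "range", "no range given"))
        for option in opts:
            used_by = OPTION_BACKENDS.get(option)
            if used_by is None:
                continue  # option the reply did not comment on
            if not used_by:
                findings.append((domain, option, "no backend named for it in the reply"))
            elif backend is not None and backend not in used_by:
                findings.append((domain, option, "only used by: " + ", ".join(sorted(used_by))))
    return sorted(findings)

if __name__ == "__main__":
    for domain, option, why in lint_idmap(POSTED_CONF):
        print(f"idmap config {domain} : {option} -> {why}")
```

Run against the posted configuration it reports the same four lines the reply annotates: the missing range on `*`, and `default`, `readonly` and `schema_mode` on a domain whose backend is `nss`.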