Hi,

I have a Samba 3 PDC/BDC with an LDAP backend and a Samba 3 file server configured as a domain member. Everything was working fine, but now when I create a new domain user and this user tries to connect to the file server, the add user script does not trigger anymore. I have been trying to solve this problem but it seems I can't manage it.

So here is my file server configuration (CentOS 5.10 ; samba3x-3.6.6-0.139.el5_10):

[global]
workgroup = MYDOMAIN
server string = MYSERVER
security = DOMAIN
map untrusted to domain = Yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins host lmhosts bcast
server signing = auto
deadtime = 15
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
load printers = No
printcap name = /dev/null
disable spoolss = Yes
show add printer wizard = No
add user script = /usr/sbin/useradd -g users -d /data/usr1/%u -m -s /bin/bash %u
delete user script = /usr/sbin/userdel %u
os level = 0
local master = No
domain master = No
dns proxy = No
idmap config * : backend = tdb
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
winbind enum users = yes
winbind enum groups = yes
# This parameter specifies the number of seconds that Winbind's idmap interface will cache positive SID/uid/gid query results.
# Default: idmap cache time = 604800 (one week)
# Here: 86400 (1 day)
idmap cache time = 86400
# This parameter specifies the number of seconds that Winbind's idmap interface will cache negative SID/uid/gid query results.
# Default: idmap negative cache time = 120
idmap negative cache time = 120
# This parameter specifies the number of seconds the winbindd(8) daemon will cache user and group information before querying a Windows NT server again.
# This does not apply to authentication requests, these are always evaluated in real time unless the winbind offline logon option has been enabled.
# Default: winbind cache time = 300
winbind cache time = 60

[homes]
comment = Repertoire personnel de %u
path = /data/usr1/%S
force group = users
read only = No
browseable = No

When I try to connect from a Windows or Linux workstation like this:

[rct at pc029-linux ~]$ smbclient //myserver/rct_test -U rct_test -W mydomain
Enter rct_test's password:
session setup failed: NT_STATUS_LOGON_FAILURE

I can see the following log on the file server:

[2014/07/25 17:50:49.528667, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[rct_test]@[PC029-LINUX] with the new password interface
[2014/07/25 17:50:49.528704, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN]\[rct_test]@[PC029-LINUX]
[2014/07/25 17:50:49.532990, 3] auth/auth_util.c:1125(check_account)
  Failed to find authenticated user MYDOMAIN\rct_test via getpwnam(), denying access.
[2014/07/25 17:50:49.533029, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [rct_test] -> [rct_test] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/07/25 17:50:49.533075, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2014/07/25 17:50:49.533478, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

If I manually execute the add user script, the user can then access all the shares he is allowed to.
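
One way to list every account that hits this failure, as an added example that is not part of the original post: it parses smbd log entries in the two-line format quoted above (header, then message) and counts the users rejected at the getpwnam() lookup. The sample log is constructed from the lines in the post, and the function names are illustrative.

```python
import re
from collections import Counter

# A Samba log entry is a header "[timestamp, level] file:line(function)"
# followed by one or more message lines.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<lvl>\d+)\] "
                    r"(?P<src>\S+?):\d+\((?P<func>\w+)\)$")
GETPWNAM_FAIL = re.compile(
    r"Failed to find authenticated user (?P<user>\S+) via getpwnam\(\)")

# Constructed sample, modeled on the log lines quoted in the post.
SAMPLE = r"""[2014/07/25 17:50:49.528704, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN]\[rct_test]@[PC029-LINUX]
[2014/07/25 17:50:49.532990, 3] auth/auth_util.c:1125(check_account)
  Failed to find authenticated user MYDOMAIN\rct_test via getpwnam(), denying access.
[2014/07/25 17:50:49.533029, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [rct_test] -> [rct_test] FAILED with error NT_STATUS_NO_SUCH_USER
"""

def parse_entries(text):
    """Yield (timestamp, function, message) for each log entry."""
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m["ts"], m["func"], [])
        elif current and stripped:
            current[2].append(stripped)  # continuation of the message
    if current:
        yield current[0], current[1], " ".join(current[2])

def unmapped_users(text):
    """Count users the log reports as authenticated but unknown to getpwnam()."""
    hits = Counter()
    for _ts, func, msg in parse_entries(text):
        m = GETPWNAM_FAIL.search(msg)
        if func == "check_account" and m:
            hits[m["user"]] += 1
    return hits

if __name__ == "__main__":
    for user, count in unmapped_users(SAMPLE).items():
        print(f"{user}: {count} session setup(s) denied, no local Unix account")
```

Each name reported can then be checked with `getent passwd` on the member server to confirm that neither the add user script nor winbind has provided a Unix account for it.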