Harald Hannelius
2015-Feb-10 12:37 UTC
[Samba] 3.6.6 map untrusted to domain does not work if winbind is running
Hi all,

I have a domain member server 3.6.6 running on debian7, authenticating against another debian7 + samba 3.6.6 in DC-mode. Both servers have user-accounts and groups on LDAP and resolve posix users using libnss-ldap. The groupmap is living on LDAP as well.

The domain member server serves a share with ACL enabled. I got the upgrade to 3.6.X and idmap-updates working, but the old behaviour where clients from other (or unknown) domains should be mapped to domain users is not.

I have been testing with "smbclient '\\server\intra'" which fails. If I test with "smbclient '\\server\intra' -WGROUP" it works.

If I stop winbindd (needed for groupmap) I am able to authenticate without entering a workgroup.

Workstations here are sitting in an AD-tree, and they are largely now unable to automagically authenticate to the share (they share the same usernames and passwords).

Please suggest anything

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[intra]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = GROUP
	server string = Intranet
	security = DOMAIN
	passdb backend = ldapsam:"ldaps://ldap1.domain.com ldaps://ldap2.domain.com "
	map untrusted to domain = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 100
	unix extensions = No
	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096 IPTOS_LOWDELAY
	load printers = No
	os level = 65
	local master = No
	wins server = 11.22.33.44
	ldap admin dn = "cn=sambaadmin,dc=domain,dc=com"
	ldap idmap suffix = ou=people
	ldap suffix = dc=domain,dc=com
	ldap ssl = no
	ldap user suffix = ou=people
	utmp = Yes
	winbind enum groups = Yes
	idmap config * : base_rid = 0
	idmap config GROUP : ldap_user_dn = cn=server,dc=domain,dc=com
	idmap config GROUP : ldap_base_dn = ou=people,dc=domain,dc=com
	idmap config GROUP : ldap_url = ldaps://ldap1.domain.com/
	idmap config GROUP : read only = yes
	idmap config GROUP : range = 2000000-4000000
	idmap config GROUP : backend = ldap
	idmap config * : range = 2000-4999
	idmap config * : backend = tdb

[intra]
	comment = Intranet
	path = /intra
	invalid users = root, someuser
	read only = No
	create mask = 0665
	directory mask = 02775


[2015/02/10 14:31:07.975917, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [GROUP]\[harald]@[BIATCH]
[2015/02/10 14:31:07.976003, 10] auth/auth.c:231(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2015/02/10 14:31:07.976088, 10] auth/auth.c:233(check_ntlm_password)
  challenge is:
[2015/02/10 14:31:07.976172, 5] ../lib/util/util.c:415(dump_data)
  [0000] 1E FA EF 6E 4C 2B DD CF ...nL+..
[2015/02/10 14:31:07.976292, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [harald]
[2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2015/02/10 14:31:07.976472, 10] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [harald]
[2015/02/10 14:31:07.976557, 8] lib/util.c:1521(is_myname)
  is_myname("GROUP") returns 0
[2015/02/10 14:31:07.976643, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2015/02/10 14:31:07.976821, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [harald]
[2015/02/10 14:31:07.976907, 4] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2015/02/10 14:31:07.977003, 4] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2015/02/10 14:31:07.977089, 4] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2015/02/10 14:31:07.977175, 5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2015/02/10 14:31:07.977258, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2015/02/10 14:31:07.993761, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/02/10 14:31:07.993944, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994032, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [harald] -> [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994141, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2015/02/10 14:31:07.994241, 5] lib/util.c:332(show_msg)
[2015/02/10 14:31:07.994289, 5] lib/util.c:342(show_msg)

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
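The level-10 log in the post shows the order in which smbd's auth modules are consulted (guest, then the local SAM, then winbind) and which one actually produced the verdict the client received. As an added example, not part of the post and not a Samba tool, the script below parses that excerpt into the decision chain: which modules declined ("had nothing to say"), why the SAM module stepped aside, which module decided, and the NT_STATUS that went back in the session setup response. It relies only on the message formats visible in the log above; the "succeeded" wording accepted by the verdict patterns is assumed from Samba 3.6's auth.c and does not appear on this page.

```python
"""Summarise the authentication decision chain in an smbd debug log.

Added example for the Samba list post above; not from the post or from Samba.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt modelled on the log lines in the post above
# (smbd writes a header line, then the message on the next line).
SAMPLE_LOG = """\
[2015/02/10 14:31:07.975917, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [GROUP]\\[harald]@[BIATCH]
[2015/02/10 14:31:07.976292, 10] auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [harald]
[2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2015/02/10 14:31:07.976643, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/02/10 14:31:07.993944, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994032, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [harald] -> [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994141, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# Header line: [YYYY/MM/DD HH:MM:SS.uuuuuu, level] file.c:line(function)
HEADER_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+,\s*\d+\]\s+\S+$")
# "mapped user is: [domain]\[account]@[workstation]"
MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
DECLINED_RE = re.compile(r"check_ntlm_password: (\w+) had nothing to say")
SAM_SKIP_RE = re.compile(r"(\w+) is not one of my local names \((\w+)\)")
WBC_RE = re.compile(r"wbcAuthenticateUserEx failed: (WBC_ERR_\w+)")
# Overall verdict; the "succeeded" alternative is assumed from Samba 3.6 auth.c.
FINAL_RE = re.compile(
    r"[Aa]uthentication for user \[[^\]]*\] -> \[[^\]]*\](?: -> \[[^\]]*\])?"
    r" (?:FAILED with error (NT_STATUS_\w+)|succeeded)")
# Per-module verdict, e.g. "winbind authentication for user [x] FAILED with error ..."
MODULE_RE = re.compile(r"(\w+) authentication for user \[[^\]]*\] (?:FAILED with error NT_STATUS_\w+|succeeded)")
SMB_ERR_RE = re.compile(r"error packet at \S+ cmd=\d+ \((\w+)\) (NT_STATUS_\w+)")


@dataclass
class AuthTrace:
    domain: Optional[str] = None
    account: Optional[str] = None
    workstation: Optional[str] = None
    declined: List[str] = field(default_factory=list)  # modules that "had nothing to say"
    sam_skip_reason: Optional[str] = None
    winbind_error: Optional[str] = None
    deciding_module: Optional[str] = None
    final_status: Optional[str] = None
    smb_command: Optional[str] = None
    smb_error: Optional[str] = None


def parse_auth_trace(log_text: str) -> AuthTrace:
    """Walk the log once and pick out the lines that make up the auth decision."""
    t = AuthTrace()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue  # timestamps and debug levels are not needed for the chain
        if m := MAPPED_RE.search(line):
            t.domain, t.account, t.workstation = m.groups()
        elif m := DECLINED_RE.search(line):
            t.declined.append(m.group(1))
        elif m := SAM_SKIP_RE.search(line):
            t.sam_skip_reason = f"{m.group(1)} is not a local name on this {m.group(2)}"
        elif m := WBC_RE.search(line):
            t.winbind_error = m.group(1)
        elif m := FINAL_RE.search(line):          # checked before MODULE_RE on purpose
            t.final_status = m.group(1) or "succeeded"
        elif m := MODULE_RE.search(line):
            t.deciding_module = m.group(1)
        elif m := SMB_ERR_RE.search(line):
            t.smb_command, t.smb_error = m.groups()
    return t


def summarise(t: AuthTrace) -> List[str]:
    """Human-readable chain, one step per line."""
    out = [f"request: {t.domain}\\{t.account} from workstation {t.workstation}"]
    for mod in t.declined:
        why = f" ({t.sam_skip_reason})" if mod == "sam" and t.sam_skip_reason else ""
        out.append(f"{mod}: declined{why}")
    if t.deciding_module:
        why = f" ({t.winbind_error})" if t.deciding_module == "winbind" and t.winbind_error else ""
        out.append(f"{t.deciding_module}: decided -> {t.final_status}{why}")
    if t.smb_error:
        out.append(f"client saw: {t.smb_error} on {t.smb_command}")
    return out


if __name__ == "__main__":
    print("\n".join(summarise(parse_auth_trace(SAMPLE_LOG))))
```

Run against a real `log.<client>` at `log level = 10` the summary makes the split in the post visible at a glance: the SAM module declines because the presented domain is not one of the member server's own names, so the verdict (and the `NT_STATUS_WRONG_PASSWORD`) comes from winbind alone, which is the module that disappears when winbindd is stopped.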
Harald Hannelius
2015-Feb-12 13:47 UTC
[Samba] 3.6.6 map untrusted to domain does not work if winbind is running
Anyone?

On Tue, 10 Feb 2015, Harald Hannelius wrote:

> Hi all,
>
> I have a domain member server 3.6.6 running on debian7, authenticating
> against another debian7 + samba 3.6.6 in DC-mode. Both servers have
> user-accounts and groups on LDAP and resolve posix users using libnss-ldap.
> The groupmap is living on LDAP as well.
>
> The domain member server serves a share with ACL enabled. I got the upgrade
> to 3.6.X and idmap-updates working, but the old behaviour where clients from
> other (or unknown) domains should be mapped to domain users is not.
>
> I have been testing with "smbclient '\\server\intra'" which fails. If I test
> with "smbclient '\\server\intra' -WGROUP" it works.
>
> If I stop winbindd (needed for groupmap) I am able to authenticate without
> entering a workgroup.
>
> Workstations here are sitting in an AD-tree, and they are largely now unable
> to automagically authenticate to the share (they share the same usernames and
> passwords).
>
> Please suggest anything
>
>
>
> # testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[intra]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> 	workgroup = GROUP
> 	server string = Intranet
> 	security = DOMAIN
> 	passdb backend = ldapsam:"ldaps://ldap1.domain.com ldaps://ldap2.domain.com "
> 	map untrusted to domain = Yes
> 	syslog = 0
> 	log file = /var/log/samba/log.%m
> 	max log size = 100
> 	unix extensions = No
> 	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096 IPTOS_LOWDELAY
> 	load printers = No
> 	os level = 65
> 	local master = No
> 	wins server = 11.22.33.44
> 	ldap admin dn = "cn=sambaadmin,dc=domain,dc=com"
> 	ldap idmap suffix = ou=people
> 	ldap suffix = dc=domain,dc=com
> 	ldap ssl = no
> 	ldap user suffix = ou=people
> 	utmp = Yes
> 	winbind enum groups = Yes
> 	idmap config * : base_rid = 0
> 	idmap config GROUP : ldap_user_dn = cn=server,dc=domain,dc=com
> 	idmap config GROUP : ldap_base_dn = ou=people,dc=domain,dc=com
> 	idmap config GROUP : ldap_url = ldaps://ldap1.domain.com/
> 	idmap config GROUP : read only = yes
> 	idmap config GROUP : range = 2000000-4000000
> 	idmap config GROUP : backend = ldap
> 	idmap config * : range = 2000-4999
> 	idmap config * : backend = tdb
>
> [intra]
> 	comment = Intranet
> 	path = /intra
> 	invalid users = root, someuser
> 	read only = No
> 	create mask = 0665
> 	directory mask = 02775
>
>
>
> [2015/02/10 14:31:07.975917, 3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password: mapped user is: [GROUP]\[harald]@[BIATCH]
> [2015/02/10 14:31:07.976003, 10] auth/auth.c:231(check_ntlm_password)
>   check_ntlm_password: auth_context challenge created by random
> [2015/02/10 14:31:07.976088, 10] auth/auth.c:233(check_ntlm_password)
>   challenge is:
> [2015/02/10 14:31:07.976172, 5] ../lib/util/util.c:415(dump_data)
>   [0000] 1E FA EF 6E 4C 2B DD CF ...nL+..
> [2015/02/10 14:31:07.976292, 10] auth/auth_builtin.c:44(check_guest_security)
>   Check auth for: [harald]
> [2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
>   check_ntlm_password: guest had nothing to say
> [2015/02/10 14:31:07.976472, 10] auth/auth_sam.c:75(auth_samstrict_auth)
>   Check auth for: [harald]
> [2015/02/10 14:31:07.976557, 8] lib/util.c:1521(is_myname)
>   is_myname("GROUP") returns 0
> [2015/02/10 14:31:07.976643, 6] auth/auth_sam.c:88(auth_samstrict_auth)
>   check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
>   check_ntlm_password: sam had nothing to say
> [2015/02/10 14:31:07.976821, 10] auth/auth_winbind.c:50(check_winbind_security)
>   Check auth for: [harald]
> [2015/02/10 14:31:07.976907, 4] smbd/sec_ctx.c:214(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2015/02/10 14:31:07.977003, 4] smbd/uid.c:460(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2015/02/10 14:31:07.977089, 4] smbd/sec_ctx.c:314(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2015/02/10 14:31:07.977175, 5] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2015/02/10 14:31:07.977258, 5] auth/token_util.c:527(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2015/02/10 14:31:07.993761, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
>   check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
> [2015/02/10 14:31:07.993944, 5] auth/auth.c:271(check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
> [2015/02/10 14:31:07.994032, 2] auth/auth.c:319(check_ntlm_password)
>   check_ntlm_password: Authentication for user [harald] -> [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
> [2015/02/10 14:31:07.994141, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2015/02/10 14:31:07.994241, 5] lib/util.c:332(show_msg)
> [2015/02/10 14:31:07.994289, 5] lib/util.c:342(show_msg)
>
>

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020