Krutskikh Ivan
2015-May-20 17:50 UTC
[Samba] Failed to find authenticated user via getpwnam(), denying access
Hi,

I'm trying a basic setup: samba 4.2 on vm as ad dc, linux server as a dc member with samba shares and win 7 as an ad member and samba client.

Unix attrs are assigned, windows auth and linux kinit work ok. But when I try to access samba share from windows I get the error above in my log.smb:

  check_ntlm_password: Checking password for unmapped user [KURSK]\[video]@[EVENT] with the new password interface
[2015/05/20 19:52:36.319290, 3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [KURSK]\[video]@[EVENT]
[2015/05/20 19:52:36.319324, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2015/05/20 19:52:36.319351, 4] ../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2015/05/20 19:52:36.319376, 4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2015/05/20 19:52:36.326815, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/05/20 19:52:36.327565, 3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user KURSK\video via getpwnam(), denying access.
[2015/05/20 19:52:36.327620, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [video] -> [video] FAILED with error NT_STATUS_NO_SUCH_USER

What am I missing here?
Linux ad member smb.conf:

[global]

workgroup = KURSK
security = ADS
realm = KURSK.MTT
server role = member server
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

log level = 4

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config KURSK:backend = ad
idmap config KURSK:schema_mode = rfc2307
idmap config KURSK:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

[demoshare]
path = /archive/video
read only = no

krb5.conf :

[libdefaults]
    default_realm = KURSK.MTT
    dns_lookup_realm = false
    dns_lookup_kdc = true
    clockskew = 300
[domain_realm]
    .kursk.mtt = KURSK.MTT
[realms]
    KURSK.MTT = {
        kdc = debian-dc.kursk.mtt
        default_domain = kursk.mtt
        admin_server = debian-dc.kursk.mtt
    }
[appdefaults]
    pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
        clockskew = 300
        external = sshd
        use_shmem = sshd
    }
[logging]
    kdc = FILE:/var/log/krb5.log
    kdc = SYSLOG:INFO
    default = SYSLOG:UNFO:USER

/etc/nsswitch.conf :

#passwd: compat
#group: compat

passwd: compat winbind
group: compat winbind
shadow: files winbind

hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files

bootparams: files
automount: files nis
aliases: files
Krutskikh Ivan
2015-May-20 19:18 UTC
[Samba] Failed to find authenticated user via getpwnam(), denying access
The problem was due to winbind missing symlinks in opensuse 13.1/13.2. It's fixed with:

ln -s /usr/lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2
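Added example, not part of the original thread: a shell check for the two things the getpwnam() lookup in the log depends on, winbind being listed in /etc/nsswitch.conf and glibc being able to open libnss_winbind.so.2 (glibc loads NSS services as libnss_<service>.so.2). The function names, the ROOT prefix argument and the directory list are assumptions made for this example.

```sh
#!/bin/sh
# Added example: checks behind "Failed to find authenticated user ... via getpwnam()".
# ROOT is a hypothetical path prefix so the checks can run against a test tree;
# pass "" to inspect the live system, e.g.:  check_winbind_nss "" video

# Library directories to search (an assumption; adjust for your distribution).
NSS_LIB_DIRS="/lib64 /usr/lib64 /lib /usr/lib /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu"

# nss_uses_winbind FILE DB: succeed if the DB line (passwd, group) lists winbind.
nss_uses_winbind() {
    awk -v db="$2:" '
        /^[ \t]*#/ { next }    # ignore commented-out lines
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# find_nss_module ROOT: print the first libnss_winbind.so.2 that resolves to a file.
find_nss_module() {
    for d in $NSS_LIB_DIRS; do
        f="$1$d/libnss_winbind.so.2"
        # -e follows symlinks, so a dangling link counts as missing
        if [ -e "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# check_winbind_nss ROOT [USER]
# returns 0 = ok, 1 = nsswitch.conf lacks winbind, 2 = module not found,
#         3 = module found but USER still does not resolve (live system only)
check_winbind_nss() {
    root=$1; user=$2
    for db in passwd group; do
        nss_uses_winbind "$root/etc/nsswitch.conf" "$db" || {
            echo "FAIL: $db line in nsswitch.conf does not list winbind"; return 1; }
    done
    mod=$(find_nss_module "$root") || {
        echo "FAIL: no usable libnss_winbind.so.2 in: $NSS_LIB_DIRS"; return 2; }
    echo "ok: NSS module at $mod"
    if [ -z "$root" ] && [ -n "$user" ]; then
        # getent goes through the same NSS lookup that getpwnam() uses
        getent passwd "$user" >/dev/null || {
            echo "FAIL: getent passwd $user found nothing"; return 3; }
        echo "ok: $user resolves through NSS"
    fi
    return 0
}
```

A return code of 2 with a correct nsswitch.conf corresponds to the situation in this thread: authentication succeeds against the domain, but the account cannot be mapped to a Unix user, so smbd denies access.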