Hi Everyone, my first foray into Samba and AD both.

Not sure if this is an OS or configuration problem. I've found similar
issues, but nothing either recent enough (is related to samba 3) or close
enough.

FreeBSD-10.1-RELENG, Samba 4.2.2.

I have the domain provisioned as rfc2307
I have joined a Win7 virtual machine to the domain
I have created a new user with ADUC
I have assigned 10000 to the Domain Users GID
I have assigned 10000 to the new user
I have logged in with the new user
I have joined a member server to the domain
I cannot access anything from the member server; it would appear it doesn't
recognize any of the users.

Both the DC and MS are jailed.

***Domain controller***
10.1.200.99/32

# cat /etc/resolv.conf
nameserver 10.1.200.99
search ad.nyingma.org

# hostname
dc1.ad.nyingma.org

# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.NYINGMA.ORG
dns_lookup_realm = false
dns_lookup_kdc = true

# cat /usr/local/etc/smb4.conf
[global]
workgroup = NYINGMA
realm = AD.NYINGMA.ORG
netbios name = DC1
interfaces = 10.1.200.99
bind interfaces only = Yes
server role = active directory domain controller
dns forwarder = 10.1.200.1
idmap_ldb:use rfc2307 = yes
disable netbios = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g

[netlogon]
path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
read only = No

[sysvol]
path = /var/db/samba4/sysvol
read only = No

***Member Server***
10.1.200.98/32

# cat /etc/resolv.conf
nameserver 10.1.200.99
search ad.nyingma.org

# cat /usr/local/etc/smb4.conf
[global]
netbios name = MS1
workgroup = NYINGMA
security = ADS
realm = AD.NYINGMA.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config NYINGMA:backend = ad
idmap config NYINGMA:schema_mode = rfc2307
idmap config NYINGMA:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

log level = 10

[demoshare]
path = /srv/samba/test
read only = no

# wbinfo -u
administrator
krbtgt
guest
leeb

# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.1/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
#group_compat: nis
hosts: files dns
networks: files
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

group: files winbind
user: files winbind

# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     winbindd   52698 26 tcp4   10.1.200.98:37794     10.1.200.99:445
root     winbindd   52698 28 tcp4   10.1.200.98:37794     10.1.200.99:445
root     winbindd   52698 30 tcp4   10.1.200.98:59691     10.1.200.99:389
root     winbindd   52698 31 tcp4   10.1.200.98:59026     10.1.200.99:389
root     winbindd   52698 32 tcp4   10.1.200.98:49319     10.1.200.99:1024
root     smbd       52693 35 tcp4   10.1.200.98:445       *:*
root     smbd       52693 36 tcp4   10.1.200.98:139       *:*
root     nmbd       52689 16 udp4   10.1.200.98:137       *:*
root     nmbd       52689 17 udp4   10.1.200.98:138       *:*
root     nmbd       52689 18 udp4   10.1.200.98:137       *:*
root     nmbd       52689 19 udp4   10.1.200.98:137       *:*
root     nmbd       52689 20 udp4   10.1.200.98:138       *:*
root     nmbd       52689 21 udp4   10.1.200.98:138       *:*

# wbinfo -i leeb
leeb:*:10000:10000:lee:/home/leeb:/bin/sh

# kinit leeb@AD.NYINGMA.ORG
leeb@AD.NYINGMA.ORG's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: leeb@AD.NYINGMA.ORG

  Issued                Expires               Principal
Jul 10 20:03:32 2015  Jul 11 06:03:32 2015  krbtgt/AD.NYINGMA.ORG@AD.NYINGMA.ORG

HOWEVER:
# getent passwd
does not list the above user

The windows side gets an access denied.
With a debug level of 1:

# tail log.smbd
[2015/07/10 20:01:31.573768,  0] ../source3/lib/util_sock.c:455(open_socket_in)
  open_socket_in(): socket() call failed: Protocol not supported
[2015/07/10 20:01:31.573832,  0] ../source3/smbd/server.c:690(smbd_open_one_socket)
  smbd_open_once_socket: open_socket_in: Protocol not supported
[2015/07/10 20:01:31.574017,  1] ../source3/printing/printer_list.c:227(printer_list_get_last_refresh)
  Failed to fetch record!
[2015/07/10 20:01:38.007082,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username NYINGMA\leeb is invalid on this system
[2015/07/10 20:01:38.007103,  1] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

Any clues to where to go next would be very much appreciated.

-- lee
On 11/07/15 04:06, Lee Brown wrote:
> Both the DC and MS are jailed.
> [...]
> Any clues to where to go next would be very much appreciated.

Hi, I recently set up a FreeBSD member server to test something and my
setup was virtually the same as yours, only real differences I can see
are, mine worked and I *didn't* use jails.

Rowland
On 11/07/15 10:16, Rowland Penny wrote:
> On 11/07/15 04:06, Lee Brown wrote:
>> # cat /etc/nsswitch.conf
>> [...]
>> group: files winbind
>> user: files winbind
>> [...]
>> HOWEVER:
>> # getent passwd
>> does not list the above user
> [...]

I also just noticed this in nsswitch.conf:

group: files winbind
user: files winbind

'user' should be 'passwd'

Rowland