Patrick G. Stoesser
2016-Apr-16 17:08 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
Hello everybody,

I've been running Samba as an AD member server for ages (Debian stable).
After the last update to 4.2, I just can't get it to work.

Symptoms: unable to map AD user / groups.

After two days of unsuccessfully fiddling (and moving all data to another
server with still Samba 3.6, which I will definitely NOT update at the
moment), I decided to purge my installation and start over again like
described in
<https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>

So now my setup is (all names and IPs are masked, but are correct here):

********************************************************************
smb.conf
********************************************************************
[global]

    netbios name = test-fileserver3
    security = ADS
    workgroup = AD
    realm = AD.test.loc

    log file = /var/log/samba/%m.log
    log level = 3

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 10000-95000

    winbind nss info = template
    # template shell = /sbin/nologin
    # template homedir = /home/%U
********************************************************************

********************************************************************
nsswitch.conf
********************************************************************
passwd: files winbind
group: files winbind
hosts: files dns.
shadow: files winbind

networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
********************************************************************

My krb5.keytab has been generated correctly. I also have a krb5.conf:

********************************************************************
krb5.conf
********************************************************************

[libdefaults]
    default_realm = AD.TEST.LOC
    clockskew = 900

    # The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    TEST.TEST.LOC = {
        kdc = dc.ad.test.loc
        kdc = dc1.ad.test.loc
        kdc = dc2.ad.test.loc
        kdc = dc3.ad.test.loc
        admin_server = dc.test.loc
    }

[domain_realm]
    .test.loc = AD.TEST.LOC

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
********************************************************************

libpam.winbind and libnss.winbind are installed.

Name resolution works (as before...):

    host -t A dc.ad.test.loc
    dc.ad.test.loc has address 123.456.789.208

    getent hosts
    127.0.0.1 localhost
    123.456.789.244 test-fileserver3.test.test.loc test-fileserver3

Time is synchronized (as before...)

net join ads -U "Domainadmin" worked.

smbd, nmbd, winbind start successfully.
wbinfo -t and -p are successful.

But still no resolution. wbinfo -g and -u give no result. Also, getent
passwd delivers only local accounts.

Log says (as expected) "Username AD\ps-15-16 is invalid on this system
[2016/04/16 18:52:45.713298, 3]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user
(NT_STATUS_LOGON_FAILURE)"

I tried, as read in the list, to change idmap config AD:backend = ad to
rid. No change in results.

Anyone any idea? I'm momentarily at the end of mine.
Rowland penny
2016-Apr-16 18:34 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
On 16/04/16 18:08, Patrick G. Stoesser wrote:
> ********************************************************************
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group: files winbind
> hosts: files dns.
> shadow: files winbind

Try removing 'winbind' from the shadow line, I have never used it,
another user a few days ago was using it and was having similar problems
to you, he removed winbind and reported back that everything was now
working ok.

> I tried, as read in the list, to change idmap config AD:backend = ad
> to rid. No change in results.

The 'ad' backend only works if your users have a unique uidNumber
attribute, this number must be inside the range you set in smb.conf.
Domain Users must also have a gidNumber.

'rid' is different, you do not have to add anything to AD.

Rowland
L.P.H. van Belle
2016-Apr-16 20:11 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group: files winbind
> hosts: files dns.

The dot after dns, do check if it's in the config file please ;-)

Greetz,

Louis
L.P.H. van Belle
2016-Apr-16 20:23 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
Try it with a simple krb5.conf, or you have errors there, or you change too much to anonymize..

Like:

[libdefaults]
    default_realm = AD.TEST.LOC
    dns_lookup_kdc = true
    dns_lookup_realm = false

greetz,

Louis
Patrick G. Stoesser
2016-Apr-16 21:18 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
Hello again,

no change here. But in the meantime I looked through the logfiles.
Sorry, many of those lines are just cryptic to me. But maybe someone has
an idea. Thank you. Again anonymized (domain names and IPs).

Samba machine specific log see below.

Connecting the passwd server and WINS seems to work.

Apparently errors:

    Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
    ads reopen failed after error Time limit exceeded
    enum_dom_groups ads_search: Time limit exceeded
    Negative name query response, rcode 0x03: The name requested does not exist.

************************************************************************
log.wb-AD
************************************************************************
  Reopening ads connection to realm 'AD.TEST.LOC' after error Time limit exceeded
[2016/04/16 22:54:21.289277, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.290348, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:54:21.290447, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.290578, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.292312, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:54:21.292408, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server dc5.ad.test.loc
[2016/04/16 22:54:21.294816, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2016/04/16 22:54:21.294856, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2016/04/16 22:54:21.294878, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2016/04/16 22:54:21.294898, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:54:21.513455, 3] ../source3/libads/ldap.c:904(ads_do_paged_search_args)
  ads_do_paged_search_args: ldap_search_with_timeout((&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1))))) -> Time limit exceeded
[2016/04/16 22:54:21.513684, 1] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
  ads reopen failed after error Time limit exceeded
[2016/04/16 22:54:21.513710, 1] ../source3/winbindd/winbindd_ads.c:479(enum_dom_groups)
  enum_dom_groups ads_search: Time limit exceeded
[2016/04/16 22:54:51.549243, 3] ../source3/winbindd/winbindd_cm.c:1947(connection_ok)
  connection_ok: Connection to dc5.ad.test.loc for domain AD is not connected
[2016/04/16 22:54:51.549486, 3] ../source3/lib/util_sock.c:636(open_socket_out_send)
  Connecting to 129.206.15.144 at port 445
[2016/04/16 22:54:51.551095, 3] ../source3/libsmb/cliconnect.c:1817(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=108)
[2016/04/16 22:54:51.551188, 3] ../source3/libsmb/cliconnect.c:1844(cli_session_setup_spnego_send)
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:54:51.551240, 3] ../source3/libsmb/cliconnect.c:1854(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178 at please_ignore
[2016/04/16 22:54:51.551269, 3] ../source3/libsmb/cliconnect.c:1721(cli_session_setup_get_principal)
  cli_session_setup_spnego: using target hostname not SPNEGO principal
[2016/04/16 22:54:51.551298, 3] ../source3/libsmb/cliconnect.c:1736(cli_session_setup_get_principal)
  cli_session_setup_spnego: guessed server principal=cifs/dc5.ad.test.loc at AD.test.loc
[2016/04/16 22:58:01.571796, 3] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
  msrpc_name_to_sid: name=AD\ROOT
[2016/04/16 22:58:01.571853, 3] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
  name_to_sid [rpc] AD\ROOT for domain AD
[2016/04/16 22:58:01.575599, 3] ../source3/lib/util_sock.c:636(open_socket_out_send)
  Connecting to 129.206.15.144 at port 135
[2016/04/16 22:58:01.577977, 3] ../source3/lib/util_sock.c:636(open_socket_out_send)
  Connecting to 129.206.15.144 at port 49155
[2016/04/16 22:58:01.580495, 3] ../source3/winbindd/winbindd_ads.c:1007(lookup_usergroups)
[2016/04/16 22:58:01.580495, 3] ../source3/winbindd/winbindd_ads.c:1007(lookup_usergroups)
  ads: lookup_usergroups
[2016/04/16 22:58:01.580522, 3] ../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
  : lookup_usergroups_cached
[2016/04/16 22:58:01.580783, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:01.580844, 3] ../source3/libsmb/namequery.c:2296(resolve_lmhosts)
  resolve_lmhosts: Attempting lmhosts lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:01.580862, 3] ../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
  resolve_lmhosts: Attempting lmhosts lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:01.580933, 3] ../source3/libsmb/namequery.c:2163(resolve_wins_send)
  resolve_wins: using WINS server 123.456.789.208 and tag '*'
[2016/04/16 22:58:01.580976, 3] ../source3/libsmb/namequery.c:2163(resolve_wins_send)
  resolve_wins: using WINS server 129.206.15.144 and tag '*'
[2016/04/16 22:58:01.581009, 3] ../lib/util/charset/convert_string.c:305(convert_string_handle)
  E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 - 'DC5.AD.test.loc'
[2016/04/16 22:58:03.582397, 3] ../lib/util/charset/convert_string.c:305(convert_string_handle)
  E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 - 'DC5.AD.test.loc'
[2016/04/16 22:58:03.583259, 3] ../source3/libsmb/namequery.c:1328(name_query_validator)
  Negative name query response, rcode 0x03: The name requested does not exist.
[2016/04/16 22:58:03.583338, 3] ../source3/libsmb/namequery.c:2353(resolve_hosts)
  resolve_hosts: Attempting host lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:03.585184, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.585288, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.585394, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.586266, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.587052, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.587140, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.587240, 3] ../source3/libsmb/namequery.c:3133(get_dc_list)
  get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.588712, 3] ../source3/libads/ldap.c:541(ads_connect)
  Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.588814, 3] ../source3/libads/ldap.c:584(ads_connect)
  Connected to LDAP server dc5.ad.test.loc
[2016/04/16 22:58:03.591107, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2016/04/16 22:58:03.591153, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2016/04/16 22:58:03.591176, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2016/04/16 22:58:03.591197, 3] ../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
  ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:58:03.606696, 1] ../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
  Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/16 22:58:03.871767, 3] ../source3/winbindd/winbindd_ads.c:1132(lookup_usergroups)
  ads lookup_usergroups (tokenGroups) succeeded for sid=S-1-5-21-977923109-2952828257-175163757-50444
[2016/04/16 22:59:18.328783, 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
  [ 3313]: list trusted domains
[2016/04/16 22:59:18.328860, 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
  ads: trusted_domains
[2016/04/16 23:04:18.428994, 3] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
  [ 3313]: list trusted domains
[2016/04/16 23:04:18.429092, 3] ../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
  ads: trusted_domains
****************************************************************************************

And here is what happens, when a user tries to connect (Samba machine
specific log). Apparently fails to match the user to the AD.

****************************************************************************************
  Got user=[ur067] domain=[AD] workstation=[DWIRT-WISO-183] len1=24 len2=402
[2016/04/16 17:59:20.159563, 3] ../source3/param/loadparm.c:3636(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/04/16 17:59:20.159609, 3] ../source3/param/loadparm.c:527(init_globals)
  Initialising global parameters
[2016/04/16 17:59:20.159675, 3] ../source3/param/loadparm.c:2579(lp_do_section)
  Processing section "[global]"
[2016/04/16 17:59:20.159848, 3] ../source3/param/loadparm.c:1476(lp_add_ipc)
  adding IPC service
[2016/04/16 17:59:20.160041, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [AD]\[ur067]@[DWIRT-WISO-183] with the new password interface
[2016/04/16 17:59:20.160055, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [AD]\[ur067]@[DWIRT-WISO-183]
[2016/04/16 17:59:20.162558, 3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user AD\ur067 via getpwnam(), denying access.
[2016/04/16 17:59:20.162578, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [ur067] -> [ur067] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.162597, 2] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.198682, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2016/04/16 17:59:20.199641, 3] ../auth/ntlmssp/ntlmssp_server.c:449(ntlmssp_server_preauth)
  Got user=[ur067] domain=[AD] workstation=[DWIRT-WISO-183] len1=24 len2=402
[2016/04/16 17:59:20.199682, 3] ../source3/param/loadparm.c:3636(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/04/16 17:59:20.199727, 3] ../source3/param/loadparm.c:527(init_globals)
  Initialising global parameters
[2016/04/16 17:59:20.199793, 3] ../source3/param/loadparm.c:2579(lp_do_section)
  Processing section "[global]"
[2016/04/16 17:59:20.199965, 3] ../source3/param/loadparm.c:1476(lp_add_ipc)
  adding IPC service
[2016/04/16 17:59:20.200158, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [AD]\[ur067]@[DWIRT-WISO-183] with the new password interface
[2016/04/16 17:59:20.200171, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [AD]\[ur067]@[DWIRT-WISO-183]
[2016/04/16 17:59:20.202567, 3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user AD\ur067 via getpwnam(), denying access.
[2016/04/16 17:59:20.202595, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [ur067] -> [ur067] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.202614, 2] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
****************************************************************************************
Patrick G. Stoesser
2016-Apr-19 10:21 UTC
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
Hello,

a reply in debianforum.de led me to:

client ldap sasl wrapping = plain

and with that setting at least wbinfo works.

But still my problems are not completely gone: On the filesystem level, AD users and groups are still not resolved. "Invalid user". But kinit "USER" works. Still have to try...

Regards, pgs
L.P.H. van Belle
2016-Apr-19 10:47 UTC
[Samba] FW: Domain member seems to work, wbinfo -u not (update7)
@Patrick Thanks, that helped.
@Mathias, only 10.000 objects.

>> client ldap sasl wrapping = plain <<

I've tested that on my members.
4.2.10
4.3.8
4.4.1
4.4.2
wbinfo -u now works.

Ok, tested all 3 options of that setting.
Tested also in the order: plain, seal, sign.

Samba 4.2.10 (Debian stable)
client ldap sasl wrapping = plain    wbinfo -u works.
client ldap sasl wrapping = seal     wbinfo -u fails
client ldap sasl wrapping = sign     wbinfo -u fails
Only plain works, and keeps working.

Other server.
Version 4.4.2-LvB ( samba.org packages, own deb, based on Debian 4.4.1 )
By default it fails, now the funny part.
( default Samba setting is sign )
We start with a NOT working wbinfo -u.

Test with the following changes.
Try1) client ldap sasl wrapping = plain    wbinfo -u works.
Try2) client ldap sasl wrapping = seal     wbinfo -u also works now.
Try3) client ldap sasl wrapping = sign     wbinfo -u also works now.

Only the 4.4.2 now keeps working independent of the setting.
Lunch first, I'll test the 4.3.8 also.

Greetz,

Louis
L.P.H. van Belle
2016-Apr-19 13:11 UTC
[Samba] FW: Domain member seems to work, wbinfo -u not (update8)( solved maybe?)
Ok. New test, Debian Samba 4.2.10 ( all stock Debian packages )
So others with 4.2.10 stock Debian packages, please test also if below works.

The file server on which (wbinfo -u) worked Saturday, and not on Sunday until now.
None of these three settings below are in the config and wbinfo -u fails.

Now adding these settings !! one at a time !!
And I reloaded Samba and restarted winbind every time.

client ldap sasl wrapping = plain
client ldap sasl wrapping = seal
client ldap sasl wrapping = sign

Result in the end.
I started with plain, wbinfo -u works, but first time a long delay before I see the output ( long is +4-5 sec ).
Changed it to seal, wbinfo -u works.
And back to the Samba default "sign", which now also works.

So seems fixed now. Strange..

Removed the client ldap sasl wrapping from the config.
All still works.

I'll check this server tomorrow again.

Greetz,

Louis
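Added example, not part of the original thread and not Samba's own code: a check for a `client ldap sasl wrapping = plain` line left in smb.conf after testing like the above, since `plain` means winbind's LDAP traffic to the domain controller is neither signed nor sealed. The sample config is constructed, the function names are hypothetical, and the default `sign` is taken from the thread.

```python
import re

PARAM = "clientldapsaslwrapping"   # "client ldap sasl wrapping", normalized
DEFAULT = "sign"                   # default as stated in the thread (assumption elsewhere)

def _norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def effective_wrapping(conf_text):
    """Return (value, line_no) from [global]; line_no is None if the default applies."""
    section, value, where = None, DEFAULT, None
    pending, start = "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not pending:
            start = no
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        # global parameter: assignments in share sections are not considered
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")   # only the first '=' is significant
            if _norm(key) == PARAM:
                value, where = val.strip().lower(), start   # last assignment wins
    return value, where

def audit(conf_text):
    value, where = effective_wrapping(conf_text)
    if value == "plain":
        return f"FAIL line {where}: LDAP to the DC is neither signed nor sealed"
    if where is None:
        return f"OK: not set, default '{DEFAULT}' applies"
    return f"OK line {where}: '{value}'"

# Constructed sample: a member-server config with the workaround left in.
SAMPLE = """\
[global]
    security = ADS
    workgroup = AD
    # client ldap sasl wrapping = seal
    Client LDAP  SASL wrapping = plain
[share]
    client ldap sasl wrapping = sign
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(audit(SAMPLE.replace("= plain", "= sign")))
```

The parser does not follow `include` lines; on a live host, `testparm -s` prints the merged configuration to check instead.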