francis picabia
2016-Aug-08 13:24 UTC
[Samba] why does add_local_groups come up in only one system's logs?
I have a couple of Debian 8.5 systems set up in similar manner. Samba is
version 4.2.10-Debian
Here is the essential config...
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
nt acl support = No
printing = bsd
[homes]
comment = Home Directories
path = %H
valid users = %U at mydom
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes
/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
configuration on both systems. The first one allows a connection
to the homes. Here is a tail on the log file:
[2016/08/08 09:42:49.956619, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN1] with the new password interface
[2016/08/08 09:42:49.956656, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1]
[2016/08/08 09:42:49.961548, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:42:49.961610, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username]
->
[username] succeeded
[2016/08/08 09:42:49.961671, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961699, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961772, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337, 3]
../source3/param/loadparm.c:1427(lp_add_home)
adding home's share [username] for user 'username' at '%H'
The second server fails with the add_local_groups and getpwuid:
[2016/08/08 09:53:55.146840, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN2] with the new password interface
[2016/08/08 09:53:55.146867, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2]
[2016/08/08 09:53:55.150852, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:53:55.150902, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username]
->
[username] succeeded
[2016/08/08 09:53:55.150960, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.150978, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.151036, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token
I am so far unable to find why the getpwuid for add_local_groups matters,
or why only one system even mentions it in the logfile trace. The default
group ID is listed in /etc/group for the user and the home directory with
ls -ld looks fine with 700 chmod
for the home directory in both servers.
Rowland Penny
2016-Aug-08 13:54 UTC
[Samba] why does add_local_groups come up in only one system's logs?
On Mon, 8 Aug 2016 10:24:03 -0300 francis picabia <fpicabia at gmail.com> wrote:> I have a couple of Debian 8.5 systems set up in similar manner. > Samba is version 4.2.10-Debian > > Here is the essential config... > > # testparm /etc/samba/smb.conf > Load smb config files from /etc/samba/smb.conf > Processing section "[homes]" > Loaded services file OK. > Server role: ROLE_DOMAIN_MEMBER > > Press enter to see a dump of your service definitions > > # Global parameters > [global] > workgroup = MYDOM > realm = AD.MYDOM.CA > server string = debian2 Server > security = ADS > log file = /var/log/samba/%m.log > max log size = 50 > unix extensions = No > load printers = No > printcap name = /dev/null > disable spoolss = Yes > dns proxy = No > winbind enum users = Yes > winbind enum groups = Yes > winbind use default domain = Yes > idmap config * : range = 1000-1999999 > idmap config * : backend = tdb > nt acl support = No > printing = bsd > > > [homes] > comment = Home Directories > path = %H > valid users = %U at mydom > read only = No > create mask = 0700 > directory mask = 0700 > browseable = No > wide links = Yes > > /etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same > configuration on both systems. The first one allows a connection > to the homes. Here is a tail on the log file: > > [2016/08/08 09:42:49.956619, 3] > ../source3/auth/auth.c:178(auth_check_ntlm_password) > check_ntlm_password: Checking password for unmapped user > [MYDOM]\[username]@[DEBIAN1] with the new password interface > [2016/08/08 09:42:49.956656, 3] > ../source3/auth/auth.c:181(auth_check_ntlm_password) > check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1] > [2016/08/08 09:42:49.961548, 3] > ../source3/auth/auth.c:249(auth_check_ntlm_password) > check_ntlm_password: winbind authentication for user [username] > succeeded [2016/08/08 09:42:49.961610, 2] > ../source3/auth/auth.c:305(auth_check_ntlm_password) > check_ntlm_password: authentication for user [username] -> > [username] -> [username] succeeded > [2016/08/08 09:42:49.961671, 3] > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2016/08/08 09:42:49.961699, 3] > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62088215 > [2016/08/08 09:42:49.961748, 3] > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2016/08/08 09:42:49.961772, 3] > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62088215 > [2016/08/08 09:42:50.271337, 3] > ../source3/param/loadparm.c:1427(lp_add_home) > adding home's share [username] for user 'username' at '%H' > > The second server fails with the add_local_groups and getpwuid: > > [2016/08/08 09:53:55.146840, 3] > ../source3/auth/auth.c:178(auth_check_ntlm_password) > check_ntlm_password: Checking password for unmapped user > [MYDOM]\[username]@[DEBIAN2] with the new password interface > [2016/08/08 09:53:55.146867, 3] > ../source3/auth/auth.c:181(auth_check_ntlm_password) > check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2] > [2016/08/08 09:53:55.150852, 3] > ../source3/auth/auth.c:249(auth_check_ntlm_password) > check_ntlm_password: winbind authentication for user [username] > succeeded [2016/08/08 09:53:55.150902, 2] > ../source3/auth/auth.c:305(auth_check_ntlm_password) > check_ntlm_password: authentication for user [username] -> > [username] -> [username] succeeded > [2016/08/08 09:53:55.150960, 3] > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2016/08/08 09:53:55.150978, 3] > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62088215 > [2016/08/08 09:53:55.151024, 3] > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > NTLMSSP Sign/Seal - Initialising with flags: > [2016/08/08 09:53:55.151036, 3] > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0x62088215 > [2016/08/08 09:53:55.151321, 1] > ../source3/auth/token_util.c:430(add_local_groups) > SID S-1-5-21-82194667-1315141139-1877560073-12331 -> > getpwuid(16777216) failed > [2016/08/08 09:53:55.151348, 3] > ../source3/auth/token_util.c:316(create_local_nt_token_from_info3) > Failed to finalize nt token > > > I am so far unable to find why the getpwuid for add_local_groups > matters, or why only one system even mentions it in the logfile > trace. The default group ID is listed in /etc/group for the user and > the home directory with ls -ld looks fine with 700 chmod > for the home directory in both servers.Are you using sssd ? If not, where are you storing the users & groups ? Rowland
francis picabia
2016-Aug-08 14:48 UTC
[Samba] why does add_local_groups come up in only one system's logs?
On Mon, Aug 8, 2016 at 10:54 AM, Rowland Penny <rpenny at samba.org> wrote:> On Mon, 8 Aug 2016 10:24:03 -0300 > francis picabia <fpicabia at gmail.com> wrote: > > > I have a couple of Debian 8.5 systems set up in similar manner. > > Samba is version 4.2.10-Debian > > > > Here is the essential config... > > > > # testparm /etc/samba/smb.conf > > Load smb config files from /etc/samba/smb.conf > > Processing section "[homes]" > > Loaded services file OK. > > Server role: ROLE_DOMAIN_MEMBER > > > > Press enter to see a dump of your service definitions > > > > # Global parameters > > [global] > > workgroup = MYDOM > > realm = AD.MYDOM.CA > > server string = debian2 Server > > security = ADS > > log file = /var/log/samba/%m.log > > max log size = 50 > > unix extensions = No > > load printers = No > > printcap name = /dev/null > > disable spoolss = Yes > > dns proxy = No > > winbind enum users = Yes > > winbind enum groups = Yes > > winbind use default domain = Yes > > idmap config * : range = 1000-1999999 > > idmap config * : backend = tdb > > nt acl support = No > > printing = bsd > > > > > > [homes] > > comment = Home Directories > > path = %H > > valid users = %U at mydom > > read only = No > > create mask = 0700 > > directory mask = 0700 > > browseable = No > > wide links = Yes > > > > /etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same > > configuration on both systems. The first one allows a connection > > to the homes. Here is a tail on the log file: > > > > [2016/08/08 09:42:49.956619, 3] > > ../source3/auth/auth.c:178(auth_check_ntlm_password) > > check_ntlm_password: Checking password for unmapped user > > [MYDOM]\[username]@[DEBIAN1] with the new password interface > > [2016/08/08 09:42:49.956656, 3] > > ../source3/auth/auth.c:181(auth_check_ntlm_password) > > check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1] > > [2016/08/08 09:42:49.961548, 3] > > ../source3/auth/auth.c:249(auth_check_ntlm_password) > > check_ntlm_password: winbind authentication for user [username] > > succeeded [2016/08/08 09:42:49.961610, 2] > > ../source3/auth/auth.c:305(auth_check_ntlm_password) > > check_ntlm_password: authentication for user [username] -> > > [username] -> [username] succeeded > > [2016/08/08 09:42:49.961671, 3] > > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > > NTLMSSP Sign/Seal - Initialising with flags: > > [2016/08/08 09:42:49.961699, 3] > > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > > Got NTLMSSP neg_flags=0x62088215 > > [2016/08/08 09:42:49.961748, 3] > > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > > NTLMSSP Sign/Seal - Initialising with flags: > > [2016/08/08 09:42:49.961772, 3] > > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > > Got NTLMSSP neg_flags=0x62088215 > > [2016/08/08 09:42:50.271337, 3] > > ../source3/param/loadparm.c:1427(lp_add_home) > > adding home's share [username] for user 'username' at '%H' > > > > The second server fails with the add_local_groups and getpwuid: > > > > [2016/08/08 09:53:55.146840, 3] > > ../source3/auth/auth.c:178(auth_check_ntlm_password) > > check_ntlm_password: Checking password for unmapped user > > [MYDOM]\[username]@[DEBIAN2] with the new password interface > > [2016/08/08 09:53:55.146867, 3] > > ../source3/auth/auth.c:181(auth_check_ntlm_password) > > check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2] > > [2016/08/08 09:53:55.150852, 3] > > ../source3/auth/auth.c:249(auth_check_ntlm_password) > > check_ntlm_password: winbind authentication for user [username] > > succeeded [2016/08/08 09:53:55.150902, 2] > > ../source3/auth/auth.c:305(auth_check_ntlm_password) > > check_ntlm_password: authentication for user [username] -> > > [username] -> [username] succeeded > > [2016/08/08 09:53:55.150960, 3] > > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > > NTLMSSP Sign/Seal - Initialising with flags: > > [2016/08/08 09:53:55.150978, 3] > > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > > Got NTLMSSP neg_flags=0x62088215 > > [2016/08/08 09:53:55.151024, 3] > > ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) > > NTLMSSP Sign/Seal - Initialising with flags: > > [2016/08/08 09:53:55.151036, 3] > > ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) > > Got NTLMSSP neg_flags=0x62088215 > > [2016/08/08 09:53:55.151321, 1] > > ../source3/auth/token_util.c:430(add_local_groups) > > SID S-1-5-21-82194667-1315141139-1877560073-12331 -> > > getpwuid(16777216) failed > > [2016/08/08 09:53:55.151348, 3] > > ../source3/auth/token_util.c:316(create_local_nt_token_from_info3) > > Failed to finalize nt token > > > > > > I am so far unable to find why the getpwuid for add_local_groups > > matters, or why only one system even mentions it in the logfile > > trace. The default group ID is listed in /etc/group for the user and > > the home directory with ls -ld looks fine with 700 chmod > > for the home directory in both servers. > > Are you using sssd ? > If not, where are you storing the users & groups ? > >I've never used sssd anywhere before nor here. We're just trying to make this work as it has before with Samba 3.x and security=ads with Active Directory on MS Windows. We have /etc/passwd and /etc/group on each system. They are not identical. If I run: 'net ads group -U username | sort' on each system and compare, they show identical groups coming back from AD. The Group ID on Linux is in the 500 range on the system which works OK, and in the 1000 range on the system which does not work. Same AD user is tested with both systems. We also use winbind on ssh authentication and this works fine on both systems.