BLINDAUER Emmanuel
2016-Aug-19 07:22 UTC
[Samba] multiple domain and winbind use default domain
Hello,

I'm preparing a new fileserver, based on jessie + sernet 4.2.10 packages. The server is bound to a forest, "AD", where user accounts are stored, and subdomains "PSI" for computers and some local accounts. The Active Directory forest is managed by 2008R2 servers, with rfc2307 attributes filled for accounts.

I'm using "winbind use default domain" because the users are also used on Linux PC labs.

So currently a user user1 from domain AD can request a ticket and access his share with smbclient -k //server/user1. wbinfo -i user1 gives correct values.

But a user admin.eb from subdomain PSI can't access his share after requesting a ticket. wbinfo -i admin.eb gives the correct value:

PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash

but the smbd logs are saying:

Adding homes service for user 'PSI+admin.eb' using home directory: '/psihome/admin/admin.eb'
adding home's share [admin.eb] for user 'PSI+admin.eb' at '/psihome/admin/admin.eb'
smb_pam_start: PAM: Init passed for user: PSI+admin.eb
smb_pam_account: PAM: Account OK for User: PSI+admin.eb
string_to_sid: SID admin.eb is not in a valid format
user 'PSI+admin.eb' (from session setup) not permitted to access this share (admin.eb)

Looking in log.winbindd, winbindd tries several name searches:

getpwnam psi+admin.eb
getpwnam PSI+admin.eb
getpwnam PSI+admin.eb
lookupname AD+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
lookupname Unix User+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam ADMIN.EB
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

To be sure, I verified the account on the server:

# getent passwd PSI+admin.eb
PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash

It seems that the domain is dropped. If I add a local user account in /etc/passwd:

admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash

it works fine.

Here is the smb.conf:
# Global parameters
[global]
workgroup = AD
realm = AD.UNISTRA.FR
server role = member server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind max domain connections = 100
idmap config psi : range = 5000-9998
idmap config psi : schema_mode = rfc2307
idmap config psi : backend = ad
idmap config ad : schema_mode = rfc2307
idmap config ad : range = 9999-1000000
idmap config ad : default = yes
idmap config ad : backend = ad
idmap config * : range = 3000-4000
idmap config * : backend = tdb2
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
Rowland Penny
2016-Aug-19 07:46 UTC
[Samba] multiple domain and winbind use default domain
On Fri, 19 Aug 2016 09:22:50 +0200 BLINDAUER Emmanuel via samba <samba at lists.samba.org> wrote:
> Hello
> I'm preparing a new fileserver, based on jessie + sernet 4.2.10
> packages. the server is bound to a forest, "AD" where users account
> are stored, and subdomains "PSI" for computers and some local accounts
> The Active directory forest is managed by 2008R2 servers, with
> rfc2307 attributs filled for accounts.
>
> I'm using "winbind use default domain" because users are also used on
> linux PC labs.
>
> So currently an user user1 from domain AD can request a ticket and
> access his share with smbclient -k //server/user1
> wbinfo -i user1 gives correct values.
>
> But a user admin.eb from subdomain PSI can't access his share after
> requesting a ticket
> wbinfo -i admin.eb gives correct value:
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> but the smbd logs are saying:
>
> Adding homes service for user 'PSI+admin.eb' using home directory:
> '/psihome/admin/admin.eb'
> adding home's share [admin.eb] for user 'PSI+admin.eb' at
> '/psihome/admin/admin.eb'
> smb_pam_start: PAM: Init passed for user: PSI+admin.eb
> smb_pam_account: PAM: Account OK for User: PSI+admin.eb
> string_to_sid: SID admin.eb is not in a valid format
> user 'PSI+admin.eb' (from session setup) not permitted to access
> this share (admin.eb)
>
> looking in log.winbindd, winbindd try several names search:
>
> getpwnam psi+admin.eb
> getpwnam PSI+admin.eb
> getpwnam PSI+admin.eb
> lookupname AD+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> lookupname Unix User+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam ADMIN.EB
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> To be sure I verified the account on the server
> # getent passwd PSI+admin.eb
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> It seems that the domain is dropped.
> if I add a local user account in /etc/passwd:
> admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> it works fine
>
> Here the smb.conf:
>
> # Global parameters
> [global]
> workgroup = AD
> realm = AD.UNISTRA.FR
> server role = member server
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> kerberos method = secrets and keytab
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 100000
> panic action = /usr/share/samba/panic-action %d
> winbind separator = +
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind max domain connections = 100
> idmap config psi : range = 5000-9998
> idmap config psi : schema_mode = rfc2307
> idmap config psi : backend = ad
> idmap config ad : schema_mode = rfc2307
> idmap config ad : range = 9999-1000000
> idmap config ad : default = yes
> idmap config ad : backend = ad
> idmap config * : range = 3000-4000
> idmap config * : backend = tdb2
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No

try removing 'winbind use default domain = Yes', I think this could be your problem.

Rowland
BLINDAUER Emmanuel
2016-Aug-19 08:24 UTC
[Samba] multiple domain and winbind use default domain
On 19/08/2016 at 09:46, Rowland Penny via samba wrote:
> try removing 'winbind use default domain = Yes', I think this could be
> your problem.
>
> Rowland

I've tried; the problem is now present for both domains! Example:

smbclient -k //server/e.blindauer
Domain=[AD] OS=[Windows 6.1] Server=[Samba 4.2.14-SerNet-Debian-11.jessie]
tree connect failed: NT_STATUS_ACCESS_DENIED

in the log:

Adding homes service for user 'AD+e.blindauer' using home directory: '/adhome/e/eb/e.blindauer'
adding home's share [e.blindauer] for user 'AD+e.blindauer' at '/adhome/e/eb/e.blindauer'
smb_pam_start: PAM: Init user: AD+e.blindauer
smb_pam_start: PAM: Init passed for user: AD+e.blindauer
connect to service IPC$ initially as user AD+e.blindauer (uid=49531, gid=9999) (pid 3098)
string_to_sid: SID e.blindauer is not in a valid format
user 'AD+e.blindauer' (from session setup) not permitted to access this share (e.blindauer)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
BLINDAUER Emmanuel
2016-Aug-19 08:35 UTC
[Samba] multiple domain and winbind use default domain
>> [homes]
>> comment = Home Directories
>> valid users = %S

This line is the problem. If I use valid users = %U, users can connect.

What's the difference between %S and %U, and why is %S proposed over %U?

Emmanuel
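The following is an added example, not code from the thread or from Samba: a small Python model of how the [homes] share's `valid users` line is evaluated for the users in this thread, to make the `%S` versus `%U` difference Emmanuel asks about concrete. The only facts it relies on are the smb.conf(5) substitutions (`%U` expands to the session username, `%S` to the name of the current service, i.e. the share) and the log lines quoted above (the homes share is named after the bare username, and `admin.eb` without its `PSI+` prefix is retried in the default domain AD and fails with NT_STATUS_NONE_MAPPED). The account table and the lookup rules are a constructed stand-in for winbind/NSS, and user1's uid is made up.

```python
"""Model of the [homes] 'valid users' check on a domain-member server.

Added example, not Samba code. It reproduces the behaviour reported in the
thread: with 'winbind use default domain = Yes', 'valid users = %S' lets an
AD user in but rejects a PSI user, while 'valid users = %U' works for both.
"""
from typing import Dict, Optional, Tuple

WINBIND_SEPARATOR = "+"   # 'winbind separator = +' in the thread's smb.conf
DEFAULT_DOMAIN = "AD"     # 'workgroup = AD'

# Constructed stand-in for what winbind/NSS can resolve. The uids for
# e.blindauer (49531) and admin.eb (9994) appear in the thread; user1's is made up.
ACCOUNTS: Dict[Tuple[str, str], int] = {
    ("AD", "user1"): 10001,
    ("AD", "e.blindauer"): 49531,
    ("PSI", "admin.eb"): 9994,
}


def lookup_user(name: str, use_default_domain: bool) -> Optional[int]:
    """Resolve 'DOMAIN+user' or a bare 'user' to a uid, winbind-style.

    A domain-qualified name is looked up in that domain. A bare name is only
    tried against the default domain, and only when 'winbind use default
    domain' is on. This mirrors the thread's winbindd log, where the bare
    'admin.eb' is retried as 'AD+admin.eb' and ends in NT_STATUS_NONE_MAPPED.
    """
    if WINBIND_SEPARATOR in name:
        domain, user = name.split(WINBIND_SEPARATOR, 1)
        return ACCOUNTS.get((domain.upper(), user))
    if use_default_domain:
        return ACCOUNTS.get((DEFAULT_DOMAIN, name))
    return None


def expand(template: str, session_user: str, service: str) -> str:
    """Expand the two smb.conf substitutions the thread is about:
    %U = session username, %S = name of the current service (share)."""
    return template.replace("%U", session_user).replace("%S", service)


def homes_share_name(session_user: str) -> str:
    """The auto-created [homes] share is named after the bare username, as the
    log line "adding home's share [admin.eb] for user 'PSI+admin.eb'" shows;
    the domain prefix is not part of the share name."""
    return session_user.split(WINBIND_SEPARATOR, 1)[-1]


def can_connect(session_user: str, valid_users: str,
                use_default_domain: bool = True) -> bool:
    """True if the expanded 'valid users' entry resolves to the connecting
    user, i.e. the tree connect to the homes share would be granted."""
    share = homes_share_name(session_user)
    wanted = expand(valid_users, session_user, share)
    uid = lookup_user(wanted, use_default_domain)
    return uid is not None and uid == lookup_user(session_user, use_default_domain)


if __name__ == "__main__":
    # (session user, valid users template, 'winbind use default domain' on?)
    cases = [
        ("AD+user1", "%S", True),
        ("PSI+admin.eb", "%S", True),
        ("PSI+admin.eb", "%U", True),
        ("AD+e.blindauer", "%S", False),   # Rowland's suggestion: default domain off
        ("AD+e.blindauer", "%U", False),
    ]
    for user, template, default_on in cases:
        verdict = "granted" if can_connect(user, template, default_on) else "NT_STATUS_ACCESS_DENIED"
        print(f"{user:16} valid users = {template}  default domain={default_on!s:5} -> {verdict}")
```

Run it as a script and the table it prints matches the three messages: `%S` expands to the share name, which is the bare username, so the check only succeeds when that bare name happens to be resolvable (the default domain with `winbind use default domain = Yes`); `%U` expands to the domain-qualified session user and resolves in either domain, and it is also the template that keeps working once the default-domain option is removed.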