BLINDAUER Emmanuel
2016-Aug-19 07:22 UTC
[Samba] multiple domain and winbind use default domain
Hello,

I'm preparing a new fileserver, based on jessie + sernet 4.2.10 packages. The server is bound to a forest, "AD", where user accounts are stored, and a subdomain "PSI" for computers and some local accounts. The Active Directory forest is managed by 2008R2 servers, with rfc2307 attributes filled for accounts.

I'm using "winbind use default domain" because users are also used on linux PC labs.

So currently a user user1 from domain AD can request a ticket and access his share with smbclient -k //server/user1
wbinfo -i user1 gives correct values.

But a user admin.eb from subdomain PSI can't access his share after requesting a ticket.
wbinfo -i admin.eb gives correct value:
PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash

but the smbd logs are saying:

Adding homes service for user 'PSI+admin.eb' using home directory: '/psihome/admin/admin.eb'
adding home's share [admin.eb] for user 'PSI+admin.eb' at '/psihome/admin/admin.eb'
smb_pam_start: PAM: Init passed for user: PSI+admin.eb
smb_pam_account: PAM: Account OK for User: PSI+admin.eb
string_to_sid: SID admin.eb is not in a valid format
user 'PSI+admin.eb' (from session setup) not permitted to access this share (admin.eb)

Looking in log.winbindd, winbindd tries several name searches:

getpwnam psi+admin.eb
getpwnam PSI+admin.eb
getpwnam PSI+admin.eb
lookupname AD+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
lookupname Unix User+admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam admin.eb
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
getpwnam ADMIN.EB
Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED

To be sure I verified the account on the server:
# getent passwd PSI+admin.eb
PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash

It seems that the domain is dropped.
If I add a local user account in /etc/passwd:
admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
it works fine.

Here the smb.conf:

# Global parameters
[global]
workgroup = AD
realm = AD.UNISTRA.FR
server role = member server
security = ADS
map to guest = Bad User
obey pam restrictions = Yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind max domain connections = 100
idmap config psi : range = 5000-9998
idmap config psi : schema_mode = rfc2307
idmap config psi : backend = ad
idmap config ad : schema_mode = rfc2307
idmap config ad : range = 9999-1000000
idmap config ad : default = yes
idmap config ad : backend = ad
idmap config * : range = 3000-4000
idmap config * : backend = tdb2

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No
Rowland Penny
2016-Aug-19 07:46 UTC
[Samba] multiple domain and winbind use default domain
On Fri, 19 Aug 2016 09:22:50 +0200 BLINDAUER Emmanuel via samba <samba at lists.samba.org> wrote:
> Hello
> I'm preparing a new fileserver, based on jessie + sernet 4.2.10
> packages. The server is bound to a forest, "AD", where user accounts
> are stored, and a subdomain "PSI" for computers and some local accounts.
> The Active Directory forest is managed by 2008R2 servers, with
> rfc2307 attributes filled for accounts.
>
> I'm using "winbind use default domain" because users are also used on
> linux PC labs.
>
> So currently a user user1 from domain AD can request a ticket and
> access his share with smbclient -k //server/user1
> wbinfo -i user1 gives correct values.
>
> But a user admin.eb from subdomain PSI can't access his share after
> requesting a ticket.
> wbinfo -i admin.eb gives correct value:
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> but the smbd logs are saying:
>
> Adding homes service for user 'PSI+admin.eb' using home directory:
> '/psihome/admin/admin.eb'
> adding home's share [admin.eb] for user 'PSI+admin.eb' at
> '/psihome/admin/admin.eb'
> smb_pam_start: PAM: Init passed for user: PSI+admin.eb
> smb_pam_account: PAM: Account OK for User: PSI+admin.eb
> string_to_sid: SID admin.eb is not in a valid format
> user 'PSI+admin.eb' (from session setup) not permitted to access
> this share (admin.eb)
>
> Looking in log.winbindd, winbindd tries several name searches:
>
> getpwnam psi+admin.eb
> getpwnam PSI+admin.eb
> getpwnam PSI+admin.eb
> lookupname AD+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> lookupname Unix User+admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam admin.eb
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
> getpwnam ADMIN.EB
> Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED
>
> To be sure I verified the account on the server:
> # getent passwd PSI+admin.eb
> PSI+admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> It seems that the domain is dropped.
> If I add a local user account in /etc/passwd:
> admin.eb:*:9994:5000::/psihome/admin/admin.eb:/bin/bash
>
> it works fine.
>
> Here the smb.conf:
>
> # Global parameters
> [global]
> workgroup = AD
> realm = AD.UNISTRA.FR
> server role = member server
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> kerberos method = secrets and keytab
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 100000
> panic action = /usr/share/samba/panic-action %d
> winbind separator = +
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> winbind max domain connections = 100
> idmap config psi : range = 5000-9998
> idmap config psi : schema_mode = rfc2307
> idmap config psi : backend = ad
> idmap config ad : schema_mode = rfc2307
> idmap config ad : range = 9999-1000000
> idmap config ad : default = yes
> idmap config ad : backend = ad
> idmap config * : range = 3000-4000
> idmap config * : backend = tdb2
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No
>

try removing 'winbind use default domain = Yes', I think this could be your problem.

Rowland
BLINDAUER Emmanuel
2016-Aug-19 08:24 UTC
[Samba] multiple domain and winbind use default domain
On 19/08/2016 at 09:46, Rowland Penny via samba wrote:
> try removing 'winbind use default domain = Yes', I think this could be
> your problem.
>
> Rowland
>

I've tried, the problem is now present for both domains! Example:

smbclient -k //server/e.blindauer
Domain=[AD] OS=[Windows 6.1] Server=[Samba 4.2.14-SerNet-Debian-11.jessie]
tree connect failed: NT_STATUS_ACCESS_DENIED

In the log:

Adding homes service for user 'AD+e.blindauer' using home directory: '/adhome/e/eb/e.blindauer'
adding home's share [e.blindauer] for user 'AD+e.blindauer' at '/adhome/e/eb/e.blindauer'
smb_pam_start: PAM: Init user: AD+e.blindauer
smb_pam_start: PAM: Init passed for user: AD+e.blindauer
connect to service IPC$ initially as user AD+e.blindauer (uid=49531, gid=9999) (pid 3098)
string_to_sid: SID e.blindauer is not in a valid format
user 'AD+e.blindauer' (from session setup) not permitted to access this share (e.blindauer)
create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
BLINDAUER Emmanuel
2016-Aug-19 08:35 UTC
[Samba] multiple domain and winbind use default domain
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S

This line is the problem. If I use valid users = %U, users can connect.
What's the difference between %S and %U, and why is %S proposed over %U?

Emmanuel
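As an added illustration (not from the thread and not Samba's own code), here is a simplified Python model of the [homes] behaviour the logs above show: the auto-created share is named after the bare user part, %S substitutes that share name while %U substitutes the session username, and a bare name only resolves in the default domain when 'winbind use default domain' is on. The account table is constructed; user1's uid is hypothetical, the other uids are the ones quoted in the thread.

```python
SEPARATOR = "+"          # winbind separator = +
DEFAULT_DOMAIN = "AD"    # workgroup = AD

# Constructed account table keyed by (domain, user); it stands in for the
# forest's directory.  user1's uid is hypothetical.
ACCOUNTS = {
    ("AD", "user1"): 10001,
    ("AD", "e.blindauer"): 49531,
    ("PSI", "admin.eb"): 9994,
}

def session_username(domain, user, use_default_domain):
    """Name winbindd hands to smbd at session setup: the default domain's
    prefix is dropped only when 'winbind use default domain' is on."""
    if use_default_domain and domain == DEFAULT_DOMAIN:
        return user
    return f"{domain}{SEPARATOR}{user}"

def lookup_name(name, use_default_domain):
    """Resolve a name the way the winbindd log shows: DOM+user is looked up
    in DOM; a bare name is tried only against the default domain, and only
    when 'winbind use default domain' is on.  None means NONE_MAPPED."""
    if SEPARATOR in name:
        dom, user = name.split(SEPARATOR, 1)
        return ACCOUNTS.get((dom.upper(), user))
    if use_default_domain:
        return ACCOUNTS.get((DEFAULT_DOMAIN, name))
    return None

def homes_share_name(session_user):
    """smbd names the [homes] share after the bare user part
    ("adding home's share [admin.eb] for user 'PSI+admin.eb'")."""
    return session_user.split(SEPARATOR, 1)[-1]

def expand_valid_users(valid_users, session_user):
    """%S is the current service (share) name, %U the session username."""
    share = homes_share_name(session_user)
    return valid_users.replace("%S", share).replace("%U", session_user)

def homes_access_allowed(domain, user, valid_users, use_default_domain):
    """True when the expanded 'valid users' entry maps back to the
    connecting account; False reproduces 'not permitted to access'."""
    session_user = session_username(domain, user, use_default_domain)
    name = expand_valid_users(valid_users, session_user)
    uid = lookup_name(name, use_default_domain)
    return uid is not None and uid == ACCOUNTS[(domain, user)]
```

Running the four situations from the thread through homes_access_allowed reproduces them: user1 with %S passes, admin.eb with %S fails, e.blindauer with %S and the option removed fails, and %U passes in every case.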