On Tue, 11 Jul 2017 10:36:08 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> [2017/07/11 10:28:51.553290, 3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
> check_ntlm_password: winbind authentication for user [mueller]
> succeeded
> [2017/07/11 10:28:51.553324, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [mueller] -> [mueller]
> -> [mueller] succeeded
> [2017/07/11 10:28:51.553493, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553518, 3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
> Failed to finalize nt token
> [2017/07/11 10:28:51.553552, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553562, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553601, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553611, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553782, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553808, 3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
> Failed to finalize nt token
> [2017/07/11 10:28:51.553818, 1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.553864, 3]
> ../source3/smbd/error.c:82(error_packet_set)
> NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115
> (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.554117, 3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (failed to receive smb request)
>
> ---
>
> getpwuid(11029) fails, local group 11029 does not exist.
>
> the SID looks like:
>
> # net ads sid
> S-1-5-21-2940660672-4062535256-4144655499-1029
> Got 1 replies
>
> cn: mueller
> instanceType: 4
> whenCreated: 20170524093910.0Z
> uSNCreated: 4231
> name: mueller
> objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
> sAMAccountName: mueller
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
> pwdLastSet: 130414131350000000
> accountExpires: 137303967990000000
> lastLogoff: 137303967990000000
> userAccountControl: 512
> uidNumber: 1070
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/mueller
> loginShell: /bin/bash
> gidNumber: 1070
> msSFU30NisDomain: buero
> lastLogonTimestamp: 131439211510194450
> whenChanged: 20170707171231.0Z
> uSNChanged: 6300
> memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
> lastLogon: 131442246304847030
> logonCount: 14
> distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at
>
> created a local group "rettung" with GID 11029 ... no change

Remove this local Unix group, you cannot have a group (or a user) in AD and /etc/group

> I don't find that 11029 in the SID infos ...

Probably because '11029' isn't a 'RID', it will be a uidNumber.

Try running this on your DC:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub "(&(objectclass=group)(gidnumber=11029))"

Rowland
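
Added example, not part of the thread: a small Python parser that groups smbd debug records and lists each SID whose mapped Unix ID had no passwd entry, the failure that precedes the rejected session setup in the log quoted above. The function names are this example's own, and the sample records are excerpted from that log and laid out as header line plus indented message, which is an assumption about the unwrapped file.

```python
import re

# Samba debug record header: [timestamp, level] source_file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# Logged when a SID maps to a Unix ID that has no passwd entry on this host
GETPWUID_FAIL = re.compile(r"SID (?P<sid>S-1-[\d-]+) -> getpwuid\((?P<uid>\d+)\) failed")

# Records excerpted from the log quoted above (one keeps the mail's line wrap)
SAMPLE = """\
[2017/07/11 10:28:51.553493, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
  getpwuid(11029) failed
[2017/07/11 10:28:51.553782, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
[2017/07/11 10:28:51.553818, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
"""

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "level": int(m["level"]), "msg": ""}
            records.append(current)
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    return records

def unmapped_ids(records):
    """Count failed SID -> Unix ID lookups, keyed by (sid, uid)."""
    hits = {}
    for rec in records:
        m = GETPWUID_FAIL.search(rec["msg"])
        if m:
            key = (m["sid"], int(m["uid"]))
            hits[key] = hits.get(key, 0) + 1
    return hits

def split_sid(sid):
    """Split a SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)
```

Running `unmapped_ids(parse_records(SAMPLE))` gives the SID and Unix ID to look up on the member server and the DC; `split_sid` separates the domain SID from the RID.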
Stefan G. Weichinger
2017-Jul-11 10:05 UTC
[Samba] Samba ADS-member-server: FQDNs in /etc/hosts
On 2017-07-11 at 11:57, Rowland Penny wrote:

> Remove this local Unix group, you cannot have a group (or a user) in AD
> and /etc/group

ok, done

> Probably because '11029' isn't a 'RID', it will be a uidNumber.
>
> Try running this on your DC:
>
> ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> "(&(objectclass=group)(gidnumber=11029))"

# Referral
ref: ldap://secret.at/CN=Configuration,DC=secret,DC=at

# Referral
ref: ldap://secret.at/DC=DomainDnsZones,DC=secret,DC=at

# Referral
ref: ldap://secret.at/DC=ForestDnsZones,DC=secret,DC=at

# returned 3 records
# 0 entries
# 3 referrals

so not there ....
On Tue, 11 Jul 2017 12:05:28 +0200 "Stefan G. Weichinger" <lists at xunil.at> wrote:

> On 2017-07-11 at 11:57, Rowland Penny wrote:
>
> > Remove this local Unix group, you cannot have a group (or a user)
> > in AD and /etc/group
>
> ok, done
>
> > Probably because '11029' isn't a 'RID', it will be a uidNumber.
> >
> > Try running this on your DC:
> >
> > ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub
> > "(&(objectclass=group)(gidnumber=11029))"
>
> # Referral
> ref: ldap://secret.at/CN=Configuration,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=DomainDnsZones,DC=secret,DC=at
>
> # Referral
> ref: ldap://secret.at/DC=ForestDnsZones,DC=secret,DC=at
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> so not there ....

Try running this:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub "(&(objectclass=user)(uidnumber=11029))"

This will check if it is a user.

Can you post the smb.conf from the DM (and the DC)?

Rowland