Martin Decker
2017-Aug-21 15:25 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Dear Rowland,

our windows admin assured me that they have set uidNumber and gidNumber in the range. I have requested screenshots for confirmation.

Now we are one step further: "getent passwd | grep mdecker" now lists the AD account.

mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

With "getent passwd mdecker" however, it shows "NT_STATUS_NO_SUCH_USER".

getent passwd mdecker

winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER

Also not working:

getnet passwd mdecker
getent passwd "MYDOM\\mdecker"

What is working though is when I give the REALM suffix ".ADS":

getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

For "getent group" currently, the issue is: "rejecting getgrsid()", although the group "DOMAIN USERS" was successfully resolved from name to SID.

getent group "MYDOM\\DOMÄNEN-BENUTZER"
wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER -> S-1-5-21-1585417398-3384821309-2524188735-513 (NT_STATUS_OK)
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513: NT_STATUS_NO_SUCH_GROUP

Is there anything else to set up on the Windows side in order for getgrsid to work?

With wbinfo, I can do these successfully:

wbinfo --sid-to-uid "S-1-5-21-1585417398-3384821309-2524188735-13667"
13667
root at solaris1:/# wbinfo --uid-info=13667
mdecker:*:13667:7142::/home/MYDOM/mdecker:/bin/false
...
but "wbinfo -r" does not work:

root at solaris1:/# wbinfo -r mdecker
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user mdecker

Testing access to a Solaris SMB share from Windows reports this error when trying to mount the share:

[2017/08/21 17:19:44.281527, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [mdecker at MYDOM.ADS]
[2017/08/21 17:19:44.281680, 10] auth/user_krb5.c:82(get_user_from_kerberos_info)
  Domain is [MYDOM] (using PAC)
[2017/08/21 17:19:44.281747, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user MYDOM\mdecker
[2017/08/21 17:19:44.281805, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is MYDOM\mdecker
[2017/08/21 17:19:44.283946, 5] lib/username.c:123(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MYDOM\mdecker
[2017/08/21 17:19:44.284685, 5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MYDOM\MDECKER
[2017/08/21 17:19:44.285073, 5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in MYDOM\mdecker
[2017/08/21 17:19:44.285150, 5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mdecker]!
[2017/08/21 17:19:44.285222, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user mdecker
[2017/08/21 17:19:44.285323, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is mdecker
[2017/08/21 17:19:44.285755, 5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MDECKER
[2017/08/21 17:19:44.286128, 5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in mdecker
[2017/08/21 17:19:44.286197, 5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [mdecker]!
[2017/08/21 17:19:44.287762, 1] auth/user_krb5.c:161(get_user_from_kerberos_info)
  Username MYDOM\mdecker is invalid on this system
[2017/08/21 17:19:44.287963, 3] smbd/error.c:77(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Any ideas?

Best regards,
Martin

2017-08-18 17:48 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Fri, 18 Aug 2017 17:32:34 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your feedback. I have changed the parameters, but still
> > no success.
> >
> > winbind use default domain = yes
> > idmap config * : range = 1000000-1999999
> > idmap config MYDOM : range = 100-999999
> >
>
> You are using the winbind 'ad' backend, so do your AD domain users
> have a uidNumber attribute containing a unique number inside the range
> '100-999999' AND does 'Domain Users' have a gidNumber attribute
> containing a number in the same range.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Martin Decker
Rowland Penny
2017-Aug-21 16:15 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
On Mon, 21 Aug 2017 17:25:31 +0200
Martin Decker via samba <samba at lists.samba.org> wrote:

> Dear Rowland,
>
> our windows admin assured me that they have set uidNumber and
> gidNumber in the range. I have requested screenshots for confirmation.
>
> Now we are one step further: "getent passwd | grep mdecker" now lists
> the AD account.
>
> mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
>
> With "getent passwd mdecker" however, it shows
> "NT_STATUS_NO_SUCH_USER".
>
> getent passwd mdecker
>
> winbindd_getpwnam: My domain -- rejecting getpwnam() for
> MYDOM\mdecker. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
>
> Also not working:
>
> getnet passwd mdecker
> getent passwd "MYDOM\\mdecker"
>
> What is working though is when I give the REALM suffix ".ADS"
>
> getent passwd "MYDOM.ADS\\mdecker"
> mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
>

If I run:

getent passwd rowland
getent passwd "SAMDOM\rowland"
getent passwd "SAMDOM.EXAMPLE.COM\rowland"

They all produce the same output:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Let's step back a bit here, is this just one Unix fileserver?
It also looks like you will not be using most of the RFC2307
attributes, just uidNumber & gidNumber.

If this is the case, have you considered the rid backend?
With this, you do not need anything in AD, it uses the RID to calculate
the users or groups ID.

If you change:

idmap config * :backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOM : backend = ad
idmap config MYDOM : range = 100-999999
idmap config MYDOM : schema_mode = rfc2307

To:

idmap config * :backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100-999999

You should get everything to work.
If it does, it proves that the problem is in AD.
If it doesn't, then there must be a problem on your Unix domain member.

Rowland
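The RID-to-ID arithmetic that the rid backend applies, worked through with the domain SID and the idmap ranges quoted in this thread. This is an added illustration, not code from the thread or from Samba itself; it assumes the idmap_rid rule id = rid - base_rid + range_low (base_rid defaulting to 0) and a constructed idmap config mirroring the smb.conf lines above.

```python
import re
from typing import Optional

# Constructed from the smb.conf lines in the thread: the MYDOM domain is
# mapped by the "rid" backend into 100-999999; everything else (BUILTIN,
# well-known SIDs, trusted domains) falls into the "*" tdb range.
IDMAP_CONFIG = {
    "MYDOM": {"backend": "rid", "range": (100, 999999), "base_rid": 0},
    "*":     {"backend": "tdb", "range": (1000000, 1999999)},
}

# Domain SID as it appears in the winbindd output quoted in the thread.
DOMAIN_SIDS = {"MYDOM": "S-1-5-21-1585417398-3384821309-2524188735"}

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def split_sid(sid: str) -> tuple[str, int]:
    """Split a SID into (domain SID, RID); raise ValueError on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    dom, _, rid = sid.rpartition("-")
    return dom, int(rid)

def rid_sid_to_id(sid: str) -> Optional[int]:
    """Map a SID to a Unix ID the way idmap_rid does: id = rid - base_rid + low.
    Returns None when the SID is not in a rid-mapped domain or the result falls
    outside the configured range (winbindd then treats the SID as unmapped)."""
    dom_sid, rid = split_sid(sid)
    for domain, cfg in IDMAP_CONFIG.items():
        if cfg["backend"] != "rid" or DOMAIN_SIDS.get(domain) != dom_sid:
            continue
        low, high = cfg["range"]
        xid = rid - cfg.get("base_rid", 0) + low
        return xid if low <= xid <= high else None
    return None

def rid_id_to_sid(domain: str, xid: int) -> Optional[str]:
    """Reverse mapping: rid = id - low + base_rid, only valid inside the range."""
    cfg = IDMAP_CONFIG[domain]
    low, high = cfg["range"]
    if cfg["backend"] != "rid" or not low <= xid <= high:
        return None
    return f"{DOMAIN_SIDS[domain]}-{xid - low + cfg.get('base_rid', 0)}"

if __name__ == "__main__":
    user_sid = "S-1-5-21-1585417398-3384821309-2524188735-13667"
    print(rid_sid_to_id(user_sid))       # 13767 under range 100-999999
    print(rid_id_to_sid("MYDOM", 13767))  # back to the user SID
```

Note that with this range the user who had uidNumber 13667 under the ad backend becomes uid 13767 under rid, so file ownership on an existing share changes when the backend is switched; check with "wbinfo --sid-to-uid" before and after.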
Martin Decker
2017-Aug-22 09:58 UTC
[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Thanks Rowland and Louis,

after changing from ad to rid, I get all users listed with "getent passwd", not just the ones with uidNumber - which is good.

But "getent passwd MYDOM\\mdecker" still does not resolve.

In addition, no groups are listed with "getent group". Looking at the winbindd debug output, it seems that after trying getgrsid on the very first group "Exchange All Hosted Organizations", it stops retrieving other groups.

    out: struct wbint_QueryGroupList
        groups : *
            groups: struct wbint_Principals
                num_principals : 545
                principals: ARRAY(545)
                    principals: struct wbint_Principal
                        sid : S-1-5-21-1585417398-3384821309-2524188735-2571
                        type : SID_NAME_DOM_GRP (2)
                        name : *
                            name : 'Exchange All Hosted Organizations'
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-2571
getgrent failed: NT_STATUS_NO_SUCH_GROUP
wb_request_done[13813:GETGRENT]: NT_STATUS_NO_SUCH_GROUP
winbind_client_response_written[13813:GETGRENT]: delivered response to client
process_request: Handling async request 13813:ENDGRENT

This is the current smb.conf:

[global]
workgroup = MYDOM
realm = MYDOM.ADS
server string = Samba Server
security = ADS
log level = 1 smb:10 passdb:10 auth:10 winbind:10 idmap:10
log file = /var/samba/log/log.%m
max log size = 50
unix extensions = No
client signing = Yes
local master = No
domain master = No
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
# So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
winbind use default domain = yes
winbind trusted domains only = Yes
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 100-999999
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
inherit permissions = Yes
map acl inherit = Yes
# We do not run NETBIOS
disable netbios = Yes
# Printers
load printers = no

Authentication on Windows to access the share (connect network drive) is still not possible.
getpwnam MDECKER
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\MDECKER. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
wb_request_done[14662:GETPWNAM]: NT_STATUS_NO_SUCH_USER

Authentication with "kinit at MYDOM.ADS" is working.

This is after "net cache flush" and restarting winbind and samba multiple times....

Best regards,
Martin

2017-08-21 18:15 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 21 Aug 2017 17:25:31 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Dear Rowland,
> >
> > our windows admin assured me that they have set uidNumber and
> > gidNumber in the range. I have requested screenshots for confirmation.
> >
> > Now we are one step further: "getent passwd | grep mdecker" now lists
> > the AD account.
> >
> > mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> >
> > With "getent passwd mdecker" however, it shows
> > "NT_STATUS_NO_SUCH_USER".
> >
> > getent passwd mdecker
> >
> > winbindd_getpwnam: My domain -- rejecting getpwnam() for
> > MYDOM\mdecker. Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
> >
> > Also not working:
> >
> > getnet passwd mdecker
> > getent passwd "MYDOM\\mdecker"
> >
> > What is working though is when I give the REALM suffix ".ADS"
> >
> > getent passwd "MYDOM.ADS\\mdecker"
> > mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
> >
>
> If I run:
> getent passwd rowland
> getent passwd "SAMDOM\rowland"
> getent passwd "SAMDOM.EXAMPLE.COM\rowland"
>
> They all produce the same output:
>
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Let's step back a bit here, is this just one Unix fileserver?
> It also looks like you will not be using most of the RFC2307
> attributes, just uidNumber & gidNumber.
>
> If this is the case, have you considered the rid backend?
> With this, you do not need anything in AD, it uses the RID to calculate
> the users or groups ID.
>
> If you change:
>
> idmap config * :backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : backend = ad
> idmap config MYDOM : range = 100-999999
> idmap config MYDOM : schema_mode = rfc2307
>
> To:
> idmap config * :backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 100-999999
>
> You should get everything to work.
> If it does, it proves that the problem is in AD.
> If it doesn't, then there must be a problem on your Unix domain member.
>
> Rowland
>

--
Martin Decker