samba-4.6.8 on both DC and DM.

3 users were created as suggested:

DC # samba-tool user create kamleitnerl Le26xxx --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl --uid-number=10070 --login-shell=/bin/false --gid-number=100

this user can login to a Windows PC, but not access/connect shares.

log for the PC's IP:

[2017/09/25 15:45:10.522051, 1] ../source3/auth/token_util.c:431(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3141 -> getpwuid(10070) failed
[2017/09/25 15:45:10.522091, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/09/25 15:45:10.522120, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_ACCESS_DENIED

on the DM I see the user like:

main # wbinfo -S S-1-5-21-2777655458-4002997014-749295002-3141
10070

but why:

# smbclient -L main -Ukamleitnerl%Le26xxx
session setup failed: NT_STATUS_ACCESS_DENIED

auth works:

# wbinfo -a kamleitnerl%Le26xxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

wrong group?

It is the same as for other users which work.

Hai Stefan,

Can you try the following.
Reboot the server, then reboot the pc, then login with the not working user.
When/If that works, then login and login with the other users try then.

And, I bet you checked it, but must ask, time in sync?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Monday 25 September 2017 16:02
> To: samba
> Subject: [Samba] Domain member server: user access
>
>
> samba-4.6.8 on both DC and DM.
>
> 3 users were created as suggested:
>
> DC # samba-tool user create kamleitnerl Le26xxx
> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> --uid-number=10070 --login-shell=/bin/false --gid-number=100
>
> this user can login to a Windows PC, but not access/connect shares.
>
> log for the PC's IP:
>
> [2017/09/25 15:45:10.522051, 1]
> ../source3/auth/token_util.c:431(add_local_groups)
> SID S-1-5-21-2777655458-4002997014-749295002-3141 ->
> getpwuid(10070) failed
> [2017/09/25 15:45:10.522091, 1]
> ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
> Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
> [2017/09/25 15:45:10.522120, 1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_ACCESS_DENIED
>
>
> on the DM I see the user like:
>
> main # wbinfo -S S-1-5-21-2777655458-4002997014-749295002-3141
> 10070
>
> but why:
>
> # smbclient -L main -Ukamleitnerl%Le26xxx session setup
> failed: NT_STATUS_ACCESS_DENIED
>
> auth works:
>
> # wbinfo -a kamleitnerl%Le26xxx
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> wrong group?
>
> It is the same as for other users which work.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Mon, 25 Sep 2017 16:01:59 +0200 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> samba-4.6.8 on both DC and DM.
>
> 3 users were created as suggested:
>
> DC # samba-tool user create kamleitnerl Le26xxx
> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> --uid-number=10070 --login-shell=/bin/false --gid-number=100
>

Where did you get the GID '100' from?
Is this the gidNumber for Domain Users?

Can you please post the smb.conf from the DC and DM.

Rowland

On 2017-09-25 at 16:24, L.P.H. van Belle via samba wrote:

> Hai Stefan,
>
> Can you try the following.
> Reboot the server, then reboot the pc, then login with the not working user.
> When/If that works, then login and login with the other users try then.

not now, users *work* right now! ;-)

> And, i bet you checked it, but must ask, time in sync?

sure, checked that

-

Recreating the user on the DC made this work now

on DM:

# smbclient -L main -Ukamleitnerl%Le26xxx
OS=[Windows 6.1] Server=[Samba 4.6.8]

	Sharename       Type      Comment
	---------       ----      -------
	Daten           Disk      Daten
	Scans_Plotter   Disk      Scans vom Plotter
	IPC$            IPC       IPC Service (Samba 4.6.8)
...

I am waiting for an OK from the admin there, he checks if shares get connected now on the PC. Right now they have maintenance of their firewall ... takes some time.

--

I don't like those

../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)

they are in several logfiles for other PCs as well (but samba-shares work)

100 is the Debian default for users.
And as far as I remember Stefan uses Debian.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 25 September 2017 16:29
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On Mon, 25 Sep 2017 16:01:59 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> >
> > samba-4.6.8 on both DC and DM.
> >
> > 3 users were created as suggested:
> >
> > DC # samba-tool user create kamleitnerl Le26xxx
> > --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> > --uid-number=10070 --login-shell=/bin/false --gid-number=100
> >
>
> Where did you get the GID '100' from ?
> Is this the gidNumber for Domain Users ?
>
> Can you please post the smb.conf from the DC and DM.
>
> Rowland

On 2017-09-25 at 16:29, Rowland Penny via samba wrote:

>> DC # samba-tool user create kamleitnerl Le26xxx
>> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
>> --uid-number=10070 --login-shell=/bin/false --gid-number=100
>>
>
> Where did you get the GID '100' from ?
> Is this the gidNumber for Domain Users ?

I think so:

# wbinfo --gid-info=100
ARBEITSGRUPPE\domain users:x:100:

?

> Can you please post the smb.conf from the DC and DM.

Sure. We had both in an earlier thread, btw, but here again:

DC:

# samba-tool testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
    netbios name = BACKUP
    realm = ARBEITSGRUPPE.MY.TLD
    workgroup = ARBEITSGRUPPE
    dns forwarder = 10.0.0.254
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /var/lib/samba/sysvol/arbeitsgruppe.my.tld/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

DM:

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Daten]"
Processing section "[Scans_Plotter]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    realm = ARBEITSGRUPPE.MY.TLD
    workgroup = ARBEITSGRUPPE
    log file = /var/log/samba/%m.log
    load printers = No
    printcap name = /dev/null
    security = ADS
    username map = /etc/samba/user.map
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    idmap config arbeitsgruppe:schema_mode = rfc2307
    idmap config arbeitsgruppe:range = 10000-9999999
    idmap config arbeitsgruppe:backend = ad
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb

...

thx, Stefan

On 2017-09-25 at 16:35, L.P.H. van Belle via samba wrote:

> 100 is debian default for users
> And as far i remember stefhan uses debian.

DC: debian 9.1 with Louis' packages, yes.

# apt-cache policy samba
samba:
  Installiert:           2:4.6.8+nmu-1~deb9
  Installationskandidat: 2:4.6.8+nmu-1~deb9
  Versionstabelle:
 *** 2:4.6.8+nmu-1~deb9 500
        500 http://apt.van-belle.nl/debian stretch/main amd64 Packages
        100 /var/lib/dpkg/status

DM: gentoo linux, samba-4.6.8

Arg..

wbinfo --gid-info=100

DC: Confirmed, DOMAIN\Domain Users

Member: Fail.
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 100

But both servers show the same with:
wbinfo -n "NTDOM\domain users"

So imho, report bug if Rowland can confirm this with a samba from source.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Monday 25 September 2017 16:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On 2017-09-25 at 16:29, Rowland Penny via samba wrote:
>
> >> DC # samba-tool user create kamleitnerl Le26xxx
> >> --nis-domain=arbeitsgruppe --unix-home=/home/kamleitnerl
> >> --uid-number=10070 --login-shell=/bin/false --gid-number=100
> >>
> >
> > Where did you get the GID '100' from ?
> > Is this the gidNumber for Domain Users ?
>
> I think so:
>
> # wbinfo --gid-info=100
> ARBEITSGRUPPE\domain users:x:100:
>
> ?
>
> > Can you please post the smb.conf from the DC and DM.
>
> Sure. We had both in an earlier thread, btw, but here again:
>
> DC:
>
> # samba-tool testparm
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> netbios name = BACKUP
> realm = ARBEITSGRUPPE.MY.TLD
> workgroup = ARBEITSGRUPPE
> dns forwarder = 10.0.0.254
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.my.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> DM:
>
> # testparm -s
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows
> limit (16384) Processing section "[Daten]"
> Processing section "[Scans_Plotter]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
> realm = ARBEITSGRUPPE.MY.TLD
> workgroup = ARBEITSGRUPPE
> log file = /var/log/samba/%m.log
> load printers = No
> printcap name = /dev/null
> security = ADS
> username map = /etc/samba/user.map
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-2999
> idmap config * : backend = tdb
>
> ...
>
> thx, Stefan

On Mon, 25 Sep 2017 16:35:52 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> 100 is debian default for users
> And as far i remember stefhan uses debian.
>

Yes, I know that, but I also know that it is usually only used on a DC, is an xidNumber and won't work on a Unix domain member, unless, for some unknown reason, Domain Users is given the gidNumber '100'

Rowland

Looks to me that's what the AD DC does, I think an automapping of Domain users to users.
I can remember if I normally see "domain User"

Now, looking good at my config I say it's a bug, explained below why.

If I look at my "winadmin" user.
( on DC )
id admin
uid=10000(NTDOM\admin) gid=100(users) groups=100(users),3000004(NTDOM\group policy creator owners),10001(NTDOM\domain admins),3000005(NTDOM\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

The member:
uid=10000(admin) gid=10000(domain users) groups=10000(domain users),10001(domain admins),2001(BUILTIN\users),2000(BUILTIN\administrators)

This one is the only correct one.
BUILTIN\users should be mapped to users imo, but let the devs tell us.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 25 September 2017 16:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On Mon, 25 Sep 2017 16:35:52 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > 100 is debian default for users
> > And as far i remember stefhan uses debian.
> >
>
> Yes, I know that, but I also know that it is usually only
> used on a DC, is an xidNumber and wont work on a Unix domain
> member, unless, for some unknown reason, Domain Users id
> given the gidNumber '100'
>
> Rowland

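
Added example, not part of the thread and not Samba code: a check for the gidNumber question discussed above. On a domain member an idmap backend is only authoritative for IDs inside its configured range, so the script tests the uidNumber and gidNumber passed to samba-tool (10070 and 100) against the idmap lines of the DM's posted configuration. The function names are assumptions made for this example.

```python
import re

# The idmap lines of the domain member's `testparm -s` output posted in the thread.
DM_TESTPARM = """\
[global]
    winbind nss info = rfc2307
    idmap config arbeitsgruppe:schema_mode = rfc2307
    idmap config arbeitsgruppe:range = 10000-9999999
    idmap config arbeitsgruppe:backend = ad
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains

def owning_domain(domains, xid):
    """Name of the idmap domain whose range contains xid, or None if none does."""
    for name, entry in domains.items():
        low, high = entry.get("range", (1, 0))  # empty range if none configured
        if low <= xid <= high:
            return name
    return None

def audit(conf_text, ids):
    """Map each label to (id, owning idmap domain or None)."""
    domains = parse_idmap(conf_text)
    return {label: (xid, owning_domain(domains, xid)) for label, xid in ids.items()}

if __name__ == "__main__":
    # uidNumber and gidNumber from the samba-tool user create command in the thread
    for label, (xid, dom) in audit(DM_TESTPARM, {"uidNumber": 10070, "gidNumber": 100}).items():
        print(f"{label}={xid}:", f"in range of {dom}" if dom else "outside every idmap range")
```

Run against a saved copy of `testparm -s` output from the member, the same functions show which IDs no backend on that machine will map.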