I am googling around for an issue and can't figure it out so far.

Status:

2 Debian 9.3 ADCs with samba-4.6.12 each.

1 Gentoo Samba Domain Member server "main", Samba version 4.5.15 (we
downgraded because of another issue a month ago or so).

*one* AD user is able to log into his Windows10 PC, but doesn't get a
network share connected.

If I test that from the DM server or the DCs via smbclient it fails as well.

main # smbclient -L main -U kamleitnerl%hispw
session setup failed: NT_STATUS_UNSUCCESSFUL

maybe https://bugzilla.samba.org/show_bug.cgi?id=10604, I am not sure.

---

log on main:

Processing section "[global]"
doing parameter security = ADS
doing parameter workgroup = ARBEITSGRUPPE
doing parameter realm = arbeitsgruppe.hidden-tld.at
doing parameter log file = /var/log/samba/%m.log
doing parameter log level = 4
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 2000-3999
doing parameter idmap config ARBEITSGRUPPE:backend = ad
doing parameter idmap config ARBEITSGRUPPE:range = 10000-9999999
doing parameter idmap config ARBEITSGRUPPE:schema_mode = rfc2307
doing parameter winbind nss info = rfc2307
doing parameter username map = /etc/samba/user.map
doing parameter winbind use default domain = Yes
doing parameter winbind refresh tickets = Yes
doing parameter load printers = No
doing parameter printcap name = /dev/null
doing parameter vfs objects = acl_xattr
doing parameter map acl inherit = yes
doing parameter store dos attributes = yes
[2018/01/16 14:59:47.785383, 2] ../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Daten]"
doing parameter comment = Daten
doing parameter path = /mnt/daten
doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
doing parameter read only = No
doing parameter create mask = 0660
doing parameter directory mask = 0770
[2018/01/16 14:59:47.785477, 2] ../source3/param/loadparm.c:2685(lp_do_section)
  Processing section "[Scans_Plotter]"
doing parameter comment = Scans vom Plotter
doing parameter path = /mnt/daten/Allgemeines/_Scans/Plotter
doing parameter valid users = @"ARBEITSGRUPPE\\domain users"
doing parameter read only = No
doing parameter create mask = 0660
doing parameter directory mask = 0770
[2018/01/16 14:59:47.785568, 4] ../source3/param/loadparm.c:3780(lp_load_ex)
  pm_process() returned Yes
[2018/01/16 14:59:47.785588, 3] ../source3/param/loadparm.c:1585(lp_add_ipc)
  adding IPC service
[2018/01/16 14:59:47.786003, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072) failed
[2018/01/16 14:59:47.786025, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2018/01/16 14:59:47.786035, 1] ../source3/auth/auth_generic.c:172(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2018/01/16 14:59:47.786082, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/01/16 14:59:47.786504, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786528, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786538, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786549, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/01/16 14:59:47.786663, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

-

main # wbinfo --sid-to-uid S-1-5-21-2777655458-4002997014-749295002-3147
10072

(works)

main # wbinfo -i kamleitnerl
kamleitnerl:*:10072:10513::/home/kamleitnerl:/bin/false

(works)

We created a 2nd user kamleitnerl2, with this user things work (but we need
the 1st one to be able to keep the Windows profile etc)

-

for reference: smb.conf of DM:

[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.hidden-tld.at
log file = /var/log/samba/%m.log
log level = 4

idmap config * : backend = tdb
idmap config * : range = 2000-3999

idmap config ARBEITSGRUPPE:backend = ad
idmap config ARBEITSGRUPPE:range = 10000-9999999

# until 4.6.0
idmap config ARBEITSGRUPPE:schema_mode = rfc2307
winbind nss info = rfc2307
# new parameter:
# idmap config ARBEITSGRUPPE:unix_nss_info = yes

username map = /etc/samba/user.map

winbind use default domain = Yes
winbind refresh tickets = Yes

load printers = No
printcap name = /dev/null

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

-

Additional info:

same user worked fine until today

we restarted the DCs and winbindd on DM ... killed smbd etc etc
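A triage helper for the failure chain in this log, added here as an example and not part of the original post. The log shows the layering: winbind resolves the SID to uid 10072 (both wbinfo calls work), but smbd's getpwuid() lookup of that uid through NSS fails, so the NT token cannot be finalized and the session setup is refused with ACCESS_DENIED. The script pulls the SID/uid pairs out of the "getpwuid(...) failed" lines and checks whether NSS returns a passwd entry for the uid winbind hands back, which is exactly the gap a stale winbind cache leaves. The embedded log lines and passwd entry are constructed from this post; the function names and the live triage_log helper are this example's own, and only triage_log calls the real wbinfo and getent tools.

```shell
#!/bin/sh
# Added example (not from the thread): triage "SID -> getpwuid(N) failed"
# in a Samba domain-member smbd log. Winbind answers the SID->uid mapping
# but NSS cannot resolve the uid, so smbd never finalizes the token.

# Extract unique "SID UID" pairs from add_local_groups failures in a log file.
extract_getpwuid_failures() {
    sed -n 's/.*SID \(S-1-5-[0-9-]*\) -> getpwuid(\([0-9]*\)) failed.*/\1 \2/p' "$1" | sort -u
}

# Compare winbind's SID->uid answer with the NSS passwd entry for that uid.
# Returns 0 (consistent), 1 (NSS has no entry: the thread's failure),
# 2 (NSS entry carries a different uid than winbind reported).
check_idmap_consistency() {
    sid=$1; wb_uid=$2; nss_entry=$3
    if [ -z "$nss_entry" ]; then
        echo "FAIL: winbind maps $sid to uid $wb_uid but NSS returns nothing (getpwuid fails)"
        return 1
    fi
    nss_uid=$(printf '%s' "$nss_entry" | cut -d: -f3)
    if [ "$nss_uid" != "$wb_uid" ]; then
        echo "FAIL: winbind says uid $wb_uid, NSS passwd entry says uid $nss_uid"
        return 2
    fi
    echo "OK: $sid -> uid $wb_uid resolvable through NSS"
    return 0
}

# Live run against a real log: query winbind and NSS for every failing pair.
# Needs wbinfo and getent; the offline demo below does not call it.
triage_log() {
    extract_getpwuid_failures "$1" | while read -r sid uid; do
        if ! wb_uid=$(wbinfo --sid-to-uid "$sid" 2>/dev/null); then
            echo "FAIL: winbind cannot map $sid at all (check idmap config / winbindd)"
            continue
        fi
        check_idmap_consistency "$sid" "$wb_uid" "$(getent passwd "$uid" 2>/dev/null)"
    done
}

# Offline demo with log lines constructed from the thread.
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
[2018/01/16 14:59:47.786003, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2777655458-4002997014-749295002-3147 -> getpwuid(10072) failed
[2018/01/16 14:59:47.786025, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
EOF
echo "failing SID/uid pairs:"
extract_getpwuid_failures "$demo_log"
# State in the thread: winbind resolves the SID, NSS returns no entry.
check_idmap_consistency S-1-5-21-2777655458-4002997014-749295002-3147 10072 "" || true
# State after the cache flush: the same uid resolves through NSS again.
check_idmap_consistency S-1-5-21-2777655458-4002997014-749295002-3147 10072 \
    "kamleitnerl:*:10072:10513::/home/kamleitnerl:/bin/false"
rm -f "$demo_log"
```

Run triage_log /var/log/samba/<client>.log on the member server to apply the same checks to a live log; a FAIL with return code 1 says the problem sits between winbind and NSS (cache, nsswitch.conf, or the idmap backend answering wbinfo but not the NSS module), not in the share configuration.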
On 2018-01-16 at 15:20, Stefan G. Weichinger via samba wrote:

> same user worked fine until today

net cache flush on the DM made smbclient work again ... admin there tests
from Windows now
Hi Stefan,

> I am googling around for an issue and can't figure it out so far.
>
> Status:
>
> 2 Debian 9.3 ADCs with samba-4.6.12 each.
>
> 1 Gentoo Samba Domain Member server "main",
> Samba version 4.5.15 (we downgraded because of another issue a month ago
> or so).
>
> *one* AD user is able to log into his Windows10 PC, but doesn't get a
> network share connected.

when you specify win10, do you mean that it works properly for that same
user on a win7 workstation?

> If I test that from the DM server or the DCs via smbclient it fails as well.
>
> main # smbclient -L main -U kamleitnerl%hispw
> session setup failed: NT_STATUS_UNSUCCESSFUL

If you want to reproduce the same behavior as your workstation, you should
first kinit and then smbclient with -k:

kinit kamleitnerl
smbclient -k -L main

And by the way, until 4.7, smbclient was limited to SMB1 because of unix
extensions. If you want to have a better simulation, you should also change
the "client max protocol" parameter.

Cheers,

Denis

> maybe https://bugzilla.samba.org/show_bug.cgi?id=10604, I am not sure.
-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
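The reproduction Denis describes, written out as a script that is an added example and not his or the Samba project's code. It obtains the ticket into a private credential cache (KRB5CCNAME) so the test does not replace the TGT in the invoking user's default cache, runs smbclient once with the Kerberos ticket (-k) and once with the password login (-U user) that the original test used, raises "client max protocol" above smbclient's pre-4.7 SMB1 default, and classifies the "session setup failed: NT_STATUS_..." output so the two auth paths can be compared side by side. The host, user and protocol values are the thread's; the function names are this example's own, and nothing contacts a server unless run_session_test is called.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a workstation-style
# session setup against the domain member with Kerberos and SMB2/SMB3,
# next to the NTLM password login, and classify smbclient's answer.

# Print the smbclient command for one auth mode: "krb" uses the ticket
# in the current credential cache (-k), "ntlm" logs in with user/password
# (smbclient prompts for the password when none is given after %).
smbclient_cmd() {
    mode=$1; server=$2; user=$3; proto=$4
    case $mode in
        krb)  echo "smbclient -k -L $server --option='client max protocol=$proto'" ;;
        ntlm) echo "smbclient -U $user -L $server --option='client max protocol=$proto'" ;;
        *)    echo "unknown mode: $mode" >&2; return 2 ;;
    esac
}

# Classify smbclient's output: returns 0 when the session was set up,
# 1 when it failed, printing the NT_STATUS code that smbclient reported.
classify_output() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*session setup failed: \(NT_STATUS_[A-Z_]*\).*/\1/p')
    if [ -n "$status" ]; then
        echo "session setup failed with $status"
        return 1
    fi
    echo "session setup succeeded"
    return 0
}

# Live run: ticket into a private cache, then Kerberos and NTLM session
# setups with the same user. Needs kinit and smbclient; prompts twice.
run_session_test() {
    user=$1; server=$2; proto=${3:-SMB3}
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit "$user" || return 1
    out=$(eval "$(smbclient_cmd krb "$server" "$user" "$proto")" 2>&1)
    echo "kerberos: $(classify_output "$out")"
    out=$(eval "$(smbclient_cmd ntlm "$server" "$user" "$proto")" 2>&1)
    echo "ntlm:     $(classify_output "$out")"
    kdestroy
    rm -f "${KRB5CCNAME#FILE:}"
}

# Offline demo: the commands the live run would execute, and the
# classification of the exact line the original post reported.
smbclient_cmd krb main kamleitnerl SMB3
smbclient_cmd ntlm main kamleitnerl SMB3
classify_output "session setup failed: NT_STATUS_UNSUCCESSFUL" || true
```

Because the ticket lives in its own cache, running this as root on the member server does not disturb whatever ticket root (or winbind) already holds; a Kerberos FAIL next to an NTLM OK points at the PAC-to-token path the log above shows, while both failing points back at the winbind/NSS side.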
On 2018-01-16 at 15:47, Denis Cardon wrote:

>> *one* AD user is able to log into his Windows10 PC, but doesn't get a
>> network share connected.
>
> when you specify win10, do you mean that it works properly for that same
> user on a win7 workstation?

No. No win7 tested.

>> If I test that from the DM server or the DCs via smbclient it fails as
>> well.
>>
>> main # smbclient -L main -U kamleitnerl%hispw
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> If you want to reproduce the same behavior as your workstation, you
> should first kinit and then smbclient with -k:
> kinit kamleitnerl
> smbclient -k -L main

Ah, I see ... Does every kinit change the current user context for the
following "smbclient -k"?

As mentioned, "net cache flush" made it work again. Unsure what the reason
was, though!

> And by the way, until 4.7, smbclient was limited to SMB1 because of unix
> extensions. If you want to have a better simulation, you should also
> change the "client max protocol" parameter.

Unfortunately Gentoo Linux doesn't bring me samba-4.7 as a "stable" package;
in their portage package system they provide 4.5.10 as stable and 4.6 and
4.7 as unstable. So I have to decide whether to stay with stable packages in
terms of Gentoo or in terms of the upstream Samba project. And this in the
context of having the DCs on Debian, with LPH packages ... always difficult
for me to decide between "latest release" and "stable environment".