Arne Zachlod
2018-Feb-14 18:05 UTC
[Samba] getpwuid failed for single user on single file share
Hello,

I have a problem with my samba installation I cannot get my head around; maybe some of you have a good idea about what is going on.

I have a file share called "adfs02" and an AD DC called "addc02" in the same site. The error occurs only with this one user, and it worked until the last password change of that user two days ago.

Here are the outputs of my test case (both done on adfs02):

root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

root@magneto:~# smbclient -L localhost -U arne@int.domain
Enter arne@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
...

root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
...

So, as we can see, the broken user is only broken on the domain member, but not on the AD DC. How can that be? I tried deleting /var/lib/samba/wimbindd_cache.tdb, but it didn't change anything. I also checked all the DCs with "samba-tool checkdb", but no errors were detected.

The configs of both addc02 and adfs02 are attached to this mail.

I would greatly appreciate any help or ideas.

Arne

-------------- next part --------------
[global]
        netbios name = ADFS02
        security = ADS
        workgroup = DOMAIN
        realm = INT.DOMAIN
        logfile = /var/log/samba/%m.log
        log level = 1

        # Default idmap config used for BUILTIN and local windows accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # idmap config for domain DOMAIN
        idmap config DOMAIN:backend = ad
        idmap config DOMAIN:schema_mode = rfc2307
        idmap config DOMAIN:range = 10000-99999

        # Use settings from AD for login shell and home directory
        winbind nss info = rfc2307
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = yes

        # fileshare options
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes

# test share
[test]
        path = /srv/samba/test
        read only = no

-------------- next part --------------
# Global parameters
[global]
        workgroup = DOMAIN
        realm = int.domain
        netbios name = ADDC02
        server role = active directory domain controller
        server signing = Auto
        dns forwarder = 10.2.1.1
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/int.domain/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
Rowland Penny
2018-Feb-14 18:46 UTC
[Samba] getpwuid failed for single user on single file share
On Wed, 14 Feb 2018 19:05:34 +0100
Arne Zachlod via samba <samba@lists.samba.org> wrote:

> Hello,
>
> I have a problem with my samba installation I cannot get my head
> around; maybe some of you have a good idea about what is going on.
>
> I have a file share called "adfs02" and an AD DC called "addc02" in
> the same site. The error occurs only with this one user, and it
> worked until the last password change of that user two days ago.
>
> Here are the outputs of my test case (both done on adfs02):
>
> root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
> Enter brokenuser@int.domain's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
>
> root@magneto:~# smbclient -L localhost -U arne@int.domain
> Enter arne@int.domain's password:
> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
> ...
>
> root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
> Enter brokenuser@int.domain's password:
> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
> ...
>
> So, as we can see, the broken user is only broken on the domain
> member, but not on the AD DC. How can that be? I tried deleting
> /var/lib/samba/wimbindd_cache.tdb, but it didn't change anything.
> I also checked all the DCs with "samba-tool checkdb", but no errors
> were detected.
>

I take it that the DC's real name is 'magneto' (HINT: if you are going to sanitize things, please be consistent).

If you run 'smbclient -L adfs02.int.becit.de -U brokenuser@int.domain' on 'adfs02', does this work?

Does 'getent passwd brokenuser' produce any output when run on 'adfs02'?

Have you tried changing the password again?

Rowland
Arne Zachlod
2018-Feb-14 19:43 UTC
[Samba] getpwuid failed for single user on single file share
On 02/14/2018 07:46 PM, Rowland Penny via samba wrote:
> On Wed, 14 Feb 2018 19:05:34 +0100
> Arne Zachlod via samba <samba@lists.samba.org> wrote:
>
>> Hello,
>>
>> I have a problem with my samba installation I cannot get my head
>> around; maybe some of you have a good idea about what is going on.
>>
>> I have a file share called "adfs02" and an AD DC called "addc02" in
>> the same site. The error occurs only with this one user, and it
>> worked until the last password change of that user two days ago.
>>
>> Here are the outputs of my test case (both done on adfs02):
>>
>> root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
>> Enter brokenuser@int.domain's password:
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>> root@magneto:~# smbclient -L localhost -U arne@int.domain
>> Enter arne@int.domain's password:
>> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
>> ...
>>
>> root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
>> Enter brokenuser@int.domain's password:
>> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
>> ...
>>
>> So, as we can see, the broken user is only broken on the domain
>> member, but not on the AD DC. How can that be? I tried deleting
>> /var/lib/samba/wimbindd_cache.tdb, but it didn't change anything.
>> I also checked all the DCs with "samba-tool checkdb", but no errors
>> were detected.
>>
>
> I take it that the DC's real name is 'magneto' (HINT: if you are going
> to sanitize things, please be consistent).

Yes, I did overlook that, damn.

> If you run 'smbclient -L adfs02.int.becit.de -U brokenuser@int.domain'
> on 'adfs02', does this work?

No, same error:

root@adfs02:~# smbclient -L adfs02.int.domain -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

But I forgot the most important part: in /var/log/samba/__1.log on adfs02 it says:

[2018/02/14 18:51:29.614082, 1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-456140246-2344957557-3140247660-1174 -> getpwuid(10026) failed
[2018/02/14 18:51:29.614128, 1] ../source3/smbd/sesssetup.c:282(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL

> Does 'getent passwd brokenuser' produce any output when run on 'adfs02'?

root@adfs02:~# getent passwd brokenuser
brokenuser:*:10026:10000::/home/brokenuser:/bin/sh

> Have you tried changing the password again?

I don't know exactly what the user did, but I changed the password afterwards (as in after the bug report) and it works on our other file shares, just not on adfs02.

Arne
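The log line Arne posted says smbd could map the user's SID to uid 10026 but then could not turn that uid back into a passwd entry, while 'getent passwd brokenuser' (a lookup by name) succeeds. Those are two different paths through winbind's NSS module: getpwuid() goes uid -> SID -> name, so the check that matches smbd's failure is a lookup by uid. The script below is an added example, not code from the thread or from the Samba project. It extracts the SID/uid pairs from "getpwuid(N) failed" log lines (the two lines from the thread are embedded as a constructed sample), tells you which idmap range of the posted adfs02 smb.conf the uid falls into, and, when run on a domain member that has wbinfo and winbind available, walks the uid -> SID -> name chain and the uid-based NSS lookup. The wbinfo flags used (-U, -s) are the standard uid-to-SID and SID-to-name options.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): follow the uid resolution path that
# smbd's getpwuid() depends on, starting from the posted log lines.
# Constructed input: the two smbd log lines from the thread, reproduced as a
# sample; the idmap ranges are the ones in the posted adfs02 smb.conf.

SAMPLE_LOG='[2018/02/14 18:51:29.614082,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-456140246-2344957557-3140247660-1174 -> getpwuid(10026) failed
[2018/02/14 18:51:29.614128,  1] ../source3/smbd/sesssetup.c:282(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL'

DEFAULT_RANGE='2000-9999'     # idmap config *:range      (tdb backend)
DOMAIN_RANGE='10000-99999'    # idmap config DOMAIN:range (ad backend, rfc2307)

# failed_getpwuid: read smbd log text on stdin, print "SID UID" for every
# "SID ... -> getpwuid(N) failed" line.
failed_getpwuid() {
    sed -n 's/.*SID \(S-[0-9-]*\) -> getpwuid(\([0-9][0-9]*\)) failed.*/\1 \2/p'
}

# in_idmap_range UID LOW-HIGH: succeed if UID lies inside an smb.conf idmap range.
in_idmap_range() {
    uid=$1
    low=${2%-*}
    high=${2#*-}
    if [ "$uid" -ge "$low" ] && [ "$uid" -le "$high" ]; then
        return 0
    fi
    return 1
}

# classify_uid UID: name the idmap range a uid falls in, or "none".
classify_uid() {
    if in_idmap_range "$1" "$DOMAIN_RANGE"; then
        echo "DOMAIN"
    elif in_idmap_range "$1" "$DEFAULT_RANGE"; then
        echo "default"
    else
        echo "none"
    fi
}

# check_uid UID: the live part, for a domain member with winbind running.
# smbd's getpwuid() goes uid -> SID -> name through winbind's NSS module, so
# the lookup by uid is what matters, not a lookup by name as in
# 'getent passwd brokenuser'.
check_uid() {
    uid=$1
    if ! command -v wbinfo >/dev/null 2>&1; then
        echo "wbinfo not available on this host; skipping live winbind checks"
        return 0
    fi
    if sid=$(wbinfo -U "$uid" 2>/dev/null); then
        echo "winbind: uid $uid -> $sid"
        if name=$(wbinfo -s "$sid" 2>/dev/null); then
            echo "winbind: $sid -> $name"
        else
            echo "winbind: cannot resolve $sid to a name (SID -> name lookup failed)"
        fi
    else
        echo "winbind: no uid -> SID mapping for $uid (idmap backend lookup failed)"
    fi
    if getent passwd "$uid" >/dev/null 2>&1; then
        echo "nss: getent passwd $uid succeeds"
    else
        echo "nss: getent passwd $uid FAILS; this is what smbd reports as getpwuid($uid) failed"
    fi
    return 0
}

# Demo run over the constructed log excerpt.
printf '%s\n' "$SAMPLE_LOG" | failed_getpwuid | while read -r sid uid; do
    echo "log: $sid -> uid $uid could not be resolved by getpwuid()"
    echo "idmap range for uid $uid: $(classify_uid "$uid")"
    check_uid "$uid"
done
```

Run it on the domain member as root; for a real log, replace the sample with something like 'failed_getpwuid < /var/log/samba/__1.log'. Comparing 'getent passwd 10026' (by uid) with 'getent passwd brokenuser' (by name) on the affected member is the quickest way to tell whether the problem is in the uid -> SID step of the ad idmap backend or in the name lookup, which the thread shows is working.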