Gaeseric Vandal
2018-Jul-25 02:20 UTC
[Samba] Unable to contact active directory or verify claim types
I am running several Solaris 11 file servers with Samba 4.7.6. This is an AD domain, but the domain controllers are Win 2008 R2 and Windows 2012 R2. All users and groups in AD have unix uidNumbers and gidNumbers assigned.

On one file server, I am having problems where some users cannot access files, via Windows, to which they should have access as a group member. For example, the G:\ITDepartment\Project1 directory is owned by me, with the project group of "IT". The file permissions are generally set in Unix for user and group to have rwx access. Some of the users cannot get into the Project1 subdirectory even though I think they can get into the G:\ITDepartment directory. So I don't think it is a problem with Samba ignoring group privileges.

"wbinfo -n" and "wbinfo -s" are able to resolve user names and group names to SIDs and back to names. The "getent passwd" command is showing all users. "getent passwd myname" and "getent passwd MYDOMAIN\myname" both show the same unix UserIDNumber and GroupIDNumber, so no, I am keeping permissions really simple - one owner, one group.

I am typically working from a Windows 7 Pro client, but sometimes I will RDP into one of several Win 2012 R2 servers (either as myself or as an administrator).

If I right click a network folder in Windows 7 (logged in as myself), then select Properties -> Security -> Advanced, the permissions in Windows look AOK. I can select an access entry and click "Change permissions".

If I right click a folder in Win 2012 (logged in as myself or as an admin), then select Properties -> Security -> Advanced, the permissions in Windows look AOK. However, if I select an access entry and click Edit, I get the warning "Unable to contact active directory or verify claim types."

I do NOT see this error message when looking at folder properties on other Samba servers. It seems to be something unique to this one.
I tried querying group lists with "net", which pointed to the max server protocol being a possible factor.

root at weirdserver:~# net groupmember list IT -U Administrator
Enter Administrator's password:
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[127.0.0.1]

root at weirdserver:~# testparm -v
.
server max protocol = SMB3
.

root at okserver:~# net groupmember list IT -U Administrator
Enter Administrator's password:
smb1cli_req_writev_submit: called for dialect[SMB2_10] server[127.0.0.1]

root at okserver:~# testparm -v
.
server max protocol = SMB2
.

I ran into issues in the past with SMB3, specifically between Windows 10 and Samba, so I had switched back to SMB2 as the max. But a few months ago I switched back to SMB3 on this particular server. I don't know if this is related. Appreciate any feedback.
Gaeseric Vandal
2018-Jul-25 02:59 UTC
[Samba] Unable to contact active directory or verify claim types
I set "server min protocol = SMB2" and "server max protocol = SMB2". Which then resulted in the Win 2012 R2 server being unable to access the Samba server as \\weirdserver. But I can access via \\weirdserver.mydomain.com or \\ipaddres.

Logs on the Samba server for that client show "bad SMB2 signing."

[2018/07/24 22:34:19.865792, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2447
[2018/07/24 22:34:19.867152, 3] ../lib/util/access.c:365(allow_access)
  Allowed connection from 192.168.x.x. (192.168.x.x)
[2018/07/24 22:34:19.867325, 3] ../source3/smbd/service.c:595(make_connection_snum)
  Connect path is 'xxxx' for service [users]
[2018/07/24 22:34:19.867420, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2018/07/24 22:34:19.867502, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2018/07/24 22:34:19.867556, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2018/07/24 22:34:19.867918, 2] ../source3/smbd/service.c:841(make_connection_snum)
  192.168.3.225 (ipv4:192.168.3.225:60275) connect to service users initially as user MYDOMAIN\someuser (uid=xxxx, gid=xxx) (pid 6264)
[2018/07/24 22:34:19.868642, 0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2018/07/24 22:34:19.868723, 0] ../lib/util/util.c:515(dump_data)
  [0000] F7 44 6E EC BE 8F A2 B3 5F 45 D0 82 44 7E 3C D1 -Dn-.-- _E-.D~<-
[2018/07/24 22:34:19.868795, 0] ../lib/util/util.c:515(dump_data)
  [0000] 67 29 61 2A 76 DD D8 8E 91 9C 03 D2 E6 A2 51 0F g)a*v--. ...--Q.
[2018/07/24 22:34:19.868862, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2447

Re-enabling "server max protocol = SMB3" didn't help - though I presume this is because the Win 2012 R2 server didn't try to connect with SMB3. I would probably have to reboot, but that isn't an option at the moment. Appreciate any advice.

Thanks

From: Gaeseric Vandal <gaiseric.vandal at gmail.com>
Sent: Tuesday, July 24, 2018 10:20 PM
To: samba at lists.samba.org
Subject: Unable to contact active directory or verify claim types

[...]
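As an added example (not from the thread and not Samba's own code), a small parser for the two-line smbd log records quoted above that attributes each "Bad SMB2 signature" failure to the tree connect logged just before it, so an operator can see which client and user hit the signing mismatch. The log excerpt is constructed from the quoted lines, with placeholder uid/gid values.

```python
import re
from datetime import datetime

# Constructed log excerpt modelled on the smbd lines quoted in the thread.
LOG_SAMPLE = """\
[2018/07/24 22:34:19.867918, 2] ../source3/smbd/service.c:841(make_connection_snum)
  192.168.3.225 (ipv4:192.168.3.225:60275) connect to service users initially as user MYDOMAIN\\someuser (uid=1234, gid=999) (pid 6264)
[2018/07/24 22:34:19.868642, 0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)
  Bad SMB2 signature for message
[2018/07/24 22:34:19.868862, 3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2447
"""

# smbd header line: "[YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+(\S+)\((\w+)\)")
# make_connection_snum message: "<host> (ipv4:<ip>:<port>) connect to service <share> initially as user <user> ..."
CONNECT_RE = re.compile(r"^\s*(\S+) \(ipv4:(\S+?):\d+\) connect to service (\S+) initially as user (\S+)")

def parse_smbd_log(text):
    """Return (timestamp, level, function, message) tuples from smbd's two-line records."""
    records, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), int(m.group(2)), m.group(4))
        elif header:
            records.append(header + (line.strip(),))
            header = None
    return records

def bad_signature_events(records):
    """Attribute each 'Bad SMB2 signature' to the most recent tree connect in the log."""
    last_connect, events = None, []
    for ts, _level, func, msg in records:
        if func == "make_connection_snum":
            m = CONNECT_RE.match(msg)
            if m:
                last_connect = {"client": m.group(2), "service": m.group(3), "user": m.group(4)}
        elif func == "smb2_signing_check_pdu" and msg.startswith("Bad SMB2 signature"):
            events.append(dict(last_connect or {}, ts=ts.isoformat()))
    return events
```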
Rowland Penny
2018-Jul-25 07:37 UTC
[Samba] Unable to contact active directory or verify claim types
On Tue, 24 Jul 2018 22:59:42 -0400 Gaeseric Vandal via samba <samba at lists.samba.org> wrote:

> I set "server min protocol = SMB2" and "server max protocol = SMB2".
>
> Which then resulted in the Win 2012 R2 server being unable to access the Samba server as \\weirdserver. But I can access via \\weirdserver.mydomain.com or \\ipaddres.
>
> Logs on the Samba server for that client show "bad SMB2 signing."
>
> [...]
>
> Re-enabling "server max protocol = SMB3" didn't help - though I presume this is because the Win 2012 R2 server didn't try to connect with SMB3. I would probably have to reboot, but that isn't an option at the moment.
>
> Appreciate any feedback.

You seem to have told us everything except the vital thing: what is in your smb.conf?

Rowland
Rowland Penny
2018-Jul-25 16:44 UTC
[Samba] Unable to contact active directory or verify claim types
On Wed, 25 Jul 2018 12:14:30 -0400 Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:

> My partial smb.conf and nsswitch.conf are as follows. FYI, the user in question is able to access directories via ssh, so the permissions and group membership seem correct - at least on the unix level.
>
> root at weirdserver:~# getent passwd | grep myname
> myname:x:123:999::/home/myname:/bin/bash
> MYDOMAIN\myname:*:123:999:My Name:/home/MYDOMAIN/myname:/bin/false
> root at weirdserver:~#
>
> Rebooting the Win 2012 R2 server did fix the network share access problem caused by changing the max protocol.
>
> Thanks
>
> #smb.conf
>
> [global]
> server min protocol = SMB2
> server max protocol = SMB3
> smb ports = 445
> disable netbios = yes
>
> syslog = 3
> log level=3
>
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> security = ads
> include system krb5 conf = no
> winbind nss info = rfc2307
> kerberos method = system keytab
>
> #ID MAPPING
> idmap config *:backend = tdb
> idmap config *:range = 2000-2999
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 100-1999
>
> name resolve order = host wins bcast
>
> # server string is the equivalent of the NT Description field
> server string = weirdserver
> winbind enum users = Yes
> winbind enum groups = Yes
> domain master = no
> domain logons = no
> wins server = w.z.y.z
> dns proxy = no
>
> #============================ Share Definitions =============================
>
> [dept]
> msdfs root = yes
> path = /Disk1/Dept
> read only = No
> hide special files = Yes
> map archive = No
> inherit permissions = Yes
> inherit acls = Yes
> vfs objects = zfsacl
> nfs4:acedup = merge
> nfs4:chown = yes
> nfs4: mode = special
> map read only = no
> ea support = yes
> store dos attributes = yes
> create mask = 0770
> force create mode = 0600
> directory mask = 0775
> force directory mode = 0600
> zfsacl: acesort = dontcare
>
> Partial /etc/nsswitch.conf
>
> passwd: files ldap winbind
> group: files ldap winbind
> hosts: files dns
>
> On 07/25/18 03:37, Rowland Penny via samba wrote:
> > On Tue, 24 Jul 2018 22:59:42 -0400
> > Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
> >> [...]
> > You seem to have told us everything except the vital thing: what is in your smb.conf?
> >
> > Rowland

First thing I would do is to read man smb.conf and remove any default settings. Secondly, I would ask myself why I have 'ldap' in the nsswitch.conf lines ;-)

Rowland
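As an added checker (not from the thread and not part of Samba), this reads getent passwd output and the idmap ranges from the posted smb.conf, both embedded here as constructed samples copied from the quoted lines, and flags the two things worth noticing in that output: a uid that two NSS entries resolve to (the ldap-plus-winbind double sourcing Rowland hints at, where the first source listed in nsswitch.conf wins) and any DOMAIN\user whose uid falls outside its domain's configured idmap range.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two getent lines in the thread.
GETENT_SAMPLE = """\
myname:x:123:999::/home/myname:/bin/bash
MYDOMAIN\\myname:*:123:999:My Name:/home/MYDOMAIN/myname:/bin/false
"""

# Constructed fragment of the idmap settings posted in the thread.
SMB_CONF_SAMPLE = """\
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:range = 100-1999
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_passwd(text):
    """Parse passwd-style lines; the DOMAIN\\user name form is kept verbatim."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
            entries.append({"name": name, "uid": int(uid), "gid": int(gid), "shell": shell})
    return entries

def uid_collisions(entries):
    """uid -> names, for every uid that more than one NSS entry resolves to."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def parse_idmap_ranges(conf):
    """domain -> (low, high) from 'idmap config DOMAIN:range = low-high' lines."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in map(RANGE_RE.match, conf.splitlines()) if m}

def out_of_range(entries, ranges):
    """DOMAIN\\user entries whose uid lies outside their domain's idmap range."""
    bad = []
    for e in entries:
        if "\\" in e["name"]:
            dom = e["name"].split("\\", 1)[0]
            lo, hi = ranges.get(dom, (1, 0))  # no range configured => never in range
            if not lo <= e["uid"] <= hi:
                bad.append(e["name"])
    return bad
```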