Thomas, David
2019-Mar-29 13:30 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
I have a CentOS 7.6 server with Samba 4.8.3 configured as a member of an AD domain using "ads" security and the "nss" idmap backend.

Clients are unable to access the shares on the server - they repeatedly get asked for their credentials.

The smbd log shows the user authenticating and a mapping from the user's SID to their Unix uid is found. However, it seems that access is denied after Samba attempts and fails to find a mapping from the Domain Users group SID to a gid.

This all works on another server running Samba 4.4.4.

smb.conf:

[global]
        workgroup = TESTDOM
        netbios name = member
        realm = TESTDOM.COM
        security = ads
        username map = /etc/samba/users.map
        idmap config TESTDOM: backend = nss
        idmap config TESTDOM: range = 1000-99999
        idmap config * : backend = tdb
        idmap config * : range = 100000-200000
        winbind use default domain = Yes
        hosts allow = ALL

        log level = 99

[projects]
        comment = Projects
        path = /projects
        read only = no
        create mask = 0775
        directory mask = 0775
        force group = defgrp

Log:

sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[2019/03/28 10:24:24.088770, 10, pid=31159, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
  Adding cache entry with key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-513] and timeout=[Wed Dec 31 19:00:00 1969 EST] (-1553783064 seconds in the past)
[2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
  winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098420, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098443, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098465, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098487, 5, pid=31159, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2019/03/28 10:24:24.098508, 5, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/03/28 10:24:24.098549, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098576, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1209(legacy_sid_to_unixid)
  LEGACY: mapping failed for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098600, 1, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
  sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
[2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
  create_local_token failed: NT_STATUS_NO_SUCH_USER

I have also tried the following settings in the global section (copied from the working server), but get the same result:

        winbind enum users = yes
        winbind enum groups = yes
        use sendfile = Yes
        guest ok = no
        dos filetime resolution = yes
        nt acl support = no
        directory mask = 0775
        follow symlinks = yes
        wide links = yes
        unix extensions = no
        log level = 99
        lanman auth = no
        lm announce = no
        min protocol = NT1
        host msdfs = no

Am I missing something?

Thanks,
David
Rowland Penny
2019-Mar-29 13:59 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
On Fri, 29 Mar 2019 09:30:13 -0400
"Thomas, David via samba" <samba at lists.samba.org> wrote:

> I have a Centos 7.6 server with samba 4.8.3 configured as a member
> of an AD domain using "ads" security and the "nss" idmap backend.
>
> Clients are unable to access the shares on the server - they
> repeatedly get asked for their credentials.
>
> The smbd log shows the user authenticating and a mapping from the
> user's SID to their unix uid is found. However, it seems that access
> is denied after samba attempts and fails to find a mapping from the
> Domain Users group SID to a gid.
>
> This all works on another server running samba 4.4.4.
>
> smb.conf:
>
> [global]
> workgroup = TESTDOM
> netbios name = member
> realm = TESTDOM.COM
> security = ads
> username map = /etc/samba/users.map
> idmap config TESTDOM: backend = nss
> idmap config TESTDOM: range = 1000-99999
> idmap config * : backend = tdb
> idmap config * : range = 100000-200000
> winbind use default domain = Yes
> hosts allow = ALL
>
> log level = 99
>
> [projects]
> comment = Projects
> path = /projects
> read only = no
> create mask = 0775
> directory mask = 0775
> force group = defgrp
>
> Log:
>
> sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[...]
> [2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0),
> real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
> winbind failed to find a gid for sid
> S-1-5-21-11111111-222222222-333333333-513
[...]
> [2019/03/28 10:24:24.098600, 1, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
> sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
> [2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
> create_local_token failed: NT_STATUS_NO_SUCH_USER
>
> I have also tried the following settings in the global section
> (copied from the working server), but get the same result:
[...]
> Am I missing something?
>
> Thanks,
> David

Why are you using a winbind backend that maps Unix users to domain users in an AD domain, when you should be making your AD users into Unix users with a backend like the 'rid' or 'ad' ones?

As for your problem, is winbind running?

Rowland
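The failing lookup in David's log above can be cross-checked against the idmap configuration without touching the server. The script below is an added example and not part of the thread or of Samba: it parses the smb.conf idmap blocks and the smbd log, identifies the unmapped SID's RID (513 is the well-known RID of Domain Users), names the backend that was responsible for it, and lists the commands to run next on the member server. The smb.conf fragment and log excerpt are constructed from the post; the `domain="TESTDOM"` parameter is an assumption, since the log shows only the SID and not which idmap block winbind consulted. Two facts from the man pages are relied on: idmap_rid(8) assigns ID = RID + low end of the configured range (shown here for comparison with the 'rid' backend Rowland mentions), and idmap_nss(8) maps a SID by resolving it to a name through winbind and then looking that name up in NSS, so with the nss backend a group of exactly that name must exist in /etc/group or another NSS source.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Well-known RIDs of the built-in domain groups (513 is Domain Users).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# Constructed smb.conf fragment carrying the idmap settings from the post.
SMB_CONF = """[global]
   workgroup = TESTDOM
   idmap config TESTDOM: backend = nss
   idmap config TESTDOM: range = 1000-99999
   idmap config * : backend = tdb
   idmap config * : range = 100000-200000
"""

# Constructed log excerpt, reduced to the lines that matter for idmap triage.
SMBD_LOG = """sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[2019/03/28 10:24:24.098383, 10, pid=31159] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
  winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098600,  1, pid=31159] ../source3/auth/token_util.c:1024(create_token_from_sid)
  sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)",
                      re.IGNORECASE | re.MULTILINE)
UID_OK_RE = re.compile(r"sid (S-1-5-21-\d+-\d+-\d+)-(\d+) -> uid (\d+)")
GID_FAIL_RE = re.compile(r"winbind failed to find a gid for sid (S-1-5-21-\d+-\d+-\d+)-(\d+)")


@dataclass
class Finding:
    sid: str
    rid: int
    kind: str                      # "uid_mapped" or "gid_unmapped"
    unix_id: Optional[int]         # uid winbind returned, None when the lookup failed
    name: Optional[str]            # well-known group name for the RID, if any
    backend: Optional[str]         # idmap backend configured for the SID's domain
    rid_backend_id: Optional[int]  # what idmap_rid would assign: RID + low end of range


def parse_idmap_config(conf: str) -> dict:
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    cfg = {}
    for domain, key, value in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(domain.upper(), {})
        if key.lower() == "backend":
            entry["backend"] = value.lower()
        else:
            low, high = value.split("-")
            entry["range"] = (int(low), int(high))
    return cfg


def triage(log: str, conf: str, domain: str = "TESTDOM") -> list:
    """Pair idmap messages from an smbd log with the idmap block for `domain`.
    `domain` is an assumption: the log shows only the SID, not which smb.conf
    idmap block winbind consulted, so the caller names it ('*' is the fallback)."""
    cfg = parse_idmap_config(conf)
    entry = cfg.get(domain.upper()) or cfg.get("*", {})
    backend = entry.get("backend")
    low = entry.get("range", (None, None))[0]

    def finding(dom_sid, rid, kind, unix_id):
        return Finding(f"{dom_sid}-{rid}", rid, kind, unix_id, WELL_KNOWN_RIDS.get(rid),
                       backend, None if low is None else low + rid)

    found = [finding(m.group(1), int(m.group(2)), "uid_mapped", int(m.group(3)))
             for m in UID_OK_RE.finditer(log)]
    found += [finding(m.group(1), int(m.group(2)), "gid_unmapped", None)
              for m in GID_FAIL_RE.finditer(log)]
    return found


def next_checks(f: Finding) -> list:
    """Commands to run on the member server for a SID winbind could not map to a gid."""
    if f.kind != "gid_unmapped":
        return []
    cmds = [f"wbinfo --sid-to-name {f.sid}", f"wbinfo --sid-to-gid {f.sid}"]
    if f.backend == "nss":
        # idmap_nss turns the SID into a name via winbind and then asks NSS for that
        # name, so a group of exactly that name must exist in /etc/group (or another
        # NSS source); check it with getent using the name wbinfo printed.
        cmds.append('getent group "<name printed by wbinfo --sid-to-name>"')
    return cmds


if __name__ == "__main__":
    for f in triage(SMBD_LOG, SMB_CONF):
        print(f, next_checks(f))
```

For the posted log the script reports RID 1262 mapped to uid 1093 through the nss backend, and RID 513 (Domain Users) with no gid through the same backend; had the TESTDOM block used idmap_rid with the same 1000-99999 range, 513 would have become gid 1513. The script only parses; whether a group named as winbind names S-...-513 actually exists in NSS on the member server is the check to run there with the listed wbinfo and getent commands.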
Thomas, David
2019-Mar-29 16:19 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
Rowland,

On 3/29/2019 9:59 AM, Rowland Penny via samba wrote:
> Why are you using a winbind backend that maps Unix users to domain
> users in an AD domain, when you should be making your AD users into
> Unix users with a backend like the 'rid' or 'ad' ones?
>
> As for your problem, is winbind running?

Yes, winbind is running.

Thanks for getting me to reconsider the 'rid' or 'ad' backends, but I don't think they work in my situation. I have been using the nss backend because:

- On the server where I am setting up Samba, I have existing Unix users with existing uids and associated data on the file server.
- There is no usable uid information in the AD.
- I have no permissions to modify the AD to set up user information.

I understood that the nss backend was intended for this situation. It worked on another server set up the same way but running Samba 4.4.4.

Thanks,
David.