On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
> No need to be sorry - most likely I'll the whole setup from scratch.

Did so (I am following a script by now, so it does not take too
long), but I feel more and more lost - there must be always
something different I do wrong:

Now I configured DNS the other way round, pointing every host to the
DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
the world. Problem is that DC does not forward anything (no packets
are leaving the controller on port 53) and answers all external
questions with an empty result set. Is there anything I could have
missed?

And another annoying issue popped up:

At the fileserver I can wbinfo(1) my test account by name and by
uid, I can chown(1) files to it, I can even su(1) or ssh(1) to it
and work at the CLI. But if I want to connect to a share:

| ~# smbclient //herakles/profiles/ -Utest
| Enter SYNTHESIS\test's password:
| session setup failed: NT_STATUS_ACCESS_DENIED

The log file contains:

| [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
| Found account name from PAC: test [Max Mustermann]
| [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
| Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
| [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
| get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
| [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
| auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
| [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
| smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
| [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
| Server exit (NT_STATUS_END_OF_FILE)

How can the username be "invalid", if I can use it for anything else?

The debug info is at <http://froehlich.priv.at/www/samba/> again.

Bye,
Stefan

--
Mood with Stefan, steadfast and silly!
Sloganizer, https://www.poetron-zone.de/

On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via samba wrote:
>> No need to be sorry - most likely I'll the whole setup from scratch.
> Did so (I am following a script by now, so it does not take too
> long), but I feel more and more lost - there must be always
> something different I do wrong:

Can I see your script?

You may be doing something wrong.

>
> Now I configured DNS the other way round, pointing every host to the
> DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
> the world. Problem is that DC does not forward anything (no packets
> are leaving the controller on port 53) and answers all external
> questions with an empty result set. Is there anything I could have
> missed?

Which dns server are you using?

>
>
> And another annoying issue popped up:
>
> At the fileserver I can wbinfo(1) my test account by name and by
> uid, I can chown(1) files to it, I can even su(1) or ssh(1) to it
> and work at the CLI. But if I want to connect to a share:
>
> | ~# smbclient //herakles/profiles/ -Utest
> | Enter SYNTHESIS\test's password:
> | session setup failed: NT_STATUS_ACCESS_DENIED
>
> The log file contains:
>
> | [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> | Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> | Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> | get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> | auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> | smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> | [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
> | Server exit (NT_STATUS_END_OF_FILE)
>
> How can the username be "invalid", if I can use it for anything else?
>
> The debug info is at <http://froehlich.priv.at/www/samba/> again.
>
> Bye,
> Stefan
>

Is the 'acl' package installed?

Rowland

On Mon, Jun 24, 2019 at 09:12:00AM +0100, Rowland penny via samba wrote:
> On 24/06/2019 08:39, Stefan Froehlich via samba wrote:
> >On Sun, Jun 23, 2019 at 03:34:08PM +0200, Stefan Froehlich via
> >samba wrote: (I am following a script by now, so it does not take
> >too long)
>
> Can I see your script?
>
> You may be doing something wrong.

These are only informal scripts and I doubt they will help clearing
this. But you can find them at <http://froehlich.priv.at/www/samba/> now.

> >Now I configured DNS the other way round, pointing every host to the
> >DC and using "dns forwarder = 8.8.8.8" there to resolve the rest of
> >the world. Problem is that DC does not forward anything (no packets
> >are leaving the controller on port 53) and answers all external
> >questions with an empty result set. Is there anything I could have
> >missed?
> Which dns server are you using?

I tried my own dns first and switched to 8.8.8.8 afterwards. But as
there are not even udp packets leaving the DC, there must be
something else.

> >| ~# smbclient //herakles/profiles/ -Utest
> >| Enter SYNTHESIS\test's password:
> >| session setup failed: NT_STATUS_ACCESS_DENIED
> >
> >The log file contains:
> >
> >| [2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >| Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 09:28:03.876091, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >| Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >| get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> >| [2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >| auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >| smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >| [2019/06/24 09:28:03.878357, 3] ../source3/smbd/server_exit.c:237(exit_server_common)
> >| Server exit (NT_STATUS_END_OF_FILE)
> >
> >How can the username be "invalid", if I can use it for anything else?
> >The debug info is at <http://froehlich.priv.at/www/samba/> again.

> Is the 'acl' package installed?

No, but it does not make any difference if I install it (and it was
not installed last week either when this issue did not occur). I
hate it when IT feels non-deterministic :-(

Bye,
Stefan

--
Stefan. For nasty appendixes in yellow galaxies!
Sloganizer, https://www.poetron-zone.de/
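
Added example, not part of the thread and not Samba project code: a small triage script for the smbd log quoted above. It separates a session setup in which the Kerberos PAC was decoded but the user could not be mapped to a system account from other NT_STATUS_ACCESS_DENIED results. The function names, the verdict strings and the one-header-line-plus-message-line layout of SAMPLE are assumptions of this example.

```python
import re

# Header of an smbd log record: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\] (\S+?):(\d+)\((\w+)\)$")

# Excerpt of the log quoted in the thread; one header line plus an indented
# message line per record is an assumed layout for this example.
SAMPLE = r"""
[2019/06/24 09:28:03.876063, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: test [Max Mustermann]
[2019/06/24 09:28:03.877874, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
[2019/06/24 09:28:03.877895, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2019/06/24 09:28:03.877937, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
"""

def parse_records(text):
    """Return [timestamp, function, message] for each log record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(5), ""])
        elif records and line:
            # Continuation lines belong to the most recent header.
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return records

def classify_session_failure(text):
    """Separate 'PAC decoded, user not mappable' from other denials."""
    pac_user = unmapped = None
    denied = False
    for _ts, func, msg in parse_records(text):
        if func == "kerberos_decode_pac" and "PAC:" in msg:
            pac_user = msg.split("PAC:", 1)[1].split("[")[0].strip()
        elif func == "get_user_from_kerberos_info":
            m = re.search(r"Username (\S+) is invalid on this system", msg)
            unmapped = m.group(1) if m else unmapped
        elif "NT_STATUS_ACCESS_DENIED" in msg:
            denied = True
    if denied and pac_user and unmapped:
        verdict = "kerberos-ok-mapping-failed"
    else:
        verdict = "access-denied-other" if denied else "no-failure"
    return {"verdict": verdict, "pac_user": pac_user, "unmapped": unmapped}

if __name__ == "__main__":
    print(classify_session_failure(SAMPLE))
```
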