On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
> On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
>> <http://froehlich.priv.at/www/samba/>
> Always try your own links before posting them... it must be
> <http://froehlich.priv.at/samba/> of course, sorry.
>
No problem, I just refreshed the old page I had open ;-)

You have this on the DC:

controller:~# vi /etc/network/interfaces
iface enp1s0 inet static
    address 192.168.1.11
    broadcast 192.168.122.255
    netmask 255.255.255.0
    gateway 192.168.1.1

And this on the fileserver:

herakles:~# vi /etc/network/interfaces
iface enp1s0 inet static
    address 192.168.122.12
    broadcast 192.168.122.255
    netmask 255.255.255.0
    gateway 192.168.122.1

It might help if they were both in the same subnet.

I install these packages:

apt-get install samba acl attr winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user ntp dnsutils ldb-tools

You do not seem to be setting up a time server.

At the bottom of the 'controller' page, you are creating the user
test, you set the '--gid-number' to '100'. I take it you got this
from a DC. I say this because this is the default from idmap.ldb
on a DC. I would use the ID for Domain Users, '10000' in your
case.

Rowland

On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
> >On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
> >><http://froehlich.priv.at/www/samba/>
> >Always try your own links before posting them... it must be
> ><http://froehlich.priv.at/samba/> of course, sorry.
> >
> No problem, I just refreshed the old page I had open ;-)
>
> You have this on the DC: [...]
> And this on the fileserver: [...]
>
> It might help if they were both in the same subnet.

Was a typo when migrating from my own test environment, thanks. I
changed that (and 2 others as well), name resolution is working now.

> You do not seem to be setting up a time server.

Changed that.

> At the bottom of the 'controller' page, you are creating the user
> test, you set the '--gid-number' to '100'. I take it you got this
> from a DC. I say this because this is the default from idmap.ldb
> on a DC. I would use the ID for Domain Users, '10000' in your
> case.

Changed that as well.

The "username invalid" problem remains though. Interesting observation, if I
enter a *wrong* password I get a different error message; in the log file
things start to be different here:

| [2019/06/24 13:32:03.026596, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:32:03.026634, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
|   Starting GENSEC submechanism ntlmssp
| [2019/06/24 13:32:03.026651, 3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
|   Got NTLMSSP neg_flags=0x62088215
|     NTLMSSP_NEGOTIATE_UNICODE
|     NTLMSSP_REQUEST_TARGET
|     NTLMSSP_NEGOTIATE_SIGN
|     NTLMSSP_NEGOTIATE_NTLM
|     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
|     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
|     NTLMSSP_NEGOTIATE_VERSION
|     NTLMSSP_NEGOTIATE_128
|     NTLMSSP_NEGOTIATE_KEY_EXCH

Whereas with the correct password this reads:

| [2019/06/24 13:33:06.220212, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.220255, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
|   Starting GENSEC submechanism gse_krb5
| [2019/06/24 13:33:06.220749, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220788, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220800, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220808, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220816, 5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2019/06/24 13:33:06.220830, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.220850, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220873, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220883, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220890, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220898, 5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2019/06/24 13:33:06.220906, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.221934, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.222005, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
|   Found account name from PAC: test [Max Mustermann]
| [2019/06/24 13:33:06.222024, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
|   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
| [2019/06/24 13:33:06.222044, 4] ../source3/auth/user_util.c:375(map_username)
|   Scanning username map /etc/samba/user.map
| [2019/06/24 13:33:06.222067, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
|   Finding user SYNTHESIS\test
| [2019/06/24 13:33:06.222076, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as lowercase is synthesis\test
| [2019/06/24 13:33:06.222106, 5] ../source3/lib/username.c:128(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
| [2019/06/24 13:33:06.222129, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
| [2019/06/24 13:33:06.222148, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
|   Checking combinations of 0 uppercase letters in synthesis\test
| [2019/06/24 13:33:06.222156, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
|   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
| [2019/06/24 13:33:06.222164, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
|   Finding user test
| [2019/06/24 13:33:06.222172, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as lowercase is test
| [2019/06/24 13:33:06.223193, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as uppercase is TEST
| [2019/06/24 13:33:06.223734, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
|   Checking combinations of 0 uppercase letters in test
| [2019/06/24 13:33:06.223755, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
|   Get_Pwnam_internals didn't find user [test]!
| [2019/06/24 13:33:06.223970, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
| [2019/06/24 13:33:06.223989, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
| [2019/06/24 13:33:06.224023, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137

I have no idea where _Get_Pwnam() tries to look up usernames, but
it obviously fails *after* the verification of the password (how
can this be verified without a valid username?).

There must be some rather basic mistake left, I suppose, but which...

Bye,
Stefan

--
Stefan - love that never lazes about.
Sloganizer, https://www.poetron-zone.de/

On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
>> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
>>> On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
>>>> <http://froehlich.priv.at/www/samba/>
>>> Always try your own links before posting them... it must be
>>> <http://froehlich.priv.at/samba/> of course, sorry.
>>>
>> No problem, I just refreshed the old page I had open ;-)
>>
>> You have this on the DC: [...]
>> And this on the fileserver: [...]
>>
>> It might help if they were both in the same subnet.
> Was a typo when migrating from my own test environment, thanks. I
> changed that (and 2 others as well), name resolution is working now.
>
>> You do not seem to be setting up a time server.
> Changed that.
>
>> At the bottom of the 'controller' page, you are creating the user
>> test, you set the '--gid-number' to '100'. I take it you got this
>> from a DC. I say this because this is the default from idmap.ldb
>> on a DC. I would use the ID for Domain Users, '10000' in your
>> case.
> Changed that as well.
>
> The "username invalid" problem remains though. Interesting observation, if I
> enter a *wrong* password I get a different error message; in the log file
> things start to be different here:
>
> | [2019/06/24 13:32:03.026596, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:32:03.026634, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism ntlmssp
> | [2019/06/24 13:32:03.026651, 3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> |   Got NTLMSSP neg_flags=0x62088215
> |     NTLMSSP_NEGOTIATE_UNICODE
> |     NTLMSSP_REQUEST_TARGET
> |     NTLMSSP_NEGOTIATE_SIGN
> |     NTLMSSP_NEGOTIATE_NTLM
> |     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> |     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> |     NTLMSSP_NEGOTIATE_VERSION
> |     NTLMSSP_NEGOTIATE_128
> |     NTLMSSP_NEGOTIATE_KEY_EXCH
>
> Whereas with the correct password this reads:
>
> | [2019/06/24 13:33:06.220212, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220255, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism gse_krb5
> | [2019/06/24 13:33:06.220749, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220788, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220800, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220808, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220816, 5] ../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220830, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220850, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220873, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220883, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220890, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220898, 5] ../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220906, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.221934, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.222005, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> |   Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 13:33:06.222024, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> |   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 13:33:06.222044, 4] ../source3/auth/user_util.c:375(map_username)
> |   Scanning username map /etc/samba/user.map
> | [2019/06/24 13:33:06.222067, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user SYNTHESIS\test
> | [2019/06/24 13:33:06.222076, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is synthesis\test
> | [2019/06/24 13:33:06.222106, 5] ../source3/lib/username.c:128(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> | [2019/06/24 13:33:06.222129, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> | [2019/06/24 13:33:06.222148, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in synthesis\test
> | [2019/06/24 13:33:06.222156, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> | [2019/06/24 13:33:06.222164, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user test
> | [2019/06/24 13:33:06.222172, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is test
> | [2019/06/24 13:33:06.223193, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is TEST
> | [2019/06/24 13:33:06.223734, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in test
> | [2019/06/24 13:33:06.223755, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [test]!
> | [2019/06/24 13:33:06.223970, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> |   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 13:33:06.223989, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> |   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 13:33:06.224023, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> |   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
>
> I have no idea where _Get_Pwnam() tries to look up usernames, but
> it obviously fails *after* the verification of the password (how
> can this be verified without a valid username?).
>
> There must be some rather basic mistake left, I suppose, but which...
>
> Bye,
> Stefan
>
Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test' produce
output when run on the fileserver?

Rowland
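
Added example, not part of any message in this thread: in the log above the gse_krb5 exchange reaches the PAC decode before Get_Pwnam fails, so the ticket is accepted first and the Unix account lookup (the same lookup `getent passwd` exercises) only comes afterwards. The sketch below extracts that sequence from smbd debug output; `parse_records`, `diagnose` and the abridged sample log are constructed here for illustration.

```python
import re

# Constructed sample: smbd debug lines abridged from the log quoted in this thread.
SAMPLE_LOG = """\
[2019/06/24 13:33:06.220255, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2019/06/24 13:33:06.222005, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: test [Max Mustermann]
[2019/06/24 13:33:06.222156, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SYNTHESIS\\test]!
[2019/06/24 13:33:06.223755, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [test]!
[2019/06/24 13:33:06.223989, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""

# Header line: "[timestamp, level] source-file:line(function)"
HEADER = re.compile(r"^\[[^,\]]+,\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)$")

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append({"func": m["func"], "level": int(m["level"]), "msg": []})
        elif records and line.strip():
            records[-1]["msg"].append(line.strip())
    return records

def diagnose(text):
    """Summarise one session setup: mechanism, PAC account, failed lookups, verdict."""
    out = {"mechanism": None, "pac_account": None, "nss_misses": [], "verdict": "inconclusive"}
    for rec in parse_records(text):
        msg = " ".join(rec["msg"])
        if m := re.search(r"Starting GENSEC submechanism (\S+)", msg):
            out["mechanism"] = m[1]
        elif m := re.search(r"Found account name from PAC: (\S+)", msg):
            out["pac_account"] = m[1]
        elif m := re.search(r"didn't find user \[(.+?)\]", msg):
            out["nss_misses"].append(m[1])
        elif "Failed to map kerberos principal to system user" in msg:
            out["verdict"] = "ticket accepted, no Unix account via NSS"
    return out

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A non-empty `nss_misses` list together with a set `pac_account` points at name-service configuration on the member server rather than at the credentials.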