On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
>> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
>>> On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
>>>> <http://froehlich.priv.at/www/samba/>
>>> Always try your own links before posting them... it must be
>>> <http://froehlich.priv.at/samba/> of course, sorry.
>>>
>> No problem, I just refreshed the old page I had open ;-)
>>
>> You have this on the DC: [...]
>> And this on the fileserver: [...]
>>
>> It might help if they were both in the same subnet.
> Was a typo when migrating from my own test environment, thanks. I
> changed that (and 2 others as well), name resolution is working now.
>
>> You do not seem to be setting up a time server.
> Changed that.
>
>> At the bottom of the 'controller' page, you are creating the user
>> test, you set the '--gid-number' to '100'. I take it you got this
>> from a DC. I say this because this is the default from idmap.ldb
>> on a DC. I would use the ID for Domain Users, '10000' in your
>> case.
> Changed that as well.
>
> The "username invalid" problem remains though. Interesting observation: if I
> enter a *wrong* password I get a different error message; in the log file
> things start to be different here:
>
> | [2019/06/24 13:32:03.026596, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> | UNIX token of user 0
> | Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:32:03.026634, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> | Starting GENSEC submechanism ntlmssp
> | [2019/06/24 13:32:03.026651, 3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> | Got NTLMSSP neg_flags=0x62088215
> | NTLMSSP_NEGOTIATE_UNICODE
> | NTLMSSP_REQUEST_TARGET
> | NTLMSSP_NEGOTIATE_SIGN
> | NTLMSSP_NEGOTIATE_NTLM
> | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> | NTLMSSP_NEGOTIATE_VERSION
> | NTLMSSP_NEGOTIATE_128
> | NTLMSSP_NEGOTIATE_KEY_EXCH
>
> Whereas with the correct password this reads:
>
> | [2019/06/24 13:33:06.220212, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> | UNIX token of user 0
> | Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220255, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> | Starting GENSEC submechanism gse_krb5
> | [2019/06/24 13:33:06.220749, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> | pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220788, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> | push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220800, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> | push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220808, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> | setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220816, 5] ../libcli/security/security_token.c:53(security_token_debug)
> | Security token: (NULL)
> | [2019/06/24 13:33:06.220830, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> | UNIX token of user 0
> | Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220850, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> | pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220873, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> | push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220883, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> | push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220890, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> | setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220898, 5] ../libcli/security/security_token.c:53(security_token_debug)
> | Security token: (NULL)
> | [2019/06/24 13:33:06.220906, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> | UNIX token of user 0
> | Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.221934, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> | pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.222005, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> | Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 13:33:06.222024, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> | Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 13:33:06.222044, 4] ../source3/auth/user_util.c:375(map_username)
> | Scanning username map /etc/samba/user.map
> | [2019/06/24 13:33:06.222067, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> | Finding user SYNTHESIS\test
> | [2019/06/24 13:33:06.222076, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> | Trying _Get_Pwnam(), username as lowercase is synthesis\test
> | [2019/06/24 13:33:06.222106, 5] ../source3/lib/username.c:128(Get_Pwnam_internals)
> | Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> | [2019/06/24 13:33:06.222129, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> | Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> | [2019/06/24 13:33:06.222148, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> | Checking combinations of 0 uppercase letters in synthesis\test
> | [2019/06/24 13:33:06.222156, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> | Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> | [2019/06/24 13:33:06.222164, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> | Finding user test
> | [2019/06/24 13:33:06.222172, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> | Trying _Get_Pwnam(), username as lowercase is test
> | [2019/06/24 13:33:06.223193, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> | Trying _Get_Pwnam(), username as uppercase is TEST
> | [2019/06/24 13:33:06.223734, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> | Checking combinations of 0 uppercase letters in test
> | [2019/06/24 13:33:06.223755, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> | Get_Pwnam_internals didn't find user [test]!
> | [2019/06/24 13:33:06.223970, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> | get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 13:33:06.223989, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> | auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 13:33:06.224023, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> | smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
>
> I have no idea where _Get_Pwnam() tries to look up usernames, but
> it obviously fails *after* the verification of the password (how
> can this be verified without a valid username?).
>
> There must be some rather basic mistake left, I suppose, but which...
>
> Bye,
> Stefan
>
Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test' produce output when run on the fileserver?

Rowland
On Mon, Jun 24, 2019 at 12:56:28PM +0100, Rowland penny via samba wrote:
> On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> >| [2019/06/24 13:33:06.220212, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >| UNIX token of user 0
> >| Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220255, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >| Starting GENSEC submechanism gse_krb5
> >| [2019/06/24 13:33:06.220749, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220788, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220800, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> >| push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220808, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220816, 5] ../libcli/security/security_token.c:53(security_token_debug)
> >| Security token: (NULL)
> >| [2019/06/24 13:33:06.220830, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >| UNIX token of user 0
> >| Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220850, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220873, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220883, 4] ../source3/smbd/uid.c:558(push_conn_ctx)
> >| push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220890, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220898, 5] ../libcli/security/security_token.c:53(security_token_debug)
> >| Security token: (NULL)
> >| [2019/06/24 13:33:06.220906, 5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >| UNIX token of user 0
> >| Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.221934, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.222005, 3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >| Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 13:33:06.222024, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >| Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 13:33:06.222044, 4] ../source3/auth/user_util.c:375(map_username)
> >| Scanning username map /etc/samba/user.map
> >| [2019/06/24 13:33:06.222067, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> >| Finding user SYNTHESIS\test
> >| [2019/06/24 13:33:06.222076, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> >| Trying _Get_Pwnam(), username as lowercase is synthesis\test
> >| [2019/06/24 13:33:06.222106, 5] ../source3/lib/username.c:128(Get_Pwnam_internals)
> >| Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> >| [2019/06/24 13:33:06.222129, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> >| Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> >| [2019/06/24 13:33:06.222148, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> >| Checking combinations of 0 uppercase letters in synthesis\test
> >| [2019/06/24 13:33:06.222156, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> >| Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> >| [2019/06/24 13:33:06.222164, 5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> >| Finding user test
> >| [2019/06/24 13:33:06.222172, 5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> >| Trying _Get_Pwnam(), username as lowercase is test
> >| [2019/06/24 13:33:06.223193, 5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> >| Trying _Get_Pwnam(), username as uppercase is TEST
> >| [2019/06/24 13:33:06.223734, 5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> >| Checking combinations of 0 uppercase letters in test
> >| [2019/06/24 13:33:06.223755, 5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> >| Get_Pwnam_internals didn't find user [test]!
> >| [2019/06/24 13:33:06.223970, 3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >| get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> >| [2019/06/24 13:33:06.223989, 3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >| auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 13:33:06.224023, 3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >| smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >
> >I have no idea where _Get_Pwnam() tries to look up usernames, but
> >it obviously fails *after* the verification of the password (how
> >can this be verified without a valid username?).
> >
> >There must be some rather basic mistake left, I suppose, but which...
> >
> Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test'
> produce output when run on the fileserver?

Both of them, yes, and wbinfo(1) works as well:

| sfroehli@herakles:~$ getent passwd test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ getent passwd SYNTHESIS\\test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ wbinfo --uid-info=10001
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ wbinfo --user-info=test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash

I can also chown files to this user and pretty much everything. But
as soon as I want to connect to the server (be it "-L" or be it a
certain share) this failure occurs.

Bye,
Stefan
-- 
Stefan, with the dim-witted clamour of decadence.
Sloganizer, https://www.poetron-zone.de/
On 24/06/2019 13:34, Stefan Froehlich via samba wrote:
> Both of them, yes, and wbinfo(1) works as well:
>
> | sfroehli@herakles:~$ getent passwd test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli@herakles:~$ getent passwd SYNTHESIS\\test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli@herakles:~$ wbinfo --uid-info=10001
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli@herakles:~$ wbinfo --user-info=test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
>
> I can also chown files to this user and pretty much everything. But
> as soon as I want to connect to the server (be it "-L" or be it a
> certain share) this failure occurs.
>
OK, I re-read the info for your fileserver and found another mistake:

You have this in /etc/hosts:

192.168.122.12 herakles.synthesis.synth.intern herakles

So the short hostname is 'herakles', but you have this in smb.conf:

netbios name = AKTENSCHRANK

That is a no-no, the 'netbios name' (if given) must be the short hostname in uppercase.

Can I suggest you try this smb.conf:

[global]
    server string = Aktenschrank
    workgroup = SYNTHESIS
    security = ADS
    realm = SYNTHESIS.SYNTH.INTERN
    preferred master = no
    domain master = no
    local master = no

    # extended ACL support
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    username map = /etc/samba/user.map

    # debugging
    debuglevel = 1
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file

    idmap config *:backend = tdb
    idmap config *:range = 1000-9999
    idmap config SYNTHESIS:backend = ad
    idmap config SYNTHESIS:schema_mode = rfc2307
    idmap config SYNTHESIS:range = 10000-9999999
    idmap config SYNTHESIS:unix_nss_info = yes

    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = yes
    winbind refresh tickets = yes

[users]
    comment = Home Directories
    path = /home
    browseable = no
    read only = no
    force create mode = 0600
    force directory mode = 0700

[profiles]
    comment = User profiles
    path = /home/profiles
    browseable = no
    read only = no
    force create mode = 0600
    force directory mode = 0700

Rowland
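The two configuration mistakes Rowland calls out in this thread (a 'netbios name' that is not the upper-cased short hostname, and idmap ranges that must exist for both '*' and the domain and must not overlap) are easy to check mechanically before restarting winbind and re-reading level-5 logs. The script below is an added example and is not part of the thread or of Samba itself; it contains a deliberately minimal smb.conf parser (section headers, 'key = value', '#' and ';' comments) and two constructed [global] sections: BROKEN_GLOBAL, which is a reconstruction with the 'netbios name = AKTENSCHRANK' line from the thread plus an invented overlapping idmap range, and FIXED_GLOBAL, an excerpt of the relevant keys from Rowland's suggested smb.conf. The hostname 'herakles' is taken from the /etc/hosts line above.

```python
"""Added example: static sanity checks for a Samba member-server smb.conf.
Not Samba code and not from the mailing-list thread; see the lead-in.
"""
import re

# Constructed: the netbios name line is from the thread, the idmap ranges
# are invented to show an overlap between '*' and the domain range.
BROKEN_GLOBAL = """
[global]
    workgroup = SYNTHESIS
    security = ADS
    realm = SYNTHESIS.SYNTH.INTERN
    netbios name = AKTENSCHRANK
    idmap config *:backend = tdb
    idmap config *:range = 3000-7999
    idmap config SYNTHESIS:backend = ad
    idmap config SYNTHESIS:range = 5000-9999999
"""

# Excerpt of the relevant keys from Rowland's suggested smb.conf above.
FIXED_GLOBAL = """
[global]
    workgroup = SYNTHESIS
    security = ADS
    realm = SYNTHESIS.SYNTH.INTERN
    idmap config *:backend = tdb
    idmap config *:range = 1000-9999
    idmap config SYNTHESIS:backend = ad
    idmap config SYNTHESIS:schema_mode = rfc2307
    idmap config SYNTHESIS:range = 10000-9999999
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba treats parameter names
    case-insensitively and ignores internal whitespace, so keys are
    lower-cased and whitespace-normalised; values are kept verbatim."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # stray text outside a section; ignore it
        key, value = line.split("=", 1)
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def parse_range(value):
    """'1000-9999' -> (1000, 9999); raises ValueError on junk."""
    lo, hi = (int(part) for part in value.split("-", 1))
    return lo, hi


def check_smb_conf(text, hostname):
    """Return a list of human-readable findings; empty means no issue found."""
    findings = []
    g = parse_smb_conf(text).get("global", {})

    # 1. Samba's default netbios name is the first DNS label of the host in
    #    upper case; an explicit value that differs from it is the mistake
    #    Rowland points out in the thread.
    expected = hostname.split(".")[0].upper()
    netbios = g.get("netbios name")
    if netbios is not None and netbios.upper() != expected:
        findings.append(
            f"netbios name '{netbios}' differs from short hostname '{expected}'")

    # 2. security = ADS is meaningless without realm and workgroup.
    if g.get("security", "").upper() == "ADS":
        for key in ("realm", "workgroup"):
            if key not in g:
                findings.append(f"security = ADS but '{key}' is not set")

    # 3. idmap ranges: one for '*' (BUILTIN etc.) and one for the domain,
    #    each well-formed, and none of them overlapping another.
    ranges = {}
    for key, value in g.items():
        match = re.match(r"idmap config (.+):range$", key)
        if not match:
            continue
        dom = match.group(1).upper()
        try:
            lo, hi = parse_range(value)
        except ValueError:
            findings.append(f"unparsable idmap range for '{dom}': {value!r}")
            continue
        if lo >= hi:
            findings.append(f"idmap range for '{dom}' is empty: {lo}-{hi}")
        ranges[dom] = (lo, hi)
    for dom in ("*", g.get("workgroup", "").upper()):
        if dom and dom not in ranges:
            findings.append(f"no idmap range configured for '{dom}'")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(
                    f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_GLOBAL), ("fixed", FIXED_GLOBAL)):
        print(f"{name}: {check_smb_conf(conf, 'herakles') or 'no findings'}")
```

To use it on a real host, read /etc/samba/smb.conf into `text` and pass `socket.gethostname()` as the hostname; the checks only look at [global] and do not replace `testparm`, which still validates the parameters Samba itself knows about.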