samba - Jun 2019 - setting up a new ADS infrastructure

On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
>> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
>>> On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via
samba wrote:
>>>> <http://froehlich.priv.at/www/samba/>
>>> Always try your own links before posting them... it must be
>>> <http://froehlich.priv.at/samba/> of course, sorry.
>>>
>> No problem, I just refreshed the old page I had open ;-)
>>
>> You have this on the DC: [...]
>> And this on the fileserver: [...]
>>
>> It might help if they were both in the same subnet.
> Was a typo when migrating from my own test environment, thanks. I
> changed that (and 2 others as well), name resolution is working now.
>
>> You do not seem to be setting up a time server.
> Changed that.
>
>> At the bottom of the 'controller' page, you are creating the
user
>> test, you set the '--gid-number' to '100'. I take it
you got this
>> from a DC. I say this because this is the default from idmap.ldb
>> on a DC. I would use the ID for Domain Users, '10000' in your
>> case.
> Changed that as well.
>
> The "username invalid" problem remains though. Interesting
observation, if I
> enter a *wrong* password I get a different error message; in the log file
> things start to be different here:
>
> | [2019/06/24 13:32:03.026596,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:32:03.026634,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism ntlmssp
> | [2019/06/24 13:32:03.026651,  3]
../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> |   Got NTLMSSP neg_flags=0x62088215
> |     NTLMSSP_NEGOTIATE_UNICODE
> |     NTLMSSP_REQUEST_TARGET
> |     NTLMSSP_NEGOTIATE_SIGN
> |     NTLMSSP_NEGOTIATE_NTLM
> |     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> |     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> |     NTLMSSP_NEGOTIATE_VERSION
> |     NTLMSSP_NEGOTIATE_128
> |     NTLMSSP_NEGOTIATE_KEY_EXCH
>
> Whereas with the correct password this reads:
>
> | [2019/06/24 13:33:06.220212,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220255,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism gse_krb5
> | [2019/06/24 13:33:06.220749,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220788,  4]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220800,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220808,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220816,  5]
../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220830,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220850,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220873,  4]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220883,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220890,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220898,  5]
../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220906,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.221934,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.222005,  3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> |   Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 13:33:06.222024,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> |   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 13:33:06.222044,  4]
../source3/auth/user_util.c:375(map_username)
> |   Scanning username map /etc/samba/user.map
> | [2019/06/24 13:33:06.222067,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user SYNTHESIS\test
> | [2019/06/24 13:33:06.222076,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is synthesis\test
> | [2019/06/24 13:33:06.222106,  5]
../source3/lib/username.c:128(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> | [2019/06/24 13:33:06.222129,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> | [2019/06/24 13:33:06.222148,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in synthesis\test
> | [2019/06/24 13:33:06.222156,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> | [2019/06/24 13:33:06.222164,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user test
> | [2019/06/24 13:33:06.222172,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is test
> | [2019/06/24 13:33:06.223193,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is TEST
> | [2019/06/24 13:33:06.223734,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in test
> | [2019/06/24 13:33:06.223755,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [test]!
> | [2019/06/24 13:33:06.223970,  3]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> |   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this
system
> | [2019/06/24 13:33:06.223989,  3]
../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> |   auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 13:33:06.224023,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> |   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
>
> I have no idea where _Get_Pwnam() tries to look up usernames, but
> it obviousley fails *after* the verification of the password (how
> can this be verified without a valid username?).
>
> There must be some rather basic mistake left, I suppose, but which...
>
> Bye,
> Stefan
>
Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test'
produce
output when run on the fileserver ?

Rowland

On Mon, Jun 24, 2019 at 12:56:28PM +0100, Rowland penny via samba
wrote:
> On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> >| [2019/06/24 13:33:06.220212,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220255,  5]
../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >|   Starting GENSEC submechanism gse_krb5
> >| [2019/06/24 13:33:06.220749,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220788,  4]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220800,  4]
../source3/smbd/uid.c:558(push_conn_ctx)
> >|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220808,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220816,  5]
../libcli/security/security_token.c:53(security_token_debug)
> >|   Security token: (NULL)
> >| [2019/06/24 13:33:06.220830,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220850,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220873,  4]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220883,  4]
../source3/smbd/uid.c:558(push_conn_ctx)
> >|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220890,  4]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220898,  5]
../libcli/security/security_token.c:53(security_token_debug)
> >|   Security token: (NULL)
> >| [2019/06/24 13:33:06.220906,  5]
../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.221934,  4]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.222005,  3]
../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >|   Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 13:33:06.222024,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >|   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 13:33:06.222044,  4]
../source3/auth/user_util.c:375(map_username)
> >|   Scanning username map /etc/samba/user.map
> >| [2019/06/24 13:33:06.222067,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
> >|   Finding user SYNTHESIS\test
> >| [2019/06/24 13:33:06.222076,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as lowercase is synthesis\test
> >| [2019/06/24 13:33:06.222106,  5]
../source3/lib/username.c:128(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> >| [2019/06/24 13:33:06.222129,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> >| [2019/06/24 13:33:06.222148,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
> >|   Checking combinations of 0 uppercase letters in synthesis\test
> >| [2019/06/24 13:33:06.222156,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
> >|   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> >| [2019/06/24 13:33:06.222164,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
> >|   Finding user test
> >| [2019/06/24 13:33:06.222172,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as lowercase is test
> >| [2019/06/24 13:33:06.223193,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as uppercase is TEST
> >| [2019/06/24 13:33:06.223734,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
> >|   Checking combinations of 0 uppercase letters in test
> >| [2019/06/24 13:33:06.223755,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
> >|   Get_Pwnam_internals didn't find user [test]!
> >| [2019/06/24 13:33:06.223970,  3]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on
this system
> >| [2019/06/24 13:33:06.223989,  3]
../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >|   auth3_generate_session_info_pac: Failed to map kerberos principal
to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 13:33:06.224023,  3]
../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >
> >I have no idea where _Get_Pwnam() tries to look up usernames, but
> >it obviousley fails *after* the verification of the password (how
> >can this be verified without a valid username?).
> >
> >There must be some rather basic mistake left, I suppose, but which...
> >
> Does 'getent passwd test' or 'getent passwd
SYNTHESIS\\test'
> produce output when run on the fileserver ?
Both of them, yes, and wbinfo(1) works as well:

| sfroehli at herakles:~$ getent passwd test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli at herakles:~$ getent passwd SYNTHESIS\\test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli at herakles:~$ wbinfo --uid-info=10001
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli at herakles:~$ wbinfo --user-info=test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash

I can also chown files to this user and pretty much everything. But
as soon as I want to connect to the server (be it "-L" or be it a
certain share) this failure occurs.

Bye,
  Stefan

-- 
Stefan, mit dem dussligen Geschrei der Dekadenz.
Sloganizer, https://www.poetron-zone.de/

On 24/06/2019 13:34, Stefan Froehlich via samba wrote:
> Both of them, yes, and wbinfo(1) works as well:
>
> | sfroehli at herakles:~$ getent passwd test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli at herakles:~$ getent passwd SYNTHESIS\\test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli at herakles:~$ wbinfo --uid-info=10001
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
> | sfroehli at herakles:~$ wbinfo --user-info=test
> | test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
>
> I can also chown files to this user and pretty much everything. But
> as soon as I want to connect to the server (be it "-L" or be it a
> certain share) this failure occurs.
>
OK, I re-read the info for your fileserver and found another mistake:

You have this in /etc/hosts:

192.168.122.12 herakles.synthesis.synth.intern herakles

So the short hostname is 'herakles', but you have this in smb.conf:

netbios name = AKTENSCHRANK

That is a no-no, the 'netbios name' (if given) must be the short 
hostname in uppercase.

Can I suggest you try this smb.conf:

[global]
server string = Aktenschrank
workgroup = SYNTHESIS
security = ADS
realm = SYNTHESIS.SYNTH.INTERN

preferred master = no
domain master = no
local master = no

# extended ACL support
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

username map = /etc/samba/user.map

# debugging
debuglevel = 1
log file = /var/log/samba/log.%m
max log size = 1000
logging = file

idmap config *:backend = tdb
idmap config *:range = 1000-9999
idmap config SYNTHESIS:backend = ad
idmap config SYNTHESIS:schema_mode = rfc2307
idmap config SYNTHESIS:range = 10000-9999999
idmap config SYNTHESIS:unix_nss_info = yes

winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind refresh tickets = yes

[users]
comment = Home Directories
path = /home
browseable = no
read only = no
force create mode = 0600
force directory mode = 0700

[profiles]
comment = User profiles
path = /home/profiles
browseable = no
read only = no
force create mode = 0600
force directory mode = 0700

Rowland