Ok, now from desktop logon apparently the user logs on right; look, user 'policia\gafranchello' granted access on the trace below, but it still tells me "Invalid password please try again"

Jul 2 16:15:03 samba-cliente polkitd(authority=local): Unregistered Authentication Agent for unix-session:c6 (system bus name :1.231, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 2 16:15:05 samba-cliente lightdm: pam_unix(lightdm:session): session closed for user jmperrote
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm:session): pam_kwallet: pam_sm_close_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm:session): pam_kwallet5: pam_sm_close_session
Jul 2 16:15:05 samba-cliente systemd-logind[635]: Removed session c6.
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul 2 16:15:05 samba-cliente lightdm: pam_unix(lightdm-greeter:session): session opened for user lightdm by (uid=0)
Jul 2 16:15:05 samba-cliente systemd-logind[635]: New session c7 of user lightdm.
Jul 2 16:15:05 samba-cliente systemd: pam_unix(systemd-user:session): session opened for user lightdm by (uid=0)
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:session): (null): pam_sm_open_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm-greeter:session): pam_kwallet: open_session called without kwallet_key
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:session): (null): pam_sm_open_session
Jul 2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm-greeter:session): pam_kwallet5: open_session called without kwallet5_key
Jul 2 16:15:25 samba-cliente lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
Jul 2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user 'policia\gafranchello' granted access
Jul 2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(gafranchello))
Jul 2 16:15:31 samba-cliente dbus[653]: [system] Failed to activate service 'org.bluez': timed out

And from the unix console it does not work, same error

ul 2 16:20:41 samba-cliente sshd[13844]: Invalid user policia\\gafranchello from 172.33.10.1
Jul 2 16:20:41 samba-cliente sshd[13844]: input_userauth_request: invalid user policia\\\\gafranchello [preauth]
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): getting password (0x00000000)
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): user 'policia\gafranchello' denied access (incorrect password or invalid membership)
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): check pass; user unknown
Jul 2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.33.10.1
Jul 2 16:20:45 samba-cliente sshd[13844]: Failed password for invalid user policia\\gafranchello from 172.33.10.1 port 55002 ssh2

These commands work fine-->

root@samba-cliente:/etc/samba# wbinfo -m
BUILTIN
SAMBA-CLIENTE
POLICIA

root@samba-cliente:/etc/samba# net rpc testjoin -U jmperrote
Join to 'POLICIA' is OK

root@samba-cliente:/etc/samba# net rpc info -U jmperrote
Enter jmperrote's password:
Domain Name: POLICIA
Domain SID: S-1-5-21-2536628940-703160423-1994053749
Sequence number: 1593717825
Num users: 9469
Num domain groups: 82
Num local groups: 0

root@samba-cliente:/etc/samba# wbinfo -g | grep repar
fs_dg2_repar
root@samba-cliente:/etc/samba# getent group fs_dg2_repar
fs_dg2_repar:x:10000036:

root@samba-cliente:/etc/samba# wbinfo -N samba-cliente
10.11.37.149 samba-cliente

root@samba-cliente:/etc/samba# id
uid=0(root) gid=0(root) groups=0(root),15001(BUILTIN\users)

But 'getent pass' and 'getent group' do not work, running for several seconds and only getting local users/groups.

On Thu, 2 Jul 2020 at 15:46, Rowland penny via samba (<samba at lists.samba.org>) wrote:

> On 02/07/2020 18:27, jmpatagonia via samba wrote:
> > 1) Does 'getent passwd policia\gafranchello' produce output when run on a
> > Unix client ?
> > If try to logon on unix console
> >
> > --> auth.log
> > Jul 2 14:13:59 samba-cliente sshd[11654]: Invalid user POLICIA+gafranchello from 172.33.10.1
>
> Try adding these lines to all of your Unix machines:
>
> client max protocol = NT1
> server max protocol = NT1
>
> They will force your Samba machines to use SMBv1 and you need it for an
> NT4-style domain (so yet another reason to upgrade)
>
> I take it that the machine is running headless, so can you log in via
> ssh as a Unix user and run the getent command ?
>
> Until your users are known via 'getent' or 'id', then you will not get
> Samba to work correctly.
>
> > The thing is very complex because we have various products authenticating
> > with ldap squid/git/syspass/moodle/openfire/zentyal/etc and we have
> > modified and adapted the ldap schema with some ldap entries for these
> > products, the samba schema in the same schema (we have only one ldap
> > schema), and we interact with this via an ad hoc developed interface.
> > Change or update samba to samba 4 AD implies that we have to change the unix
> > schema, receding the interface, proves, etc it is too much time.
>
> Not half as much time as you will spend if your domain totally stops
> working. Take smbldap-tools for instance, this isn't just EOL, it is
> dead and disappeared, you cannot find the source code repository
> anywhere on the internet, it is no longer maintained, so sooner or later
> it will be removed by the distros.
>
> > We tried once to implement samba 4 AD and noticed that the ldap schema is
> > very different from what we have, so many changes, that implies too much
> > development on the interface.
>
> Yes AD uses its own schema and must be extended differently from
> openldap etc, but it can be extended.
>
> > Now I am thinking that it is possible to make another ldap schema just for
> > samba 4 AD and continue using the other for the rest of the products, but
> > this implies redesigning the interface to update users, groups on both schemas.
>
> That is the problem with trying to maintain two ldap versions
>
> > Another question: Thinking on samba 4 AD, when a user logs on to a desktop
> > client, can it map or access directly resources shared on the samba server or
> > need to authenticate almost at once ? Because actually on windows clients
> > this is not needed, when a user logs on to the domain they can map or access
> > shared folders without authenticating again.
>
> In this instance, a Samba AD client or server should work like a Windows
> client or server.
>
> From the list of programs you listed above, I can not see one that
> cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.
>
> If you require help in upgrading, we are here to help you.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 02/07/2020 20:32, jmpatagonia via samba wrote:
> root@samba-cliente:/etc/samba# getent group fs_dg2_repar
> fs_dg2_repar:x:10000036:
>
> But 'getent pass' and 'getent group' do not work, running for several
> seconds and only getting local users/groups.

It doesn't matter if 'getent passwd' and 'getent group' do not work, just so long that 'getent passwd a_username' and 'getent group a_groupname' do and the latter does, as shown above.

Rowland
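The lightdm trace in this thread shows pam_winbind granting access and the pam_unix account step then failing in getpwnam, which is the NSS gap the reply above says has to be closed first. As an added example (not part of the original thread and not Samba's own code), this shell function picks that pattern out of auth.log text; `nss_gaps` and `sample_log` are hypothetical names, and the two sample lines for `exampleuser` are constructed.

```shell
#!/bin/sh
# Added example: list logins that pam_winbind authenticated but whose account
# step failed because NSS (getpwnam) did not know the name.

# First three lines follow the lightdm trace quoted in the thread; the two
# sshd lines for "exampleuser" are constructed to show a login that is fine.
sample_log() {
cat <<'EOF'
Jul 2 16:15:25 samba-cliente lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
Jul 2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user 'policia\gafranchello' granted access
Jul 2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(gafranchello))
Jul 2 16:30:10 samba-cliente sshd[14001]: pam_winbind(sshd:auth): user 'policia\exampleuser' granted access
Jul 2 16:30:10 samba-cliente sshd[14001]: pam_unix(sshd:session): session opened for user exampleuser by (uid=0)
EOF
}

# Reads auth.log text on stdin. Output, tab separated:
#   PAM service, name winbind authenticated, name given to getpwnam,
#   and "prefix-stripped" when getpwnam got the name without its DOMAIN\ part.
nss_gaps() {
    awk '
    /pam_winbind\([^:]+:auth\): user .* granted access/ {
        svc = $0; sub(/.*pam_winbind\(/, "", svc); sub(/:auth\).*/, "", svc)
        usr = $0; sub(/.*: user ./, "", usr); sub(/. granted access.*/, "", usr)
        granted[svc] = usr          # remember the last success per service
        next
    }
    /pam_unix\([^:]+:account\): could not identify user \(from getpwnam\(/ {
        svc = $0; sub(/.*pam_unix\(/, "", svc); sub(/:account\).*/, "", svc)
        name = $0; sub(/.*getpwnam\(/, "", name); sub(/\)\).*/, "", name)
        if (!(svc in granted)) next  # no preceding winbind success: ignore
        usr = granted[svc]
        bare = substr(usr, index(usr, "\\") + 1)
        note = (usr != name && bare == name) ? "prefix-stripped" : "as-typed"
        printf "%s\t%s\t%s\t%s\n", svc, usr, name, note
        delete granted[svc]
    }'
}

sample_log | nss_gaps
```

Each name in the third column is the exact string to try with `getent passwd <name>`; no output from that command means NSS still cannot resolve the account.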
Hello Rowland,

Still not working; I try to use getent in different ways and it is not working.

I believe we are trying to update/migrate to samba 4 AD. For us this is a big project because we have a lot of users (about 600) and they are separated in different buildings; we need to keep the users' passwords, and we need to try that all PCs currently working with windows xp/7 do not join the domain again, since otherwise it is a big work.

We updated from all versions of samba since 4 years ago to the current one, and we need to redesign the interface that updates ldap users, make some scripts to update users' passwords, make some scripts to manually join all PCs to the domain again, make a samba ldap laboratory, and remake a login script that works with win/linux clients. Take into account that it is not installing a fresh install and it just works; we need to migrate, everything is done in a production environment and must work.

We need to maintain all windows users almost just to migrate everyone to linux, so we need to work with two operating systems.

OK, we will keep in contact to ask for help migrating to samba 4 AD.

I would like you to send me a good link where we can start to install samba 4 AD with an external ldap repository; when we tried AD, only the built-in ldap was possible. This is one of the reasons we discarded AD, and the other is that the schema changes a lot and needs to be readapted very much.

On Thu, 2 Jul 2020 at 16:59, Rowland penny via samba (<samba at lists.samba.org>) wrote:

> It doesn't matter if 'getent passwd' and 'getent group' do not work,
> just so long that 'getent passwd a_username' and 'getent group
> a_groupname' do and the latter does, as shown above.
>
> Rowland