MAS Jean-Louis
2020-Dec-18 14:15 UTC
[Samba] Users can't mount shares on a domain member file server
On 16/12/2020 at 18:25, Rowland penny via samba wrote:
> I think I might know what is the problem, but first, you do not need these:
>
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson

Those objectclasses provide a lot of attributes we currently use, mostly for our Linux users.
If I delete them, I guess our users will not be able to connect to Linux servers, which are not part of our Samba domain but use our AD for authentication (with nslcd mappings).

> You have changed the primaryGroupID, why ?

Old accounts, such as mine, were created like that; most of them were changed to 'Domain users' some time ago. Now my primaryGroupID is correct:

# ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com sAMAccountName=jlmas | grep primaryGroupID
primaryGroupID: 513

I checked our AD, and all our users have the right primaryGroupID.

> Windows expects that every user's primary group is Domain Users and now
> it is whatever '2906' is, this is what I think your problem is. Samba
> also requires Domain Users, though to be honest I am unsure whether it
> requires the name or the numeric ID, but it looks like whichever it is
> that winbind does not like this.

I have flushed the winbind cache.
Now uid and gid are OK, but unixHomeDirectory and loginShell are not:

$ getent passwd jlmas
jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

I followed all the tips in the troubleshooting page:
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

The only wrong point came from 'net ads testjoin':

# net ads testjoin
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: An invalid parameter was passed to a service or function.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: An invalid parameter was passed to a service or function.
Join to domain is not valid: An invalid parameter was passed to a service or function.

With the same command at full debug (-d 10), we get this just before the lines above:

gensec_update_done: gse_krb5[0x5642b959ab30]: NT_STATUS_INVALID_PARAMETER tevent_req[0x5642b95a6f70/../../source3/librpc/crypto/gse.c:843]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_gse_update_state (0x5642b95a7120)] timer[(nil)] finish[../../source3/librpc/crypto/gse.c:856]
gensec_spnego_create_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for ldap/our-ad.example.com failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
gensec_update_done: spnego[0x5642b95a2780]: NT_STATUS_INVALID_PARAMETER tevent_req[0x5642b95a73d0/../../auth/gensec/spnego.c:1631]: state[3] error[-7963671676338569203 (0x917B5ACDC000000D)] state[struct gensec_spnego_update_state (0x5642b95a7580)] timer[(nil)] finish[../../auth/gensec/spnego.c:2038]

Regards
-- 
Jean Louis Mas
Rowland penny
2020-Dec-18 14:49 UTC
[Samba] Users can't mount shares on a domain member file server
On 18/12/2020 14:15, MAS Jean-Louis via samba wrote:
> On 16/12/2020 at 18:25, Rowland penny via samba wrote:
>
>> I think I might know what is the problem, but first, you do not need
>> these:
>>
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: inetOrgPerson
>
> Those objectclasses provide a lot of attributes we currently use,
> mostly for our Linux users.
> If I delete them, I guess our users will not be able to connect to
> Linux servers, which are not part of our Samba domain but use our AD
> for authentication (with nslcd mappings)

Well, you would guess wrong. posixAccount and shadowAccount are auxiliaryClasses of the 'user' objectclass and inetOrgPerson is a subclass of 'user', so you don't need them to get the attributes.

>> You have changed the primaryGroupID, why ?
>
> Old accounts, such as mine, were created like that; most of them were
> changed to 'Domain users' some time ago. Now my primaryGroupID is
> correct
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com sAMAccountName=jlmas | grep primaryGroupID
>
> primaryGroupID: 513
>
> I checked our AD, and all our users have the right primaryGroupID
>
>> Windows expects that every user's primary group is Domain Users and
>> now it is whatever '2906' is, this is what I think your problem is.
>> Samba also requires Domain Users, though to be honest I am unsure
>> whether it requires the name or the numeric ID, but it looks like
>> whichever it is that winbind does not like this.
>
> I have flushed the winbind cache
>
> Now uid and gid are OK, but unixHomeDirectory and loginShell are not
>
> $ getent passwd jlmas
> jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

You have a line missing from your smb.conf:

idmap config EXAMPLE : unix_nss_info = yes

> The only wrong point came from 'net ads testjoin'
>
> # net ads testjoin
>
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]:
> An invalid parameter was passed to a service or function.
> Join to domain is not valid: An invalid parameter was passed to a
> service or function.

Did you run the command as root? If not, try again using root or sudo.

Rowland
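As an added example (not code from the thread or from Samba itself), a small Python check that parses a constructed smb.conf modelled on this setup, flags idmap domains on the 'ad' backend that lack unix_nss_info, and predicts the home and shell that getent passwd will show from Samba's template homedir / template shell defaults; the sample ranges, schema_mode and the AD values /home/jlmas and /bin/bash are assumptions, not the poster's real data.

```python
import re

# Constructed smb.conf [global] modelled on the thread (not the poster's file).
SMB_CONF_AS_POSTED = """[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
"""
# Rowland's fix: let winbind read unixHomeDirectory/loginShell from AD.
SMB_CONF_FIXED = SMB_CONF_AS_POSTED + "   idmap config EXAMPLE : unix_nss_info = yes\n"

# Samba defaults used when unix_nss_info is off (AD home/shell are ignored).
DEFAULT_HOMEDIR = "/home/%D/%U"
DEFAULT_SHELL = "/bin/false"

def parse_global(conf):
    """Return {normalised key: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # Samba ignores case and whitespace in parameter names; normalise likewise.
            key = re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", key)).lower()
            params[key] = value
    return params

def unix_nss_info_enabled(params, domain):
    value = params.get(f"idmap config {domain.lower()} : unix_nss_info", "no")
    return value.lower() in ("yes", "true", "1")

def ad_domains_missing_unix_nss_info(params):
    """Domains on the 'ad' backend whose AD home/shell winbind will ignore."""
    ad = [k.split(" ")[2] for k, v in params.items()
          if k.endswith(" : backend") and v.lower() == "ad"]
    return [d.upper() for d in ad if not unix_nss_info_enabled(params, d)]

def expected_home_and_shell(params, domain, user, ad_home, ad_shell):
    """Predict the home/shell fields 'getent passwd' will show for the user."""
    if unix_nss_info_enabled(params, domain):
        return ad_home, ad_shell
    subst = {"%D": domain.upper(), "%U": user}
    expand = lambda s: re.sub(r"%[DU]", lambda m: subst[m.group()], s)
    return (expand(params.get("template homedir", DEFAULT_HOMEDIR)),
            expand(params.get("template shell", DEFAULT_SHELL)))
```

With the setting absent, the prediction reproduces the /home/EXAMPLE/jlmas and /bin/false seen in the thread; with it present, the RFC2307 attributes from AD are used instead.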