Rowland Penny
2023-Jul-28 18:53 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
On 28/07/2023 19:18, Himanshi Yadav wrote:
> Hi Rowland,
>
> Thanks for the prompt response. I changed the SSSD authentication from
> NSS db to sssd to check the issue yesterday. reverted again from sssd to
> nss. But still have the same issue. It was working perfectly before
> rebooted the machine with nss. I can't identify the issue with NSS db too.

I have never understood why anyone would use the nss idmap backend with AD, it requires local unix users and idmap backends like 'ad', 'rid' and 'autorid' backends make AD users into Unix users without being in /etc/passwd, but that is your decision.

> Pasted output here after reverted to NSS db.
>
> [root at midway3-dm1 samba]# testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is
> deprecated
> Loaded services file OK.
> Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         clustering = Yes
>         idmap cache time = 1
>         idmap negative cache time = 1
>         kerberos method = system keytab
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         netbios name = DMCIFS
>         realm = AD.UCHICAGO.EDU
>         security = ADS
>         server min protocol = SMB3_02
>         server string = Samba Server Version %v
>         winbind cache time = 1
>         workgroup = AD
>         fruit:delete_empty_adfiles = yes
>         fruit:wipe_intentionally_left_blank_rfork = yes
>         fruit:veto_appledouble = no
>         fruit:posix_rename = yes
>         fruit:model = MacSamba
>         fruit:metadata = stream
>         fileid:algorithm = fsname
>         idmap config ad : range = 1401-2147483647
>         idmap config ad : backend = nss
>         idmap config * : range = 2147483648-3000000000
>         idmap config * : backend = tdb2
>         hosts allow = 127. 128.135.0.0/255.255.0.0
> 205.208.0.0/255.255.128.0 10.0.0.0/255.0.0.0 192.170.192.0/255.255.224.0
>         invalid users = root bin daemon adm lp sync shutdown halt mail
> operator games ftp nobody dbus systemd-coredump systemd-resolve tss
> polkitd geoclue rtkit pulse pipewire libstoragemgmt qemu usbmuxd unbound
> rpc gluster chrony setroubleshoot saslauth dnsmasq radvd clevis
> cockpit-ws cockpit-wsinstance sssd flatpak colord gdm rpcuser
> gnome-initial-setup sshd pesign avahi rngd tcpdump munge
>         kernel oplocks = Yes
>
> [root at midway3-dm1 samba]# systemctl status sssd
>   sssd.service - System Security Services Daemon
>    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled;
> vendor preset: enabled)
>    Active: inactive (dead) since Fri 2023-07-28 13:02:11 CDT; 2min 22s ago
>   Process: 1092096 ExecStart=/usr/sbin/sssd -i ${DEBUG_LOGGER}
> (code=exited, status=0/SUCCESS)
>  Main PID: 1092096 (code=exited, status=0/SUCCESS)
>
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_be[1092099]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_nss[1092100]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local sssd_pam[1092101]: Starting up
> Jul 28 09:37:35 midway3-dm1.rcc.local systemd[1]: Started System
> Security Services Daemon.
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopping System
> Security Services Daemon...
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_pam[1092101]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_be[1092099]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local sssd_nss[1092100]: Shutting down
> (status = 0)
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: sssd.service: Succeeded.
> Jul 28 13:02:11 midway3-dm1.rcc.local systemd[1]: Stopped System
> Security Services Daemon.
>
> [root at midway3-dm1 samba]# id dgmartin
> uid=2088466063(dgmartin) gid=2088466063(dgmartin)
> groups=2088466063(dgmartin),10008(rcc),10741(pi-vitelli)
>
> [root at midway3-dm1 samba]# grep -v "#" /etc/nsswitch.conf
> passwd:     db files  systemd
> group:      db files  systemd

Is winbind installed and running, it should be and you need 'winbind' in the 'passwd' and 'group' lines

> netgroup:   db  files
> automount:   files
> services:    files
> shadow:     db files sss

I suggest you remove 'sss' from the 'shadow' line

> hosts:      files dns myhostname
> aliases:    files
> ethers:     files
> gshadow:    files
> networks:   files dns
> protocols:  files
> publickey:  files
> rpc:        files
>
> still have the same error :--
>
> [root at midway3-dm1 samba]# tail -f log.128.135.186.8
>
> [2023/07/28 13:09:51.101676,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])

As I said earlier, '2147483648' is in the default '*' range, your DOMAIN appears to be 'AD' but the user with the RID '304562' appears to be from the 'ADLOCAL' domain/workgroup. If this user is in the REALM 'AD.UCHICAGO.EDU', it should have a uidNumber attribute containing a number in the '1401-2147483647' range.

> [2023/07/28 13:09:53.110963,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
>
> [2023/07/28 13:09:53.117397,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
>
> [2023/07/28 13:09:55.127351,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
>
> [2023/07/28 13:09:55.135854,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
>
> [2023/07/28 13:09:57.179610,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])
>
> [2023/07/28 13:09:57.186094,  0]
> ../../source3/auth/auth_util.c:1936(check_account)
>   check_account: Failed to find local account with UID 2147483648 for
> SID S-1-5-21-1644491937-1604221776-725345543-304562
> (dom_user[ADLOCAL\dgmartin])

Rowland
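
The range check described in the reply above, as an added example that is not part of the original thread and is not Samba code: it parses the idmap lines and one log entry copied from the quoted output and reports which configured range the failing UID falls in and whether the user's domain has its own idmap section. The function names are hypothetical, and the log entry has its mail line wrapping undone.

```python
import re

# Copied from the testparm output quoted in the thread (idmap lines only).
SMB_CONF = """\
[global]
    workgroup = AD
    idmap config ad : range = 1401-2147483647
    idmap config ad : backend = nss
    idmap config * : range = 2147483648-3000000000
    idmap config * : backend = tdb2
"""

# One log entry from the thread, with the mail client's line wrapping undone.
LOG = r"""[2023/07/28 13:09:51.101676,  0] ../../source3/auth/auth_util.c:1936(check_account)
  check_account: Failed to find local account with UID 2147483648 for SID S-1-5-21-1644491937-1604221776-725345543-304562 (dom_user[ADLOCAL\dgmartin])
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(range|backend)\s*=\s*(.+?)\s*$", re.I | re.M)
FAIL_RE = re.compile(
    r"Failed to find local account with UID (\d+) for\s+SID (S-[\d-]+)"
    r"\s+\(dom_user\[([^\\\]]+)\\([^\]]+)\]\)")

def parse_idmap(conf):
    """Map each 'idmap config <DOMAIN>' name (upper-cased) to its range and backend."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = domains.setdefault(dom.upper(), {})
        if key.lower() == "range":
            lo, hi = val.split("-")
            entry["range"] = (int(lo), int(hi))
        else:
            entry["backend"] = val
    return domains

def range_owner(uid, domains):
    """Return the idmap domain whose range contains uid, or None."""
    for dom, entry in domains.items():
        lo, hi = entry.get("range", (1, 0))
        if lo <= uid <= hi:
            return dom
    return None

def diagnose(conf, log):
    """Per check_account failure: the range the UID is in, and whether the
    user's domain has its own 'idmap config' section (if not, '*' is used)."""
    domains = parse_idmap(conf)
    findings = []
    for uid, sid, dom, user in FAIL_RE.findall(log):
        findings.append({
            "user": f"{dom}\\{user}",
            "uid": int(uid),
            "rid": int(sid.rsplit("-", 1)[1]),
            "range_owner": range_owner(int(uid), domains),
            "has_own_idmap_config": dom.upper() in domains,
        })
    return findings

if __name__ == "__main__":
    print(diagnose(SMB_CONF, LOG))
```

For the quoted entry this reports UID 2147483648 as owned by the '*' range and ADLOCAL as having no idmap section of its own, while the UID 2088466063 returned by `id dgmartin` falls in the 'ad' range.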
Himanshi Yadav
2023-Jul-28 19:55 UTC
[Samba] check_account: Failed to find local account with UID" issue / The university of Chicago
Hi Rowland,

Thanks for the suggestion. Answering your questions

Is winbind installed and running, it should be and you need 'winbind' in the 'passwd' and 'group' lines

Yes, Winbind service running and added service into nsswitch file and removed sss from shadow section. Restarted the smb service.

[root at midway3-dm1 samba]# systemctl status winbind.service
  winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2023-07-27 17:49:34 CDT; 20h ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 3487531 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 6 (limit: 1233751)
   Memory: 11.2M
   CGroup: /system.slice/winbind.service
           1057211 /usr/sbin/winbindd --foreground --no-process-group
           3487531 /usr/sbin/winbindd --foreground --no-process-group
           3487534 /usr/sbin/winbindd --foreground --no-process-group
           3487536 /usr/sbin/winbindd --foreground --no-process-group
           3487583 /usr/sbin/winbindd --foreground --no-process-group
           3508272 /usr/sbin/winbindd --foreground --no-process-group

Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fbf521f6ca7]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #16 /lib64/libtevent.so.0(+0xed2f) [0x7fbf521fcd2f]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #17 /lib64/libtevent.so.0(+0xcf5b) [0x7fbf521faf5b]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fbf521f59b5]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #19 /usr/sbin/winbindd(main+0xd34) [0x56316272a2f4]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fbf51865d85]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: #21 /usr/sbin/winbindd(_start+0x2e) [0x56316272ae8e]
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: [2023/07/28 09:18:51.432424, 0] ../../source3/lib/dumpcore.c:318(dump_core)
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]: coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern
Jul 28 09:18:51 midway3-dm1.rcc.local winbindd[1056745]:

[root at midway3-dm1 samba]# grep -v "#" /etc/nsswitch.conf
passwd:     db files winbind systemd
group:      db files winbind systemd
netgroup:   db files
automount:  files
services:   files
shadow:     db files
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files

As I said earlier, '2147483648' is in the default '*' range, your DOMAIN appears to be 'AD' but the user with the RID '304562' appears to be from the 'ADLOCAL' domain/workgroup. If this user is in the REALM 'AD.UCHICAGO.EDU', it should have a uidNumber attribute containing a number in the '1401-2147483647' range.

[root at midway3-dm1 ~]# getent passwd 2147483649
ADLOCAL\pjoshi:*:2147483649:2147483831::/home/ADLOCAL/pjoshi:/bin/false
[root at midway3-dm1 ~]# id pjoshi
uid=82959(pjoshi) gid=82959(pjoshi) groups=82959(pjoshi),10627(lumerical),10906(pi-sbking),10008(rcc)
[root at midway3-dm1 ~]# getent passwd dgmartin
dgmartin:x:2088466063:2088466063:David Gilles Paul Martin:/home/dgmartin:/bin/bash
[root at midway3-dm1 ~]# getent passwd 2147483673
ADLOCAL\jamesrna:*:2147483673:2147483831::/home/ADLOCAL/jamesrna:/bin/false
[root at midway3-dm1 ~]# getent passwd 2147483673
ADLOCAL\jamesrna:*:2147483673:2147483831::/home/ADLOCAL/jamesrna:/bin/false
[root at midway3-dm1 ~]# getent passwd 2147483673
ADLOCAL\jamesrna:*:2147483673:2147483831::/home/ADLOCAL/jamesrna:/bin/false
[root at midway3-dm1 ~]# getent passwd 2147483649
ADLOCAL\pjoshi:*:2147483649:2147483831::/home/ADLOCAL/pjoshi:/bin/false

Now it's showing some progress here. But still can't connect to samba service.

[root at midway3-dm1 samba]# smbstatus

Samba version 4.18.3
PID        Username          Group                 Machine                                    Protocol Version  Encryption  Signing
----------------------------------------------------------------------------------------------------------------------------------------
0:1694585  ADLOCAL\jamesrna  ADLOCAL\domain users  128.135.29.99 (ipv4:128.135.29.99:61478)   SMB3_11           -           partial(AES-128-CMAC)

Service          pid        Machine        Connected at                     Encryption  Signing
---------------------------------------------------------------------------------------------
project          0:1694585  128.135.29.99  Fri Jul 28 02:37:04 PM 2023 CDT  -           -
midway3-scratch  0:1694585  128.135.29.99  Fri Jul 28 02:37:04 PM 2023 CDT  -           -

Locked files:
Pid        User(ID)    DenyMode   Access    R/W     Oplock  SharePath         Name  Time
--------------------------------------------------------------------------------------------------
0:1694585  2147483673  DENY_NONE  0x100081  RDONLY  NONE    /scratch/midway3  .     Fri Jul 28 14:37:04 2023
0:1694585  2147483673  DENY_NONE  0x100080  RDONLY  NONE    /scratch/midway3  .     Fri Jul 28 14:37:04 2023
0:1694585  2147483673  DENY_NONE  0x100081  RDONLY  NONE    /project          .     Fri Jul 28 14:37:04 2023
0:1694585  2147483673  DENY_NONE  0x100080  RDONLY  NONE    /project          .     Fri Jul 28 14:37:04 2023

No previously error reported on log file. Is still somethings missing here?