[Samba] Re: Trusting and trusted domain (home mapping) problem

Adrian Chow achow at uwcsea.edu.sg
Thu Nov 4 00:53:30 GMT 2004


Hi Igor,

I did "smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user"

and I got :-
Domain=[UWCSTU] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I think it has to do with the UNIX and NIS groups required for 
@"Domain_A\Domain Users" to work.

On the Domain_B_PDC's log file on Domain_A, it is like this:-

----------------------------------------------------------------
[2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam(293)
   Finding user STAFF\achow
[2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam_internals(223)
   Trying _Get_Pwnam(), username as lowercase is staff\achow
[2004/11/04 08:40:52, 5] lib/username.c:Get_Pwnam_internals(251)
   Get_Pwnam_internals did find user [STAFF\achow]!
[2004/11/04 08:40:52, 5] auth/auth_util.c:fill_sam_account(960)
   fill_sam_account: located username was [STAFF\achow]
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
   NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 5] lib/smbldap.c:smbldap_search(963)
   smbldap_search: base => [ou=Group,ou=studentnet,dc=uwcsea,dc=org], 
filter => [(&(objectClass=sambaGroupMapping)(gidNumber=10000))], scope 
=> [2]
[2004/11/04 08:40:52, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008)
   ldapsam_getgroup: Did not find group
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 4] lib/substitute.c:automount_server(323)
   Home server: gloin
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 10139
   Primary group is 10000 and contains 3 supplementary groups
   Group[  0]: 10000
   Group[  1]: 10013
   Group[  2]: 10014
[2004/11/04 08:40:52, 3] auth/auth.c:check_ntlm_password(268)
   check_ntlm_password: winbind authentication for user [achow] succeeded
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
   NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 5] auth/auth.c:check_ntlm_password(292)
   check_ntlm_password:  PAM Account for user [STAFF\achow] succeeded
[2004/11/04 08:40:52, 2] auth/auth.c:check_ntlm_password(305)
   check_ntlm_password:  authentication for user [achow] -> [achow] -> 
[STAFF\achow] succeeded
[2004/11/04 08:40:52, 5] auth/auth_util.c:free_user_info(1306)
   attempting to free (and zero) a user_info structure
[2004/11/04 08:40:52, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
   NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 08:40:52, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
   Got NTLMSSP neg_flags=0x60080215
     NTLMSSP_NEGOTIATE_UNICODE
     NTLMSSP_REQUEST_TARGET
     NTLMSSP_NEGOTIATE_SIGN
     NTLMSSP_NEGOTIATE_NTLM
     NTLMSSP_NEGOTIATE_NTLM2
     NTLMSSP_NEGOTIATE_128
     NTLMSSP_NEGOTIATE_KEY_EXCH
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(222)
   User name: STAFF\achow        Real name: Adrian Chow
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(241)
   UNIX uid 10139 is UNIX user STAFF\achow, and will be vuid 100
[2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(270)
   Adding homes service for user 'STAFF\achow' using home directory: 
'/home/STAFF/achow'
[2004/11/04 08:40:52, 3] param/loadparm.c:lp_add_home(2341)
   adding home's share [achow] for user 'STAFF\achow' at '/home/STAFF/achow'
[2004/11/04 08:40:52, 3] smbd/process.c:process_smb(1092)
   Transaction 3 of length 84
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(439)
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(449)
   size=80
   smb_com=0x75
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=8
   smb_flg2=51201
   smb_tid=0
   smb_pid=26725
   smb_uid=100
   smb_mid=4
   smt_wct=4
   smb_vwv[ 0]=  255 (0xFF)
   smb_vwv[ 1]=    0 (0x0)
   smb_vwv[ 2]=    0 (0x0)
   smb_vwv[ 3]=    1 (0x1)
   smb_bcc=37
[2004/11/04 08:40:52, 3] smbd/process.c:switch_message(887)
   switch message SMBtconX (pid 20987) conn 0x0
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
   NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 5] smbd/uid.c:change_to_root_user(296)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/11/04 08:40:52, 4] smbd/reply.c:reply_tcon_and_X(408)
   Client requested device type [?????] for share [SHARED]
[2004/11/04 08:40:52, 5] smbd/service.c:make_connection(812)
   making a connection to 'normal' service shared
[2004/11/04 08:40:52, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/04 08:40:52, 5] lib/username.c:user_in_netgroup_list(315)
   Unable to get default yp domain
[2004/11/04 08:40:52, 2] smbd/service.c:make_connection_snum(314)
   user 'STAFF\achow' (from session setup) not permitted to access this 
share (Shared)
[2004/11/04 08:40:52, 3] smbd/error.c:error_packet(105)
   error string = No such file or directory
[2004/11/04 08:40:52, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
NT_STATUS_ACCESS_DENIED
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(439)
[2004/11/04 08:40:52, 5] lib/util.c:show_msg(449)
   size=35
   smb_com=0x75
   smb_rcls=34
   smb_reh=0
   smb_err=49152
   smb_flg=136
   smb_flg2=51201
   smb_tid=0
   smb_pid=26725
   smb_uid=100
   smb_mid=4
   smt_wct=0
   smb_bcc=0
[2004/11/04 08:40:52, 3] smbd/process.c:timeout_processing(1332)
   timeout_processing: End of file from client (client has disconnected).
[2004/11/04 08:40:52, 5] lib/gencache.c:gencache_shutdown(88)
   Closing cache file
[2004/11/04 08:40:52, 5] libsmb/namecache.c:namecache_shutdown(79)
   namecache_shutdown: netbios namecache closed successfully.
[2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486)
   NT user token: (NULL)
[2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2004/11/04 08:40:52, 5] smbd/uid.c:change_to_root_user(296)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/11/04 08:40:52, 2] smbd/server.c:exit_server(571)
   Closing connections
[2004/11/04 08:40:52, 5] auth/auth_util.c:free_server_info(1332)
   attempting to free (and zero) a server_info structure
[2004/11/04 08:40:52, 3] smbd/connection.c:yield_connection(69)
   Yielding connection to
[2004/11/04 08:40:52, 3] smbd/connection.c:yield_connection(76)
   yield_connection: tdb_delete for name  failed with error Record does 
not exist.
[2004/11/04 08:40:52, 5] smbd/oplock.c:receive_local_message(107)
   receive_local_message: doing select with timeout of 1 ms
[2004/11/04 08:40:52, 3] smbd/server.c:exit_server(614)
   Server exit (normal exit)


---------------------------------------------------------------------

Maybe you can shed some light on what is going on... why call pwnam_internals? 
Especially when it is a trust domain or winbind is resolving.
If I remove the winbind from the nsswitch.conf, I will find that the PDC 
will still use pwnam_internals ALTHOUGH it has queried the Domain_A_PDC 
for the information.

Do you think it is the way we configure during samba compilation?

BTW, do you have pam_ldap set up in your login and ssh files in the pam.d folder?  I 
had it on mine..

Thanks for your reply.  I really hope to hear from you and maybe see 
you shed some light on the log file above.... (e.g. explaining why 
the function is doing that....)

adrian

Igor Belyi wrote:
> Adrian Chow wrote:
> 
>> Hi Igor,
>>
>> Do you have trustdomains in your "auth methods"?
>>
>> Currently I removed the winbind from nsswitch.conf.  And "smbclient 
>> //domain_B_PDC//shared -U domain_A/domain_A_user" does not work.
> 
> 
> Have you tried "smbclient //domain_B_PDC//shared -W domain_A -U 
> domain_A_user"?
> 
>> If I put winbind in the nsswitch.conf, then I will be able to 
>> authenticate but cannot connect to the shared folder with the following 
>> error:-
>> Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
>> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> 
> I would also guess that since "valid users" and "write list" accept only 
> UNIX and NIS groups you will need to have winbind in your nsswitch.conf 
> for @"Domain_A\Domain Users" to work...
> 
> Does Samba allow Domain_A\domain_a_user to access this share if you 
> list the user without domain specification: "valid users = domain_a_user"?
> 
>> The log file from the Domain_B_PDC:-
>>
>> [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408)
>>   Client requested device type [?????] for share [SHARED]
>> [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812)
>>   making a connection to 'normal' service shared
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315)
>>   Unable to get default yp domain
>> [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314)
>>   user 'Domain_A\domain_a_user' (from session setup) not permitted to 
>> access this share (Shared)
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105)
>>   error string = No such file or directory
>> [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129)
>>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX) 
>> NT_STATUS_ACCESS_DENIED
>>
>> --------------
>>
>> My smb.conf :-
>>
>> [Shared]
>>         path = /shared
>>         valid users = @"Domain Users", @"Domain_A\Domain Users"
>>         write list = @"Domain Users", @"Domain_A\Domain Users"
>>         browsable = yes
>>         guest ok = no
>>         writeable =no
>>
>>
>> ---------------
>>
>>
>> Do you have winbind in your nsswitch.conf?
> 
> 
> No, I don't.
> 
>> How did you manage to get the mapped home directory for domain_a_user 
>> when he logs on to the joined_domain_B_computer?
> 
> 
> Yes, I have XP computer joined domain_A and this domain has mutual trust 
> with domain_B. I can login on this computer as user_a into domain_A and 
> as user_b into domain_B and their corresponding home directories get 
> correctly mapped into drive H:
> 
> dn: uid=user_a,ou=People,dc=domain_A,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_A\homes
> 
> dn: uid=user_b,ou=People,dc=domain_B,dc=org
> sambaHomeDrive: H:
> sambaHomePath: \\server_B\homes
> 
>>
>> Hope to hear from you on this... thanks a lot.
>>
>> adrian
>>
>> p/s: hope you got my previous mail cos I forgot to cc to sambalists
> 
> 
> Yes, I did. I apologize for delays - I work with Samba only in my spare 
> time.
> 
> Igor
> 
>> Igor Belyi wrote:
>>
>>> I would guess that it means that DomainA trust DomainB but DomainB 
>>> does not trust DomainA. Can you verify that trust is mutual between 
>>> them? Check 'net rpc trustdom list' on both machines.
>>>
>>> No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). 
>>> Winbind is used only by Samba when it maps users from trust domain 
>>> into local space.
>>>
>>> Adrian Chow wrote:
>>>
>>>> Hi Igor,
>>>>
>>>> I got stuck now.  I did my best.  I got stuck at the winbind which I 
>>>> suspected is the reason why the domainA_computer cannot map the 
>>>> domain_B user's home directory.
>>>>
>>>> 1.  What are the settings of your winbind?
>>>>  
>>>>
>>> I have the following winbind related entries in smb.conf:
>>>  ldap idmap suffix = ou=Idmap
>>>  idmap backend = ldap:ldap://localhost
>>>  idmap uid = 10000-20000
>>>  idmap gid = 10000-20000
>>>
>>> To see if winbind works you can also try to resolve a name into SID 
>>> and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. 
>>> Try to do the following:
>>> wbinfo -n 'STAFF\wheel'
>>> wbinfo -Y <SID returned in the previous command>
>>>
>>>> 2.  Do you use only "winbind" in your libnss_ldap or use "ldap" as 
>>>> well?
>>>>  
>>>>
>>> In my /etc/nsswitch.conf I have only "ldap" without winbind. As far 
>>> as I understand this, winbind usage via NSS can confuse Samba into 
>>> thinking that those users and groups are defined locally and maybe 
>>> allowing Samba to use winbind directly is a better approach for trust 
>>> between domains.
>>>
>>> I don't know why you would want to put winbind into libnss_ldap, which 
>>> is the configuration for the LDAP interface for NSS (when you use 'ldap' in 
>>> the /etc/nsswitch.conf file).
>>>
>>>> 3.  My winbind works with :-
>>>> (For both sides)
>>>> wbinfo -t
>>>> wbinfo -p
>>>> wbinfo -u
>>>> wbinfo -g
>>>> getent passwd
>>>> (For DomainA)
>>>> "getent group" shows all the local groups and also the groups shown 
>>>> in "wbinfo -g"
>>>> (For DomainB)
>>>> "getent group" shows all the local groups and only the GUESTs 
>>>> group.  Very weird.  The rest of the groups in "wbinfo -g" do not 
>>>> come up.
>>>> The log is something like this:-
>>>> -----------------------------------
>>>>
>>>> nsswitch/winbindd_group.c:fill_grent_mem(133)
>>>>  could not lookup membership for group rid 
>>>> S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: 
>>>> NT_STATUS_NO_SUCH_GROUP)
>>>> [2004/11/01 00:13:10, 0] 
>>>> nsswitch/winbindd_group.c:winbindd_getgrent(795)
>>>>  could not lookup domain group STAFF\wheel
>>>>
>>>> ---------------------------------------
>>>>  
>>>>
>>> Do you mean that this error message was reported during "getent 
>>> group" in DomainB? Because, without this error message I would assume 
>>> that you have winbind written in /etc/nsswitch.conf on your DomainA 
>>> server but not on your DomainB server.
>>>
>>> The error message means that Samba thinks that 'wheel' is a Domain 
>>> group of the 'STAFF' domain and fails to find its mapping. I would 
>>> expect this error to come up during login of a Domain user whose 
>>> primary group is a local 'wheel' group instead of a Domain group. If 
>>> this user is supposed to have 'wheel' as a primary group you probably 
>>> forgot to create a groupmap from a Domain group for it.
>>>
>>> Igor
>>
>>
> 
> 


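As an added example (not code from the thread or from Samba), a small parser for the Samba 3 debug log format pasted above that pairs the successful session setup with the failed tree connect, so the "authenticated but denied at tree connect" pattern Adrian describes can be picked out of a long level-5 log; it also copes with messages the mail archive wrapped onto a second line. The sample log is constructed, and the domain and user names in it are placeholders.

```python
import re

# Samba 3 debug header as it appears in the thread: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
AUTH_OK = re.compile(r"authentication for user \[[^\]]+\] -> \[[^\]]+\] -> \[([^\]]+)\] succeeded")
DENIED = re.compile(r"user '([^']+)' \(from session setup\) not permitted to access this share \(([^)]+)\)")

def parse_samba_log(text):
    """Attach every non-header line (indented, or wrapped by the archive) to the preceding header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"timestamp": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "function": m.group(4), "message": ""})
        elif entries and line.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def session_vs_tree_connect(text):
    """Return {"authenticated": [mapped user names], "denied": [(user, share)]}.
    Both lists non-empty is the pattern in this thread: session setup succeeds,
    but make_connection_snum cannot match the user against the share's access list."""
    result = {"authenticated": [], "denied": []}
    for e in parse_samba_log(text):
        if e["function"] == "check_ntlm_password" and (m := AUTH_OK.search(e["message"])):
            result["authenticated"].append(m.group(1))
        elif e["function"] == "make_connection_snum" and (m := DENIED.search(e["message"])):
            result["denied"].append((m.group(1), m.group(2)))
    return result

# Constructed sample in the thread's log format (placeholder domain DOMA and user jdoe, not the real log);
# the long messages are wrapped across two lines just as the mail archive shows them.
SAMPLE_LOG = r"""[2004/11/04 08:40:52, 2] auth/auth.c:check_ntlm_password(305)
   check_ntlm_password:  authentication for user [jdoe] -> [jdoe] ->
[DOMA\jdoe] succeeded
[2004/11/04 08:40:52, 4] smbd/reply.c:reply_tcon_and_X(408)
   Client requested device type [?????] for share [SHARED]
[2004/11/04 08:40:52, 2] smbd/service.c:make_connection_snum(314)
   user 'DOMA\jdoe' (from session setup) not permitted to access this
share (Shared)
[2004/11/04 08:40:52, 3] smbd/error.c:error_packet(129)
   error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    print(session_vs_tree_connect(SAMPLE_LOG))
```

Run it against a real log.smbd at "log level = 5" to see, per denied tree connect, which mapped user name the access list was checked against.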