[Samba] smbd not talking to winbindd?

David Magda dmagda at ee.ryerson.ca
Mon Jan 25 09:46:42 MST 2010


Hello,

I'm running a compiled-from-source instance of Samba 3.4.5 on RHEL AS 4u2,
and am having some flakiness with AD-Unix mappings. We're talking to a
Windows 2008R2 server, with AD in "2003 mode" I believe.

What the issue appears to be is that smbd does not seem to want to talk
with winbindd. One moment my account worked:

[2010/01/25 08:13:07,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[dmagda] domain=[ADS] workstation=[TOR123] len1=24 len2=24
[2010/01/25 08:13:07,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[ADS]\[dmagda]@[TOR123] with the new password interface
[2010/01/25 08:13:07,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADS]\[dmagda]@[TOR123]
[...]
[2010/01/25 08:13:07,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADS]\[dmagda]@[TOR123]
[2010/01/25 08:13:07,  3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dmagda] succeeded
[2010/01/25 08:13:07,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [dmagda] -> [dmagda] ->
[ADS+dmagda] succeeded
[2010/01/25 08:13:07,  3] smbd/password.c:269(register_existing_vuid)
  register_existing_vuid: User name: ADS+dmagda Real name:
[2010/01/25 08:13:07,  3] smbd/password.c:279(register_existing_vuid)
  register_existing_vuid: UNIX uid 16777216 is UNIX user ADS+dmagda, and
will be vuid 100
[2010/01/25 08:13:07,  3] smbd/password.c:211(register_homes_share)
  Adding homes service for user 'ADS+dmagda' using home directory:
'/var/empty/sshd'
[2010/01/25 08:13:07,  3] smbd/service.c:1047(make_connection_snum)
  tor123 (::ffff:10.aaa.bbb.ccc) connect to service IPC$ initially as user
ADS+dmagda (uid=16777216, gid=16777218) (pid 22758)

I then uncommented a share in "smb.conf" and restarted smbd:

[2010/01/25 08:13:54,  3] param/loadparm.c:9040(lp_load_ex)
  lp_load_ex: refreshing parameters
Initialising global parameters
[2010/01/25 08:13:54,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samb/smb.conf"
[2010/01/25 08:13:54,  3] param/loadparm.c:7727(do_section)
  Processing section "[global]"
[...]

And suddenly I no longer get a mapping:

[2010/01/25 08:14:08,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/01/25 08:14:08,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/01/25 08:14:08,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[dmagda] domain=[ADS] workstation=[TOR123] len1=24 len2=24
[2010/01/25 08:14:08,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[ADS]\[dmagda]@[TOR123] with the new password interface
[2010/01/25 08:14:08,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [ADS]\[dmagda]@[TOR123]
[...]
[2010/01/25 08:14:08,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [dmagda] -> [dmagda]
FAILED with error NT_STATUS_NO_SUCH_USER
[2010/01/25 08:14:08,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

Reverting the change (i.e., re-commenting out that share and
restarting) didn't work: things still stayed broken.

If I try putting my account into /etc/passwd, then all of a sudden things
work again. Also, if I add a "username map" entry to my smb.conf (and
comment out all the uidmap/winbind stuff), and have the following line in
/etc/samba/smbusers:

	nobody = *

Things generally work again as well.

Is there any particular reason why smbd would stop talking with winbindd?

I don't necessarily mind using a generic 'smbusers' file, as access is 
read-only, but are there any real differences between mapping to the Unix
"nobody" account and getting a random UID from winbind?



My sanitized smb.conf file:

[global]
	server string = fileserv (File Server)
	netbios name = FILESERV

	workgroup = ADS
	security = domain
	password server = adchost1, adchost2, adshost3

	wins server = 111.222.333.444, 222.333.444.555
	domain master = no
	local master = no
	unix password sync = false

	lock directory = /var/spool/locks
	max log size = 0
	log level = 1
	socket options = SO_KEEPALIVE
	deadtime = 15
	kernel oplocks = yes
	aio read size = 1

	disable spoolss = yes
	show add printer wizard = no
	printing = bsd
	client schannel = no   # doesn't help, with or without this line

	passdb backend = tdbsam
	idmap backend = tdb
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	template shell = /bin/false
	template homedir = /var/empty/sshd

	winbind separator = +
	winbind nested groups = yes
	winbind enum users = yes

	winbind use default domain = yes   # also tried "no"
	winbind trusted domains only = no
	allow trusted domains = yes

# share below this line
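
Added example, not part of the original post: a small Python parser for the smbd log format quoted above. It folds the mail-wrapped continuation lines back into their records and flags any user whose final check_ntlm_password verdict flips from "succeeded" to NT_STATUS_NO_SUCH_USER, the pattern described in the message. The function names are illustrative and the sample log is constructed from the excerpts.

```python
import re

# Constructed sample in the shape of the excerpts above, keeping the
# mail-wrapped continuation lines (one of which starts with "[").
SAMPLE_LOG = """\
[2010/01/25 08:13:07,  3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dmagda] succeeded
[2010/01/25 08:13:07,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [dmagda] -> [dmagda] ->
[ADS+dmagda] succeeded
[2010/01/25 08:14:08,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [dmagda] -> [dmagda]
FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Record header: "[timestamp, level] file:line(function)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s+\d+\] \S+:\d+\((\w+)\)$")
# Final verdict only; the intermediate "winbind authentication ..." line has no "->".
OUTCOME = re.compile(
    r"authentication for user \[([^\]]+)\] -> \[[^\]]+\]"
    r"(?: -> \[([^\]]+)\] succeeded| FAILED with error (NT_STATUS_\w+))",
    re.IGNORECASE)

def parse_records(text):
    """Return [time, function, message] per record, folding continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), ""])
        elif records and line.strip():
            # Indented or wrapped text belongs to the most recent header.
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return records

def auth_events(records):
    """Yield (time, user, unix_name or None, nt_status or None) per verdict."""
    for time, func, msg in records:
        m = OUTCOME.search(msg)
        if func == "check_ntlm_password" and m:
            yield time, m.group(1), m.group(2), m.group(3)

def regressions(events):
    """Users mapped successfully earlier that later fail with NO_SUCH_USER."""
    seen_ok, flagged = {}, []
    for time, user, unix_name, status in events:
        if unix_name:
            seen_ok[user] = (time, unix_name)
        elif status == "NT_STATUS_NO_SUCH_USER" and user in seen_ok:
            flagged.append((user, seen_ok[user][1], seen_ok[user][0], time))
    return flagged
```

Each flagged tuple is (user, previously mapped Unix name, time of last success, time of failure); a password failure would carry a different NT_STATUS code and is not flagged.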


