[Samba] user map Problem with security= ADS after upgrade from 3.5.13 to 3.6.4
"Maurer, Hansjörg"
Hansjoerg.Maurer at dlr.de
Thu Apr 12 06:04:35 MDT 2012
Hi
we are running samba on Linux as an AD member.
Linux is integrated into the AD with Vintela Authentication Services.
The "normal" AD Users are unix enabled and available on the linux system
using nss/vas.
Therefore we used
idmap config DLR: backend = nss
idmap config DLR: readonly = yes
In the AD we have some administrative accounts which are not unix
enabled (like username-adm)
Up to samba 3.5.13 we have been able to map these administrative accounts
to root on the samba server
root = DLR\username-adm
With 3.6.4 this does not work any more
If I connect from a workstation logged in as
DOMAIN\username-adm
I get a password prompt
It seems that the mapping is ok
Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\username-adm to root
but with 3.6.4 it seems that even if a user is mapped to root, a unix
account is required for the original user
Failed to find authenticated user DLR\username-adm via getpwnam(),
denying access.
Of course we can unix enable an adm-account, but before doing so, I want
to know if there might be another solution
Regards
Hansjörg
[2012/04/12 13:33:35.870906, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/04/12 13:33:35.871057, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/04/12 13:33:35.871282, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/04/12 13:33:35.871472, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.871698, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.876804, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.877386, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.877609, 3] auth/user_util.c:402(map_username)
Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.896434, 3] auth/auth_util.c:1028(check_account)
Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.
[2012/04/12 13:33:35.896609, 1] auth/user_krb5.c:211(make_server_info_krb5)
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.896794, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2012/04/12 13:33:35.896975, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.898900, 3] smbd/server_exit.c:180(exit_server_common)
Server exit (failed to receive smb request)
[2012/04/12 13:33:35.911450, 3] smbd/negprot.c:419(reply_nt1)
using SPNEGO
[2012/04/12 13:33:35.911651, 3] smbd/negprot.c:704(reply_negprot)
Selected protocol NT LM 0.12
[2012/04/12 13:33:35.912998, 3] smbd/process.c:1662(process_smb)
Transaction 1 of length 6992 (0 toread)
[2012/04/12 13:33:35.913232, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 4861) conn 0x0
[2012/04/12 13:33:35.913366, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/04/12 13:33:35.913530, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/04/12 13:33:35.913647, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/04/12 13:33:35.913803, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.914000, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.919423, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.919825, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username)
Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.931919, 3] auth/auth_util.c:1028(check_account)
Failed to find authenticated user DLR\username-adm via getpwnam(), denying access.
[2012/04/12 13:33:35.932087, 1] auth/user_krb5.c:211(make_server_info_krb5)
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.932385, 1] smbd/sesssetup.c:379(reply_spnego_kerberos)
make_server_info_krb5 failed!
[2012/04/12 13:33:35.932603, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.938360, 3] smbd/server_exit.c:180(exit_server_common)
Server exit (failed to receive smb request)
[2012/04/12 13:33:35.944654, 3] lib/access.c:338(allow_access)
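
Added example, not part of the original post and not Samba code: a Python scan of an smbd debug log for the pattern reported above, a username-map hit in map_username followed by a getpwnam() denial in check_account for the same original name. The sample log lines and the EXAMPLE\svc-adm and EXAMPLE\alice-adm names are constructed; the parser also accepts headers that a mail client wrapped onto two lines.

```python
import re

# Constructed sample in the smbd debug-log layout shown in the post
# (header line, then message lines); the EXAMPLE\... names are placeholders.
SAMPLE_LOG = r"""
[2012/04/12 13:33:35.877609,  3] auth/user_util.c:402(map_username)
  Mapped user EXAMPLE\svc-adm to root
[2012/04/12 13:33:35.896434,  3]
auth/auth_util.c:1028(check_account)
  Failed to find authenticated user EXAMPLE\svc-adm via getpwnam(),
  denying access.
[2012/04/12 13:34:02.100000,  3] auth/user_util.c:402(map_username)
  Mapped user EXAMPLE\alice-adm to root
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+:\d+\((\w+)\)$")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
DENIED = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")


def parse_records(text):
    """Group lines into (timestamp, function, message) records.
    Accepts headers whose file:line(function) part wrapped onto the next line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            loc = LOCATION.match(m.group(3))
            records.append([m.group(1), loc.group(1) if loc else None, []])
        elif records and records[-1][1] is None and LOCATION.match(line):
            records[-1][1] = LOCATION.match(line).group(1)
        elif records and line:
            records[-1][2].append(line)
    return [(ts, fn, " ".join(msg)) for ts, fn, msg in records]


def mapped_then_denied(text):
    """Return (timestamp, original, mapped_to) where a username-map hit was
    followed by a getpwnam() denial for the same original name."""
    pending, findings = {}, []
    for ts, fn, msg in parse_records(text):
        if fn == "map_username" and (m := MAPPED.search(msg)):
            pending[m.group(1)] = m.group(2)
        elif fn == "check_account" and (m := DENIED.search(msg)):
            if m.group(1) in pending:
                findings.append((ts, m.group(1), pending.pop(m.group(1))))
    return findings
```
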