[Samba] user map Problem with security= ADS after upgrade from 3.5.13 to 3.6.4

"Maurer, Hansjörg" Hansjoerg.Maurer at dlr.de
Thu Apr 12 06:04:35 MDT 2012


Hi

we are running samba on Linux as an AD member.
Linux is integrated into the AD with Vintela Authentication Services.
The "normal" AD Users are unix enabled and available on the linux system 
using nss/vas.

Therefore we used

         idmap config DLR: backend  = nss
         idmap config DLR: readonly = yes

In the AD we have some administrative accounts which are not unix 
enabled (like username-adm)

Up to samba 3.5.13 we have been able to map these administrative accounts 
to root on the samba server

root =  DLR\username-adm

With 3.6.4 this does not work any more
If I connect from a workstation logged in as
DOMAIN\username-adm
I get a password prompt

It seems that  the mapping is ok

   Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072,  3] auth/user_util.c:402(map_username)
   Mapped user DLR\username-adm to root

but with 3.6.4 it seems that even if a user is mapped to root, a unix 
account is required for the original user

  Failed to find authenticated user DLR\username-adm via getpwnam(), 
denying access.


Of course we can unix enable an adm-account, but before doing so, I want 
to know if there might be another solution


Regards

Hansjörg



[2012/04/12 13:33:35.870906,  3] 
smbd/sesssetup.c:1333(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/04/12 13:33:35.871057,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2012/04/12 13:33:35.871282,  3] 
smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/04/12 13:33:35.871472,  3] 
smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
   NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] 
PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.871698,  3] 
smbd/sesssetup.c:660(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.876804,  3] libads/authdata.c:332(decode_pac_data)
   Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.877386,  3] 
auth/user_krb5.c:50(get_user_from_kerberos_info)
   Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.877609,  3] auth/user_util.c:402(map_username)
   Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.896434,  3] auth/auth_util.c:1028(check_account)
   Failed to find authenticated user DLR\username-adm via getpwnam(), 
denying access.
[2012/04/12 13:33:35.896609,  1] auth/user_krb5.c:211(make_server_info_krb5)
   make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.896794,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
   make_server_info_krb5 failed!
[2012/04/12 13:33:35.896975,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.898900,  3] smbd/server_exit.c:180(exit_server_common)
   Server exit (failed to receive smb request)


[2012/04/12 13:33:35.911450,  3] smbd/negprot.c:419(reply_nt1)
   using SPNEGO
[2012/04/12 13:33:35.911651,  3] smbd/negprot.c:704(reply_negprot)
   Selected protocol NT LM 0.12
[2012/04/12 13:33:35.912998,  3] smbd/process.c:1662(process_smb)
   Transaction 1 of length 6992 (0 toread)
[2012/04/12 13:33:35.913232,  3] smbd/process.c:1467(switch_message)
   switch message SMBsesssetupX (pid 4861) conn 0x0
[2012/04/12 13:33:35.913366,  3] 
smbd/sesssetup.c:1333(reply_sesssetup_and_X)
   wct=12 flg2=0xc807
[2012/04/12 13:33:35.913530,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2012/04/12 13:33:35.913647,  3] 
smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2012/04/12 13:33:35.913803,  3] 
smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
   NativeOS=[Windows Server 2003 3790 Service Pack 2] NativeLanMan=[] 
PrimaryDomain=[Windows Server 2003 5.2]
[2012/04/12 13:33:35.914000,  3] 
smbd/sesssetup.c:660(reply_spnego_negotiate)
   reply_spnego_negotiate: Got secblob of size 6731
[2012/04/12 13:33:35.919423,  3] libads/authdata.c:332(decode_pac_data)
   Found account name from PAC: username-adm [username-adm]
[2012/04/12 13:33:35.919825,  3] 
auth/user_krb5.c:50(get_user_from_kerberos_info)
   Kerberos ticket principal name is [username-adm at INTRA.DLR.DE]
[2012/04/12 13:33:35.920072,  3] auth/user_util.c:402(map_username)
   Mapped user DLR\username-adm to root

[2012/04/12 13:33:35.931919,  3] auth/auth_util.c:1028(check_account)
   Failed to find authenticated user DLR\username-adm via getpwnam(), 
denying access.
[2012/04/12 13:33:35.932087,  1] auth/user_krb5.c:211(make_server_info_krb5)
   make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/04/12 13:33:35.932385,  1] smbd/sesssetup.c:379(reply_spnego_kerberos)
   make_server_info_krb5 failed!
[2012/04/12 13:33:35.932603,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2012/04/12 13:33:35.938360,  3] smbd/server_exit.c:180(exit_server_common)
   Server exit (failed to receive smb request)
[2012/04/12 13:33:35.944654,  3] lib/access.c:338(allow_access)
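
Added example, not part of the original post and not Samba code: a small Python parser for smbd level-3 log output in the format quoted above. It pairs each map_username result with a later check_account getpwnam() failure for the same original user, which is the symptom described in this message. The sample log is constructed from lines in the post; the DLR\otheruser entry is made up to show an unmapped failure being ignored.

```python
import re

# Constructed sample in the smbd log format quoted in the post (mail-wrapped lines included).
SAMPLE_LOG = r"""
[2012/04/12 13:33:35.877609,  3] auth/user_util.c:402(map_username)
  Mapped user DLR\username-adm to root
[2012/04/12 13:33:35.896434,  3]
auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DLR\username-adm via getpwnam(),
denying access.
[2012/04/12 13:40:00.000000,  3] auth/auth_util.c:1028(check_account)
  Failed to find authenticated user DLR\otheruser via getpwnam(),
denying access.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+\d+\]\s*(.*)$")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
FAILED = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")


def parse_records(text):
    """Split log text into (timestamp, message) records, rejoining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2).strip()])
        elif records and line.strip():
            # Continuation of the current record (message body or wrapped text).
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return [(ts, msg) for ts, msg in records]


def find_mapped_but_denied(text):
    """Return (timestamp, original_user, mapped_to) for users that were mapped
    by the username map but then rejected because getpwnam() on the original
    name failed."""
    mapped, hits = {}, []
    for ts, msg in parse_records(text):
        m = MAPPED.search(msg)
        if m:
            mapped[m.group(1)] = m.group(2)
            continue
        f = FAILED.search(msg)
        if f and f.group(1) in mapped:
            hits.append((ts, f.group(1), mapped.pop(f.group(1))))
    return hits


if __name__ == "__main__":
    for ts, user, target in find_mapped_but_denied(SAMPLE_LOG):
        print(f"{ts}: {user} was mapped to {target} but denied (no unix account for {user})")
```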




