[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users

Martin Decker martin.decker at gmx.net
Mon Aug 21 15:25:31 UTC 2017


Dear Rowland,

Our Windows admin assured me that they have set uidNumber and gidNumber in
the range. I have requested screenshots for confirmation.

Now we are one step further: "getent passwd | grep mdecker" now lists the
AD account.

mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

With "getent passwd mdecker" however, it shows "NT_STATUS_NO_SUCH_USER".

getent passwd mdecker

winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER

Also not working:

getnet passwd mdecker
getent passwd "MYDOM\\mdecker"

What is working, though, is when I give the REALM suffix ".ADS":

getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

For "getent group" currently, the issue is: "rejecting getgrsid()", although
the Group "DOMAIN USERS" was successfully resolved from name to SID.

getent group "MYDOM\\DOMÄNEN-BENUTZER"

wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER -> S-1-5-21-1585417398-3384821309-2524188735-513 (NT_STATUS_OK)
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513: NT_STATUS_NO_SUCH_GROUP

Is there anything else to set up on Windows side in order for getgrsid to
work?

With wbinfo, I can do these successfully:

wbinfo --sid-to-uid "S-1-5-21-1585417398-3384821309-2524188735-13667"
13667


root@solaris1:/# wbinfo --uid-info=13667
mdecker:*:13667:7142::/home/MYDOM/mdecker:/bin/false

... but "wbinfo -r" does not work:

root@solaris1:/# wbinfo -r mdecker
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user mdecker

Testing access to a Solaris SMB Share from Windows, reports this error when
trying to mount the share:


[2017/08/21 17:19:44.281527,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [mdecker@MYDOM.ADS]
[2017/08/21 17:19:44.281680, 10] auth/user_krb5.c:82(get_user_from_kerberos_info)
  Domain is [MYDOM] (using PAC)
[2017/08/21 17:19:44.281747,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user MYDOM\mdecker
[2017/08/21 17:19:44.281805,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is MYDOM\mdecker
[2017/08/21 17:19:44.283946,  5] lib/username.c:123(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MYDOM\mdecker
[2017/08/21 17:19:44.284685,  5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MYDOM\MDECKER
[2017/08/21 17:19:44.285073,  5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in MYDOM\mdecker
[2017/08/21 17:19:44.285150,  5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mdecker]!
[2017/08/21 17:19:44.285222,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user mdecker
[2017/08/21 17:19:44.285323,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is mdecker
[2017/08/21 17:19:44.285755,  5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MDECKER
[2017/08/21 17:19:44.286128,  5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in mdecker
[2017/08/21 17:19:44.286197,  5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [mdecker]!
[2017/08/21 17:19:44.287762,  1] auth/user_krb5.c:161(get_user_from_kerberos_info)
  Username MYDOM\mdecker is invalid on this system
[2017/08/21 17:19:44.287963,  3] smbd/error.c:77(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Any ideas?

Best regards,
Martin




2017-08-18 17:48 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Fri, 18 Aug 2017 17:32:34 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your feedback. I have changed the parameters, but still
> > no success.
> >
> > winbind use default domain = yes
> >          idmap config * : range = 1000000-1999999
> >          idmap config MYDOM : range = 100-999999
> >
>
> You are using the winbind 'ad' backend, so do your AD domain users
> have a uidNumber attribute containing a unique number inside the range
> '100-999999' AND does 'Domain Users' have a gidNumber attribute
> containing a number in the same range?
>
> Rowland



-- 
--
Martin Decker

