Re: only admin idmap cannot be resolved any longer

c.vielhauer at me.com c.vielhauer at me.com
Wed Jan 18 00:00:10 UTC 2017


BEGIN smb.conf
[global]
        workgroup                       = DOMAINNAME
        realm                           = DOMAINNAME.LOCAL
        netbios name                    = fs
        preferred master                = no
        server string                   = FileServer
        security                        = ADS
        encrypt passwords               = yes
        interfaces                      = eth0 10.27.0.0/16
        ldap server require strong auth = No

        log file                        = /var/log/samba/%m.log
        max log size                    = 50
        log level                       = 3 winbind:99 idmap:99

        time server                     = yes
        template shell                  = /bin/bash
        idmap config *:backend          = tdb
        idmap config *:range            = 70001-80000
        idmap config EXAMPLEDOM:backend       = rid
        idmap config EXAMPLEDOM:range         = 10000 - 49999
        winbind trusted domains only    = no
        winbind use default domain      = yes
        winbind enum users              = yes
        winbind enum groups             = yes

[file-exchange]
        comment         = File Share
        path            = /mnt/user-data/file-exchange
        guest ok        = Yes
        browseable      = Yes
        writeable       = Yes
        force group     = @file-exchange_writelist
        create mask     = 0770
        write list      = @file-exchange_writelist
        valid users     = @file-exchange_userlist

….
END smb.conf

Maybe this information is also helpful:
	The getent passwd and getent group commands work as expected.
	I can see all users and groups, local and from AD.
	If I add a new user in the domain, I can also see this user in getent passwd and wbinfo -u,
	but I also cannot log on with this new user via smbclient.

	A reboot does not help….

	Updating AD1 to the latest stable 4.5.3 changed nothing in the file server's behaviour.

On another file server it still works with user admin. Same smb.conf, but netbios name = fs-mbd, and also a member of the same DC AD1.
	root@fs-mbd:~# smbclient -U admin \\\\fs-mbd\\file-exchange
	Enter admin's password:
	Domain=[SCHNIPPERING] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
	smb: \> ^C

From: Rowland Penny
Sent: Tuesday, 17 January 2017 21:14
To: samba-technical at lists.samba.org
Subject: Re: only admin idmap cannot be resolved any longer

On Tue, 17 Jan 2017 18:00:39 +0100
c.vielhauer at me.com wrote:

> Hi samba list,
> 
> I have no idea what is happening, but only the idmapping of my admin user
> cannot be resolved any longer on my file server (4.3.11-Ubuntu).
> 
> Maybe this is the wrong list, but I hope I am right here :-)
> 
> 
> The following commands on the file server:
> wbinfo -n admin
> =>
> S-1-5-21-4276986800-2750720779-1919105469-1107 SID_USER (1)
> 
> 
> wbinfo -S S-1-5-21-4276986800-2750720779-1919105469-1107
> =>
> 11107
> 
> 
> 4 drwx------  33 11107          domain users  4096 Jan 11 19:12 admin
> 4 drwx------  13 administrator  domain users  4096 Okt 10  2015 administrator
> 
> 
> root@fs:/mnt/user-data/home# smbclient -U admin \\\\fs\\file-exchange
> WARNING: The "syslog" option is deprecated
> Enter admin's password:
> session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> 
> In the log I can see this:
> [2017/01/17 17:17:57.806761, 1] ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-4276986800-2750720779-1919105469-1107 -> getpwuid(11107) failed
> [2017/01/17 17:17:57.806946, 1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
>   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
> 
> 
> 
> The admin user logon from the file server to the AD server's sysvol
> directory works fine:
> 
> smbclient -U admin \\\\ad1\\sysvol
> Enter admin's password:
> Domain=[SCHNIPPERING] OS=[Windows 6.1] Server=[Samba 4.5.2]
> smb: \>
> 
> 
> 
> 
> On my AD server (4.5.2, built from source) and proxy (4.3.11-Ubuntu) it
> still works correctly.
> 
> 
> Is there a way to clear the idmap cache for the idmap 11107 / admin /
> SID on the file server, or maybe you have any other idea?
> 

Can you please post your smb.conf from the 'file server'

Rowland
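An added example for working through the numbers in this thread; it is not code from the Samba project or from either poster. It parses the `idmap config` lines of the smb.conf posted above (with the anonymised domain names exactly as posted), reports the two things a reviewer checks first in a member server's idmap setup (the workgroup has its own `idmap config` block, and no two ranges overlap), and computes the UID the idmap_rid backend hands out: RID + base_rid + low end of the range, per idmap_rid(8), with base_rid defaulting to 0. The function names and the findings text are invented for this example.

```python
"""Sanity-check the idmap configuration in a Samba member server's smb.conf
and compute the UID the idmap_rid backend produces for a given SID.

Added example for this thread, not Samba project code. The smb.conf
fragment and the admin SID/UID pair are copied from the posts above;
parse_idmap / check_idmap / expected_rid_uid are names invented here.
"""
import re

# Constructed input: the [global] idmap lines from the posted smb.conf.
SMB_CONF = """
[global]
        workgroup                       = DOMAINNAME
        realm                           = DOMAINNAME.LOCAL
        security                        = ADS
        idmap config *:backend          = tdb
        idmap config *:range            = 70001-80000
        idmap config EXAMPLEDOM:backend = rid
        idmap config EXAMPLEDOM:range   = 10000 - 49999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Return (workgroup, {domain: {option: value}}) from a smb.conf string."""
    domains, workgroup = {}, None
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
            continue
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
    return workgroup, domains


def parse_range(text):
    """'10000 - 49999' or '10000-49999' -> (10000, 49999); Samba accepts both."""
    low, high = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    if low > high:
        raise ValueError("idmap range low > high: %r" % text)
    return low, high


def check_idmap(conf):
    """Return a list of findings (strings); empty means nothing stood out."""
    workgroup, domains = parse_idmap(conf)
    findings = []
    if workgroup not in domains:
        # Without its own block the workgroup's users are allocated from the
        # '*' backend (tdb here), i.e. from 70001 upwards, not from 10000.
        findings.append(
            "no 'idmap config %s:*' block; the domain falls back to the '*' "
            "backend (%s)" % (workgroup, domains.get("*", {}).get("backend", "unset")))
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(ordered, ordered[1:]):
        if r2[0] <= r1[1]:
            findings.append("idmap ranges of %s and %s overlap" % (d1, d2))
    return findings


def rid_of(sid):
    """The last sub-authority of a SID string is the RID."""
    return int(sid.rsplit("-", 1)[1])


def expected_rid_uid(conf, domain, sid):
    """UID idmap_rid hands out: RID + base_rid + low range (idmap_rid(8))."""
    _, domains = parse_idmap(conf)
    opts = domains[domain.upper()]
    if opts.get("backend", "").lower() != "rid":
        raise ValueError("%s does not use the rid backend" % domain)
    low, high = parse_range(opts["range"])
    uid = rid_of(sid) + int(opts.get("base_rid", 0)) + low
    if not low <= uid <= high:
        raise ValueError("RID %d maps outside the configured range" % rid_of(sid))
    return uid


if __name__ == "__main__":
    ADMIN_SID = "S-1-5-21-4276986800-2750720779-1919105469-1107"  # from the post
    for f in check_idmap(SMB_CONF):
        print("finding:", f)
    print("rid backend maps", ADMIN_SID, "to uid",
          expected_rid_uid(SMB_CONF, "EXAMPLEDOM", ADMIN_SID))
```

Two things follow from running this against the posted numbers. First, 1107 + 10000 = 11107 is exactly what `wbinfo -S` returned on the broken file server, so the SID-to-UID step inside winbind is intact; the log line that fails is `getpwuid(11107)`, which is the NSS lookup path (libnss_winbind via nsswitch.conf, served from winbind's cache), so `getent passwd 11107` on that server is the check worth doing next to the `wbinfo -S` call, and `net cache flush` is the command that empties winbind's cache, which the original question asks about. Second, as posted the workgroup is `DOMAINNAME` but the rid block is `EXAMPLEDOM`; on the real server these must be the same short domain name (the smbclient output shows it as SCHNIPPERING), otherwise the domain would be using the `*` tdb range from 70001 and could not have produced 11107, so the mismatch here is an artefact of the anonymisation rather than of the running config.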