[Samba] How to get users from a second AD domain recognized by samba?

Joel Therrien Joel_Therrien at uml.edu
Tue Aug 18 20:59:40 MDT 2009


I have an issue with getting my students access to the samba shares for 
our lab's server. I am using authentication through our university's 
active directory. I followed the directions for getting this set up 
using winbind. I am using winbind for both samba authentication as well 
as user logins through pam.

The trouble is this: I have no problems logging in and getting access to 
the samba shares. My students can log into shell accounts using their 
university credentials. But they cannot get into the samba shares.

A few details: The university splits the users according to 
faculty/staff and students, so I log in as UMLADCO\username, while the 
students log in as STUDENT\username. If it matters, they are all using 
win XP machines with the latest service packs, while I am using windows 
7 RC (though I did not have issues using an XP box either). Below are 
the smb.conf file, user map, and a typical log file from when a student 
tries to log in through one of the machines in the lab.

I made a lot of headway getting this thing to work, but this last part 
is just a brick wall that I can't get past.

This is on a Debian Lenny install using kernel 2.6.18-5amd64 and Samba 3.2.5

Thanks in advance for any help!

Joel Therrien

# smb.conf
# SAMBA CONFIG FILE

[global]

# netbios name
netbios name = nanoelecfs

# server string is the equivalent of the NT Description field
server string = Samba Server nanoelecfs

# realm = Kerberos realm
realm = FS.UML.EDU

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = UMLADCO

# Security mode.
security = ADS

# Password encryption
encrypt passwords = true

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
; log file = /var/log/samba/samba.log
log level = 3

# Unix users can map to different SMB User names
username map = /etc/samba/user.map

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no

# PAM-related
obey pam restrictions = yes
pam password change = yes

# Winbind separator
winbind separator = +

# Winbind use default domain
# This parameter specifies whether the winbindd daemon should
# operate on users without domain component in their username.
# Users without a domain component are treated as is part of
# the winbindd server's own domain. While this does not benefit
# Windows users, it makes SSH, FTP and e-mail function in a way
# much closer to the way they would in a native unix system.
# Default: winbind use default domain = no
winbind use default domain = yes

# RID to UID map
idmap backend = rid:"BUILTIN=1000-9999,UMLADCO=10000-60000"

idmap domains = UMLADCO, STUDENT
idmap config UMLADCO:backend = rid
idmap config UMLADCO:range = 10000-60000
idmap config BUILTIN:backend = rid
idmap config BUILTIN:range = 1000-9999

# RID idmap does not work with trusted domains
allow trusted domains = no

# Domain user id range
idmap uid = 1000-60000

# Domain group id range
idmap gid = 1000-60000

# Allow enumeration of domain users and groups
winbind enum users = no
winbind enum groups = no

# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the home
# directory for that user. If the string %D is present it is
# substituted with the user's Windows NT domain name. If the string
# %U is present it is substituted with the user's Windows NT user
# name.
template homedir = /home/%U

# When filling out the user information for a Windows NT user, the
# winbindd(8) daemon uses this parameter to fill in the login
# shell for that user.
template shell = /bin/bash

# This option defines the default primary group for each user
# created by winbindd(8) local account management functions
# (similar to the add user script).
; template primary group = "UMLADCO/Domain Users"
; template primary group = "Domain Users"

# Services
default service = homes
preload = global homes printers

# Default share values
valid users = @"UMLADCO/Domain Users"
admin users = "UMLADCO/Admin's username"

# Making samba play nice with vista

# client ntlmv2 auth = yes

#==================


[Data]
path = /home/data
comment = Data
browseable = yes
writable = yes
valid users = joel, tao, lian
# valid users = @"UMLADCO+EG therrienlab",\
# STUDENT+Tao_Jiang,\
# STUDENT+Carlos_Hernandez,\
# STUDENT+Daniel_Emerson,\
# STUDENT+Malavika_Vashist,\
# STUDENT+Aaron_Bandremer,\
# STUDENT+Lian_Dai,\
# STUDENT+Kyle_Twarowski,\
# joel_therrien
# admin users = Joel_Therrien
# read list = Joel_Therrien
# write list = Joel_Therrien

[ipc$]
path = /dev/null
comment = some voodoo that does work
valid users = joel

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
;public = yes
;to allow user 'guest account' to print

user.map file

# user.map
# SAMBA USERMAP FILE

# Unix_name = SMB_name1 SMB_name2 ...
joel = UMLADCO+Joel_Therrien
tao = STUDENT+Tao_Jiang
lian = STUDENT+Lian_Dai

samba log file for a winXP machine

[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 0 of length 137 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBnegprot (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [LANMAN1.0]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [Windows for Workgroups 3.1a]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [LM1.2X002]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [LANMAN2.1]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(568)
Requested protocol [NT LM 0.12]
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_nt1(392)
using SPNEGO
[2009/08/14 15:57:05, 3] smbd/negprot.c:reply_negprot(673)
Selected protocol NT LM 0.12
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 1 of length 240 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 40
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xa2088207
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 2 of length 276 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
Got user=[] domain=[] workstation=[UML-4F0C88A99EB] len1=1 len2=0
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(220)
check_ntlm_password: Checking password for unmapped user 
[]\[]@[UML-4F0C88A99EB] with the new password interface
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
check_ntlm_password: mapped user is: [UMLADCO]\[]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(269)
check_ntlm_password: guest authentication for user [] succeeded
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID 
[S-1-5-21-1671084997-507029419-2634510391-501]
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2009/08/14 15:57:05, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
NTLMSSP Sign/Seal - Initialising with flags:
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xa2088205
[2009/08/14 15:57:05, 3] smbd/password.c:register_existing_vuid(314)
register_existing_vuid: User name: nobody Real name: nobody
[2009/08/14 15:57:05, 3] smbd/password.c:register_existing_vuid(326)
register_existing_vuid: UNIX uid 65534 is UNIX user nobody, and will be 
vuid 100
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 3 of length 90 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBtconX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/service.c:make_connection_snum(940)
Connect path is '/tmp' for service [ipc$]
[2009/08/14 15:57:05, 3] lib/util_seaccess.c:se_access_check(249)
[2009/08/14 15:57:05, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-1671084997-507029419-2634510391-501
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
[2009/08/14 15:57:05, 3] smbd/vfs.c:vfs_init_default(96)
Initialising default vfs hooks
[2009/08/14 15:57:05, 3] smbd/vfs.c:vfs_init_custom(130)
Initialising custom vfs hooks from [/[Default VFS]/]
[2009/08/14 15:57:05, 3] lib/util_sid.c:string_to_sid(228)
string_to_sid: Sid joel does not start with 'S-'.
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 2] smbd/uid.c:change_to_user(192)
change_to_user: SMB user (unix user nobody, vuid 100) not permitted 
access to share ipc$.
[2009/08/14 15:57:05, 0] smbd/service.c:make_connection_snum(1082)
Can't become connected user!
[2009/08/14 15:57:05, 3] smbd/connection.c:yield_connection(31)
Yielding connection to ipc$
[2009/08/14 15:57:05, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/reply.c(662) cmd=117 (SMBtconX) 
NT_STATUS_LOGON_FAILURE
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 4 of length 43 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBulogoffX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/reply.c:reply_ulogoffX(1910)
ulogoffX vuid=100
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 5 of length 240 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
reply_spnego_negotiate: Got secblob of size 40
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xa2088207
[2009/08/14 15:57:05, 3] smbd/process.c:process_smb(1549)
Transaction 6 of length 358 (0 toread)
[2009/08/14 15:57:05, 3] smbd/process.c:switch_message(1361)
switch message SMBsesssetupX (pid 5608) conn 0x0
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
wct=12 flg2=0xc807
[2009/08/14 15:57:05, 2] smbd/sesssetup.c:setup_new_vc_session(1363)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/08/14 15:57:05, 3] 
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 
5.1] PrimaryDomain=[]
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
Got user=[lian_dai] domain=[STUDENT] workstation=[UML-4F0C88A99EB] 
len1=24 len2=24
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(220)
check_ntlm_password: Checking password for unmapped user 
[STUDENT]\[lian_dai]@[UML-4F0C88A99EB] with the new password interface
[2009/08/14 15:57:05, 3] auth/auth.c:check_ntlm_password(223)
check_ntlm_password: mapped user is: [STUDENT]\[lian_dai]@[UML-4F0C88A99EB]
[2009/08/14 15:57:05, 1] auth/auth.c:check_domain_match(171)
check_domain_match: Attempt to connect as user lian_dai from domain 
STUDENT denied.
[2009/08/14 15:57:05, 3] smbd/error.c:error_packet_set(61)
error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2009/08/14 15:57:05, 3] smbd/process.c:smbd_process(2035)
receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2009/08/14 15:57:05, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/08/14 15:57:05, 3] smbd/connection.c:yield_connection(31)
Yielding connection to
[2009/08/14 15:57:05, 3] smbd/server.c:exit_server_common(949)
Server exit (normal exit)
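The two failures visible in the log above (the anonymous IPC$ connection running as `nobody` being refused by the `[ipc$]` share, and `check_domain_match` rejecting `STUDENT\lian_dai` before any password check) are easy to miss among the level-3 context-stack noise. The following is an added triage script, not part of the original post and not Samba's own code: it parses smbd log records of this format (header line followed by one or more message lines, including messages wrapped across lines as in the mail archive), extracts share and domain denials, and reads the `[global]` section of smb.conf to report which settings explain a cross-domain denial. The sample log and config excerpts are taken from the post; the function names (`parse_smbd_log`, `triage`, etc.) and the second, idmap-related note are this example's own.

```python
"""Triage helper for "user from a second AD domain denied" in smbd logs."""
import re
from typing import Dict, List, Tuple

# Excerpt of the smbd log and of the [global] section from the post above
# (log lines wrapped exactly as they appear in the mail archive).
SAMPLE_LOG = """\
[2009/08/14 15:57:05, 3] smbd/service.c:make_connection_snum(940)
Connect path is '/tmp' for service [ipc$]
[2009/08/14 15:57:05, 2] smbd/uid.c:change_to_user(192)
change_to_user: SMB user (unix user nobody, vuid 100) not permitted
access to share ipc$.
[2009/08/14 15:57:05, 0] smbd/service.c:make_connection_snum(1082)
Can't become connected user!
[2009/08/14 15:57:05, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/08/14 15:57:05, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
Got user=[lian_dai] domain=[STUDENT] workstation=[UML-4F0C88A99EB]
len1=24 len2=24
[2009/08/14 15:57:05, 1] auth/auth.c:check_domain_match(171)
check_domain_match: Attempt to connect as user lian_dai from domain
STUDENT denied.
"""

SAMPLE_CONF = """\
[global]
workgroup = UMLADCO
realm = FS.UML.EDU
security = ADS
winbind separator = +
idmap config UMLADCO:backend = rid
idmap config UMLADCO:range = 10000-60000
# RID idmap does not work with trusted domains
allow trusted domains = no
[Data]
path = /home/data
valid users = joel, tao, lian
"""

# "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"; the location may be
# empty when the archive wrapped it onto the following line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]\s*(\S*)")
DOMAIN_DENIAL_RE = re.compile(
    r"check_domain_match: Attempt to connect as user (\S+) from domain (\S+) denied")
SHARE_DENIAL_RE = re.compile(
    r"\(unix user (\S+), vuid \d+\) not permitted access to share (\S+?)\.?$")


def parse_smbd_log(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (timestamp, level, location, message) records; message lines
    following a header are joined with single spaces."""
    records: List[list] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif records:
            cur = records[-1]
            if not cur[2]:          # wrapped header: this line is the location
                cur[2] = line.strip()
            else:
                cur[3] = (cur[3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]


def parse_global_section(conf: str) -> Dict[str, str]:
    """Minimal smb.conf reader: 'key = value' pairs of [global] only.
    '#' and ';' start comments; keys are lower-cased with whitespace
    collapsed so 'allow trusted domains' is looked up reliably."""
    settings: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            settings[" ".join(key.lower().split())] = val.strip()
    return settings


def explain_domain_denial(settings: Dict[str, str], domain: str) -> List[str]:
    """Settings in [global] that account for DOMAIN\\user being refused."""
    reasons = []
    workgroup = settings.get("workgroup", "").upper()
    trusted = settings.get("allow trusted domains", "yes").lower()
    if domain.upper() != workgroup and trusted in ("no", "false", "0"):
        reasons.append(f"'allow trusted domains = {trusted}' rejects every domain except "
                       f"the server's own workgroup {workgroup}, so {domain} is refused "
                       "before the password is even checked")
    if domain.upper() != workgroup and f"idmap config {domain.lower()}:range" not in settings:
        reasons.append(f"no 'idmap config {domain}:range' is set; with the rid backend each "
                       "domain needs its own non-overlapping range once it is allowed")
    return reasons


def triage(log_text: str, conf_text: str) -> Dict[str, object]:
    """Collect share denials, domain denials, and per-domain explanations."""
    records = parse_smbd_log(log_text)
    settings = parse_global_section(conf_text)
    share_denials, domain_denials = [], []
    for ts, _level, _loc, msg in records:
        if (m := SHARE_DENIAL_RE.search(msg)):
            share_denials.append((ts, m.group(1), m.group(2)))
        if (m := DOMAIN_DENIAL_RE.search(msg)):
            domain_denials.append((ts, m.group(1), m.group(2)))
    reasons = {d: explain_domain_denial(settings, d) for _, _, d in domain_denials}
    return {"share_denials": share_denials, "domain_denials": domain_denials,
            "reasons": reasons}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG, SAMPLE_CONF).items():
        print(key, val)
```

Run against the posted log, the script reports the `nobody` → `ipc$` refusal (the `valid users = joel` line on the `[ipc$]` section also blocks the anonymous IPC$ connection Windows makes first) and the `STUDENT\lian_dai` denial, tying the latter to `allow trusted domains = no`, which refuses any domain other than `UMLADCO` regardless of the username map or share-level `valid users` lists.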
