[Samba] help: id user: non-existent user using Active Directory connection (NT_STATUS_OBJECT_NAME_NOT_FOUND)
David Touzeau
david at touzeau.eu
Thu Aug 4 06:36:44 MDT 2011
Dear all, I have connected Samba 3.5.6 with an Active Directory 2008 R2.
When I try to get the UID number of an Active Directory user on the
Linux box:
*********************************************
root@bdc2:~# id angelique
id: angelique : utilisateur inexistant (means non-existent user)
*********************************************
The winbindd debug output claims NT_STATUS_OBJECT_NAME_NOT_FOUND and
NT_STATUS_INVALID_PARAMETER, but the Active Directory is correctly linked.
Where am I wrong?
***************************************
Winbind debug output:
trusted_domains(ads): Searching trusted domain list of TOUZEAU and storing trust flags for domain touzeau.home
[2011/08/04 14:23:45.166249, 10] winbindd/winbindd_cache.c:4397(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain TOUZEAU (touzeau.home), SID S-1-5-21-3487440176-1554673074-2687830590, flags = 0x1d, attributes = 0x0, type = 0x2
[2011/08/04 14:23:45.166273, 10] winbindd/winbindd_cache.c:4121(add_wbdomain_to_tdc_array)
  add_wbdomain_to_tdc_array: Found existing record for TOUZEAU
[2011/08/04 14:23:45.166284, 10] winbindd/winbindd_cache.c:4206(pack_tdc_domains)
  pack_tdc_domains: Packing 3 trusted domains
[2011/08/04 14:23:45.166298, 10] winbindd/winbindd_cache.c:4225(pack_tdc_domains)
  pack_tdc_domains: Packing domain BUILTIN ()
[2011/08/04 14:23:45.166309, 10] winbindd/winbindd_cache.c:4225(pack_tdc_domains)
  pack_tdc_domains: Packing domain BDC2 ()
[2011/08/04 14:23:45.166319, 10] winbindd/winbindd_cache.c:4225(pack_tdc_domains)
  pack_tdc_domains: Packing domain TOUZEAU (touzeau.home)
[2011/08/04 14:23:45.166337, 4] winbindd/winbindd_dual.c:1532(fork_domain_child)
  Finished processing child request 20
[2011/08/04 14:23:45.166347, 10] winbindd/winbindd_dual.c:1548(fork_domain_child)
  Writing 3560 bytes to parent
[2011/08/04 14:23:45.166363, 10] lib/events.c:182(get_timed_events_timeout)
  timed_events_timeout: 2909/510746
[2011/08/04 14:23:47.371126, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 2302:GETPWNAM
[2011/08/04 14:23:47.371158, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam angelique
[2011/08/04 14:23:47.371187, 10] winbindd/winbindd_cache.c:451(fetch_cache_seqnum)
  fetch_cache_seqnum: timeout [TOUZEAU][33401 @ 1312460590]
[2011/08/04 14:23:47.371200, 3] winbindd/winbindd_ads.c:1206(sequence_number)
  ads: fetch sequence_number for TOUZEAU
[2011/08/04 14:23:47.371210, 10] winbindd/winbindd_ads.c:46(ads_cached_connection)
  ads_cached_connection
[2011/08/04 14:23:47.371220, 7] winbindd/winbindd_ads.c:59(ads_cached_connection)
  Current tickets expire in 35422 seconds (at 1312496049, time is now 1312460627)
[2011/08/04 14:23:47.371726, 5] libads/ldap_utils.c:64(ads_do_search_retry_internal)
  Search for (objectclass=*) in <> gave 1 replies
[2011/08/04 14:23:47.371770, 10] winbindd/winbindd_cache.c:494(wcache_store_seqnum)
  wcache_store_seqnum: success [TOUZEAU][33401 @ 1312460627]
[2011/08/04 14:23:47.371784, 10] winbindd/winbindd_cache.c:581(refresh_sequence_number)
  refresh_sequence_number: TOUZEAU seq number is now 33401
[2011/08/04 14:23:47.371799, 10] winbindd/idmap_ad.c:71(ad_idmap_cached_connection_internal)
  ad_idmap_cached_connection: called for domain 'TOUZEAU'
[2011/08/04 14:23:47.371810, 7] winbindd/idmap_ad.c:86(ad_idmap_cached_connection_internal)
  Current tickets expire in 35451 seconds (at 1312496078, time is now 1312460627)
[2011/08/04 14:23:47.380451, 5] libads/ldap_utils.c:64(ads_do_search_retry_internal)
  Search for (uid=angelique) in <dc=TOUZEAU,dc=HOME> gave 0 replies
[2011/08/04 14:23:47.380476, 5] winbindd/winbindd_cache.c:1206(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
[2011/08/04 14:23:47.380497, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send)
  Could not parse domain user: angelique
[2011/08/04 14:23:47.380515, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER
[2011/08/04 14:23:47.380528, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[2302:GETPWNAM]: NT_STATUS_INVALID_PARAMETER
[2011/08/04 14:23:47.380552, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[2302:GETPWNAM]: deliverd response to client
[2011/08/04 14:23:50.163136, 10] lib/events.c:131(run_events)
  Running timed event "rescan_trusted_domains" 0x7f88fb21c7c0
[2011/08/04 14:23:50.163284, 4] winbindd/winbindd_dual.c:1524(fork_domain_child)
  child daemon request 20
[2011/08/04 14:23:50.166642, 10] winbindd/winbindd_dual.c:479(child_process_request)
  child_process_request: request fn LIST_TRUSTDOM
[2011/08/04 14:23:50.166666, 3] winbindd/winbindd_misc.c:159(winbindd_dual_list_trusted_domains)
  [15477]: list trusted domains
[2011/08/04 14:23:50.166684, 10] winbindd/winbindd_cache.c:2780(trusted_domains)
  trusted_domains: [Cached] - doing backend query for info for domain TOUZEAU
[2011/08/04 14:23:50.166698, 3] winbindd/winbindd_ads.c:1269(trusted_domains)
  ads: trusted_domains
[2011/08/04 14:23:50.166721, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_DsrEnumerateDomainTrusts: struct netr_DsrEnumerateDomainTrusts
***************************************
I have set nsswitch.conf as follows:
***************************************
passwd: files ldap winbind
group: files ldap winbind
shadow: files ldap winbind
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
aliases: files
automount: ldap files
***************************************
Here is the krb5.conf:
***************************************
[libdefaults]
default_realm = TOUZEAU.HOME
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
[realms]
TOUZEAU.HOME = {
kdc = win-rsf60g6as1l.touzeau.home
admin_server = win-rsf60g6as1l.touzeau.home
default_domain = touzeau.home
}
[domain_realm]
.kerberos.server=TOUZEAU.HOME
.touzeau.home=TOUZEAU.HOME
[kdc]
profile = /etc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
***************************************
wbinfo -u output:
***************************************
TOUZEAU/administrateur
TOUZEAU/invité
TOUZEAU/krbtgt
TOUZEAU/david.touzeau
TOUZEAU/angelique
***************************************
wbinfo -g output:
***************************************
TOUZEAU/ordinateurs du domaine
TOUZEAU/contrôleurs de domaine
TOUZEAU/administrateurs du schéma
TOUZEAU/administrateurs de l’entreprise
TOUZEAU/éditeurs de certificats
TOUZEAU/admins du domaine
TOUZEAU/utilisateurs du domaine
TOUZEAU/invités du domaine
TOUZEAU/propriétaires créateurs de la stratégie de groupe
TOUZEAU/serveurs ras et ias
TOUZEAU/groupe de réplication dont le mot de passe rodc est autorisé
TOUZEAU/groupe de réplication dont le mot de passe rodc est refusé
TOUZEAU/contrôleurs de domaine en lecture seule
TOUZEAU/contrôleurs de domaine d’entreprise en lecture seule
TOUZEAU/dnsadmins
TOUZEAU/dnsupdateproxy
TOUZEAU/comptabilité
***************************************
klist:
***************************************
root@bdc2:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrateur@TOUZEAU.HOME
Valid starting       Expires              Service principal
08/04/11 14:19:55    08/05/11 00:21:03    krbtgt/TOUZEAU.HOME@TOUZEAU.HOME
renew until 08/05/11 14:19:55
***************************************
Relevant part of smb.conf:
***************************************
[global]
workgroup = TOUZEAU
netbios name = bdc2
server string = %h server
disable netbios = no
name resolve order = host lmhosts wins bcast
dns proxy = No
wins support = No
syslog = 3
log level = 10
log file = /var/log/samba/log.%m
debug timestamp = yes
# Enable symbolics links -----------------------------------
follow symlinks = yes
wide links = yes
unix extensions = no
usershare allow guests = no
usershare max shares = 100
usershare owner only = true
usershare path = /var/lib/samba/usershares/data
#Guest access
guest account = nobody
map to guest = Bad Password
template homedir = /home/%U
template shell = /bin/false
enable privileges = yes
os level = 40
ldap passwd sync = no
#WINBINDD *******************************************************
security = ADS
realm = TOUZEAU.HOME
idmap config TOUZEAU:backend = ad
idmap config TOUZEAU:readonly = yes
idmap config TOUZEAU:schema_mode = rfc2307
idmap config TOUZEAU:range = 1000-4000000000
idmap uid = 1000-4000000000
idmap gid = 1000-4000000000
client use spnego = Yes
encrypt passwords = Yes
client ntlmv2 auth = Yes
winbind normalize names = Yes
winbind separator = /
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
kerberos method = system keytab
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
ntlm auth = Yes
lanman auth = No
preferred master = No
***************************************
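Added example (not part of the post and not Samba code): a small Python script that correlates the GETPWNAM trace above with the name-handling parameters in smb.conf. The constructed sample log and config are copied from the post, with the log reflowed to one header line per entry as winbindd writes it. The rule it applies is an interpretation, not a Samba function: per smb.conf(5), with `winbind use default domain = no` winbindd only treats a name as its own when it carries a domain component, which matches the `Could not parse domain user: angelique` line and the `TOUZEAU/angelique` form that `wbinfo -u` prints. The `suggested_name` it reports is a hypothesis to verify with `id` and `getent passwd`, not a confirmed diagnosis.

```python
"""Correlate a winbind GETPWNAM debug trace with smb.conf name-handling settings.

Constructed sample input below is taken from the mailing-list post; the
diagnosis rule in diagnose_getpwnam() is an interpretation of smb.conf(5),
not Samba's own logic.
"""
import re

# --- constructed sample input (copied from the post) -------------------------
SMB_CONF = """\
[global]
workgroup = TOUZEAU
realm = TOUZEAU.HOME
security = ADS
idmap config TOUZEAU:backend = ad
idmap config TOUZEAU:schema_mode = rfc2307
winbind nss info = rfc2307
winbind separator = /
winbind use default domain = No
"""

WINBIND_LOG = """\
[2011/08/04 14:23:47.371126, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 2302:GETPWNAM
[2011/08/04 14:23:47.371158, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam angelique
[2011/08/04 14:23:47.380451, 5] libads/ldap_utils.c:64(ads_do_search_retry_internal)
  Search for (uid=angelique) in <dc=TOUZEAU,dc=HOME> gave 0 replies
[2011/08/04 14:23:47.380476, 5] winbindd/winbindd_cache.c:1206(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned
  NT_STATUS_OBJECT_NAME_NOT_FOUND
[2011/08/04 14:23:47.380497, 5] winbindd/winbindd_getpwnam.c:68(winbindd_getpwnam_send)
  Could not parse domain user: angelique
[2011/08/04 14:23:47.380515, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
  Could not convert sid S-0-0: NT_STATUS_INVALID_PARAMETER
[2011/08/04 14:23:47.380528, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[2302:GETPWNAM]: NT_STATUS_INVALID_PARAMETER
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
SEARCH_RE = re.compile(
    r"Search for \((?P<filter>[^)]*)\) in <(?P<base>[^>]*)> gave (?P<n>\d+) replies")
STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")


def parse_winbind_log(text):
    """Split a winbindd debug log into entries: a header line, then indented message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif entries and raw.strip():
            # continuation (or mail-wrapped) line of the current entry's message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict (keys lowercased, spaces collapsed)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            conf[" ".join(key.lower().split())] = value.strip()
    return conf


def smb_bool(value, default=False):
    """smb.conf boolean: yes/true/1 are true, anything else is false."""
    return default if value is None else value.strip().lower() in ("yes", "true", "1")


def diagnose_getpwnam(conf, entries):
    """Extract what winbindd did with a GETPWNAM request and relate it to name handling."""
    name, searches, statuses, parse_failed = None, [], [], False
    for e in entries:
        msg = e["msg"]
        if e["func"] == "winbindd_getpwnam_send" and msg.startswith("getpwnam "):
            name = msg.split(None, 1)[1]
        m = SEARCH_RE.search(msg)
        if m:
            searches.append((m["filter"], m["base"], int(m["n"])))
        if "Could not parse domain user" in msg:
            parse_failed = True
        statuses.extend((e["func"], st) for st in STATUS_RE.findall(msg))

    sep = conf.get("winbind separator", "\\")      # smb.conf default separator is a backslash
    use_default = smb_bool(conf.get("winbind use default domain"))
    workgroup = conf.get("workgroup", "")
    qualified = name is not None and (sep in name or "@" in name)
    final = next((st for fn, st in statuses if fn == "wb_request_done"), None)

    if name and not qualified and not use_default and parse_failed:
        # Interpretation of smb.conf(5): with the parameter off, winbindd expects
        # DOMAIN<separator>user, the same form wbinfo -u prints.
        finding = "unqualified name with 'winbind use default domain = no'"
        suggested = f"{workgroup}{sep}{name}"
    elif searches and all(n == 0 for _, _, n in searches):
        finding = "directory search returned no object"
        suggested = name
    else:
        finding = "no rule matched"
        suggested = name
    return {"name": name, "searches": searches, "statuses": statuses,
            "parse_failed": parse_failed, "final_status": final,
            "finding": finding, "suggested_name": suggested}


if __name__ == "__main__":
    report = diagnose_getpwnam(parse_smb_global(SMB_CONF), parse_winbind_log(WINBIND_LOG))
    for key, value in report.items():
        print(f"{key:15} {value}")
```

Run it against a real `log.winbindd` captured at `log level = 10` by replacing the two sample strings with the file contents; the parser joins message lines that were wrapped by mail clients, which is why the constructed sample keeps one status code on its own line.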