[Samba] User is invalid on this system

Kevin Elliott kevin_elliott at ci.juneau.ak.us
Thu Nov 29 17:51:55 MST 2012


Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2012/11/29 15:23:58.120409,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [kevin_elliott at CBJ.LOCAL]
[2012/11/29 15:23:58.124710,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
        workgroup = CBJ_NT
        realm = CBJ.LOCAL
        netbios aliases = CITY-LIZA-L90, CITY-LIZA
        server string = External FTP Server
        interfaces = 192.0.2.87/32, lo
        bind interfaces only = Yes
        security = ADS
        obey pam restrictions = Yes
        password server = 192.0.2.25, 192.0.2.50
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        client NTLMv2 auth = Yes
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 2500
        printcap name = cups
        os level = 5
        local master = No
        domain master = No
        wins server = 192.0.2.25
        ldap ssl = no
        panic action = /usr/share/samba/panic-action %d
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config LIBRARY:range = 65535-79999
        idmap config LIBRARY:base_rid = 0
        idmap config LIBRARY:backend = rid
        idmap config * : range = 10000-65533
        idmap config * : base_rid = 0
        idmap config * : backend = rid
        admin users = @CBJ_NT+admin
        veto files = /.*/

[ftp]
        comment = FTP directory
        path = /var/ftp/pub/
        valid users = "@CBJ_NT+domain users"
        read only = No
        create mask = 0775
        directory mask = 0775
        hide unreadable = Yes


Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




More information about the samba mailing list