[Samba] User is invalid on this system
dale at BriannasSaladDressing.com
Fri Nov 30 12:55:22 MST 2012
With what I've read and what I've seen with the rebuilds, there's a good
chance the rejoin could fix your problem. That being said, there are no
guarantees with winbind. It's the part of the Samba suite that has given
me the most problems over the years, breaking existing configs almost
every time its internal workings are changed.
I wish you good luck!
On 11/30/2012 12:57 PM, Kevin Elliott wrote:
> I was afraid of that. We we're forced to upgrade from 3.5.x because of a reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x introduces a idmap/rid issues. I guess we just traded one for another.
> Do you think un-joining and then re-joining the existing system could fix this?
> Kevin Elliott
> Network Specialist
> City and Borough of Juneau, MIS
> (907) 586 - 0905
> -----Original Message-----
> From: Dale Schroeder [mailto:dale at BriannasSaladDressing.com]
> Sent: Friday, November 30, 2012 9:38 AM
> To: Kevin Elliott
> Cc: 'samba at lists.samba.org'
> Subject: Re: [Samba] User is invalid on this system
> 3.6.x has had several issues with idmap rid. I was hit with this one:
> https://bugzilla.samba.org/show_bug.cgi?id=8676 . Searching for idmap rid issues with 3.6.x will reveal others as well.
> Someone indicated that rejoining the domain would fix this issue. As it so happened, I had to rebuild one of the servers. After joining the rebuilt system to the domain, it has worked flawlessly ever since. So, it appears the problem with rid and some of the other idmap backends is somehow related to upgrading, as newly joined systems work as expected.
> On 11/29/2012 6:51 PM, Kevin Elliott wrote:
>> Hello all.
>> We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients:
>> Here's an example from my workstation (logging verbosity set at 10):
>> [2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message)
>> switch message SMBsesssetupX (pid 2517) conn 0x0
>> [2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
>> wct=12 flg2=0xc807
>> [2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
>> NativeOS= NativeLanMan= PrimaryDomain=
>> [2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
>> reply_spnego_negotiate: Got secblob of size 1680
>> [2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data)
>> Found account name from PAC: kevin_elliott [Kevin Elliott]
>> [2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
>> Kerberos ticket principal name is [kevin_elliott at CBJ.LOCAL]
>> [2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
>> Username CBJ_NT+kevin_elliott is invalid on this system
>> [2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set)
>> error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
>> [2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc)
>> receive_smb_raw_talloc failed for client 126.96.36.199 read error = NT_STATUS_CONNECTION_RESET.
>> [2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common)
>> Server exit (failed to receive smb request)
>> However, I can successfully return login information with winbind:
>> # wbinfo -i kevin_elliott
>> 'getent passwd' will only return the local users from /etc/passwd.
>> And the relevant section of smb.conf:
>> workgroup = CBJ_NT
>> realm = CBJ.LOCAL
>> netbios aliases = CITY-LIZA-L90, CITY-LIZA
>> server string = External FTP Server
>> interfaces = 192.0.2.87/32, lo
>> bind interfaces only = Yes
>> security = ADS
>> obey pam restrictions = Yes
>> password server = 192.0.2.25, 192.0.2.50
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>> client NTLMv2 auth = Yes
>> log level = 3
>> log file = /var/log/samba/log.%m
>> max log size = 2500
>> printcap name = cups
>> os level = 5
>> local master = No
>> domain master = No
>> wins server = 192.0.2.25
>> ldap ssl = no
>> panic action = /usr/share/samba/panic-action %d
>> winbind separator = +
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> idmap config LIBRARY:range = 65535-79999
>> idmap config LIBRARY:base_rid = 0
>> idmap config LIBRARY:backend = rid
>> idmap config * : range = 10000-65533
>> idmap config * : base_rid = 0
>> idmap config * : backend = rid
>> admin users = @CBJ_NT+admin
>> veto files = /.*/
>> comment = FTP directory
>> path = /var/ftp/pub/
>> valid users = "@CBJ_NT+domain users"
>> read only = No
>> create mask = 0775
>> directory mask = 0775
>> hide unreadable = Yes
>> Any ideas? Anyone else see this?
>> Kevin Elliott
>> Network Specialist
>> City and Borough of Juneau, MIS
>> (907) 586 - 0905
More information about the samba