[Samba] [Samba 3, Debian wheezy] All of a sudden, resolving ADS user fails completely
Rowland Penny
rowlandpenny at googlemail.com
Tue Dec 10 08:30:51 MST 2013
On 10/12/13 14:49, Patrick G. Stoesser wrote:
> On 10.12.2013 15:25, steve wrote:
>> On Tue, 2013-12-10 at 13:39 +0100, Patrick G. Stoesser wrote:
>>
>>>
>>> Does anyone have any idea where I could look after?
>>
>> nss is failing. What do you have in:
>> /etc/nsswitch.conf
>> and is the service for passwd running (could be winbind, sss,
>> ldap. . .)
>>
>> What does /smb.conf look like?
>>
>> IOW, not enough info 2 b able 2 help further. . .
>>
>> Steve
>>
>>
>
> Oops, my fault. Ok, here we are. Winbind is running.
>
> /etc/nsswitch.conf:
>
> passwd: files winbind
> group: files winbind
> hosts: files dns wins
> shadow: files winbind
>
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
>
>
> /etc/samba/smb.conf (anonymized with "***"). the directives "server
> signing", "client signing", "max protocol" were added by me a few
> minutes ago but did not help.
>
>
> [global]
> server signing = auto
> client signing = auto
> max protocol = smb2
> security = ADS
> encrypt passwords = true
> password server = ***.***.15.146 ***.***.15.208 ***.***.15.144
> workgroup = AD
> netbios name = fileserver3
> enhanced browsing = no
> realm = AD.***.DE
> winbind separator = #
> winbind use default domain = Yes
> client use spnego = yes
> server string = %h Debian GNU/Linux
> log file = /var/log/samba/%m.log
> syslog only = no
> syslog = 0
> log level = 1
> machine password timeout = 0
> winbind enum users = no
> winbind enum groups = no
> socket options = TCP_NODELAY.
>
> hostname lookups = no
> dnsproxy = no
> local master = no
> domain master = no
> directory mask = 0700
> create mask = 0700
> wins support = no
> wins server = ***.***.15.208 ***.***.15.144
> admin users = root
> dos charset = cp850
> unix charset = ISO-8859-15
> display charset = ISO-8859-15
> deadtime = 30
> name resolve order = wins bcast host
> disable spoolss = yes
> follow symlinks = no
> show add printer wizard = no
> oplocks = no
> level2 oplocks = no
> max log size = 1000
> load printers = no
> vfs object = recycle
> recycle:repository = ___TRASH___
> recycle:keeptree = yes
> recycle:touch = yes
> recycle:versions = yes
>
>
> [user1]
> path = /srv1/user1
> browseable = no
> valid users = ad#user1
> write list = ad#user1
>
> and so on with more shares.
>
>
>
> I raised the log level to 3, and here's a client log when trying to
> connect:
>
> [2013/12/10 15:43:24.695236, 3] lib/access.c:338(allow_access)
> Allowed connection from ***.***.14.24 (***.***.14.24)
> [2013/12/10 15:43:24.695406, 3] smbd/oplock.c:922(init_oplocks)
> init_oplocks: initializing messages.
> [2013/12/10 15:43:24.695541, 3]
> smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
> Linux kernel oplocks enabled
> [2013/12/10 15:43:24.695681, 3] smbd/process.c:1662(process_smb)
> Transaction 0 of length 72 (0 toread)
> [2013/12/10 15:43:24.695752, 2] smbd/reply.c:553(reply_special)
> netbios connect: name1=FILESERVER30x20 name2=TSNEU 0x0
> [2013/12/10 15:43:24.711464, 2] smbd/reply.c:573(reply_special)
> netbios connect: local=fileserver3 remote=tsneu, name type = 0
> [2013/12/10 15:43:33.633745, 3] lib/access.c:338(allow_access)
> Allowed connection from ***.***.14.24 (***.***.14.24)
> [2013/12/10 15:43:33.633899, 3] smbd/oplock.c:922(init_oplocks)
> init_oplocks: initializing messages.
> [2013/12/10 15:43:33.634030, 3]
> smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
> Linux kernel oplocks enabled
> [2013/12/10 15:43:33.634163, 3] smbd/process.c:1662(process_smb)
> Transaction 0 of length 72 (0 toread)
> [2013/12/10 15:43:33.634232, 2] smbd/reply.c:553(reply_special)
> netbios connect: name1=FILESERVER30x20 name2=TSNEU 0x0
> [2013/12/10 15:43:33.634306, 2] smbd/reply.c:573(reply_special)
> netbios connect: local=fileserver3 remote=tsneu, name type = 0
> [2013/12/10 15:43:37.018709, 3] lib/access.c:338(allow_access)
> Allowed connection from ***.***.14.24 (***.***.14.24)
> [2013/12/10 15:43:37.018857, 3] smbd/oplock.c:922(init_oplocks)
> init_oplocks: initializing messages.
> [2013/12/10 15:43:37.019023, 3]
> smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
> Linux kernel oplocks enabled
> [2013/12/10 15:43:37.019167, 3] smbd/process.c:1662(process_smb)
> Transaction 0 of length 72 (0 toread)
> [2013/12/10 15:43:37.019237, 2] smbd/reply.c:553(reply_special)
> netbios connect: name1=FILESERVER30x20 name2=TSNEU 0x0
> [2013/12/10 15:43:37.019310, 2] smbd/reply.c:573(reply_special)
> netbios connect: local=fileserver3 remote=tsneu, name type = 0
>
> Kind regards, Patrick
>
>
>
Hi, I take it that the machine in question is part of a domain and if
so, I am surprised it works at all. You have quite a few lines in your
smb.conf that could be removed because they are the defaults, but the
biggest problem, as far as I can see, is that the only lines that refer
to winbind are these:

winbind separator = #
winbind use default domain = Yes
winbind enum users = no
winbind enum groups = no

I would expect something like this:

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 20000-3100000
idmap config AD:backend = ad
idmap config *:range = 1100-2000
idmap config *:backend = tdb

Though the backend line could be 'rid' instead. Without the above lines,
I expect that the users will have different uid numbers on every server.
I could be wrong but I do not think so.

Rowland