[Samba] Domain Member server - Domain users don't get access
Shane Robinson
srobinson at simpeq.ca
Tue Feb 11 17:15:46 MST 2014
Hello list!
I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise
KVM guest. It seems to be running well. Recent list posts have led me to set
up a second instance of samba/ubuntu as a file server. Like the domain
controller, Samba was built from git, but then it was configured using the
"Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups
using ADUC, but I don't see that mentioned as a requirement (Is it a
requirement?).
My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new
file server's name is FS2. I start the services with a script that runs
winbindd, then smbd, then nmbd, in that order.
wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.
kinit works.
$ getent passwd INTERNAL\\administrator
and
$ getent group INTERNAL\\hrall
... give nothing.
An strace of getent revealed that /lib64 was never queried for
libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
libnss_winbind.so to that folder.
(Is this incorrect, or shall I update the Wiki with this information for
Ubuntu users?)
After the relinking, getent group INTERNAL\\hrall shows the members of the
group "hrall", but getent passwd INTERNAL\\Administrator still fails.
$smbclient -L fs2 -UAdministrator
Session setup failed: NT_STATUS_LOGON_FAILURE
And, as you'd expect, domain users can't connect to FS2's shares from
windows either.
The log.smbd shows:
[2014/02/11 14:52:42.335901, 5]
../source3/auth/auth_util.c:115(make_user_info_map)
Mapping user [INTERNAL]\[Administrator] from workstation [FS2]
[2014/02/11 14:52:42.336554, 5]
../source3/auth/user_info.c:61(make_user_info)
attempting to make a user_info for Administrator (Administrator)
[2014/02/11 14:52:42.336592, 5]
../source3/auth/user_info.c:72(make_user_info)
making strings for Administrator's user_info struct
[2014/02/11 14:52:42.336629, 5]
../source3/auth/user_info.c:92(make_user_info)
making blobs for Administrator's user_info struct
[2014/02/11 14:52:42.336657, 3]
../source3/auth/auth.c:177(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[INTERNAL]\[Administrator]@[FS2] with the new password interface
[2014/02/11 14:52:42.336685, 3]
../source3/auth/auth.c:180(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [INTERNAL]\[Administrator]@[FS2]
[2014/02/11 14:52:42.336714, 5] ../lib/util/util.c:556(dump_data)
[0000] 4E 9F 81 20 8D B4 2D 02 N.. ..-.
[2014/02/11 14:52:42.336765, 6]
../source3/auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: INTERNAL is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2014/02/11 14:52:42.336798, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336825, 4] ../source3/smbd/uid.c:485(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2014/02/11 14:52:42.336851, 4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336877, 5]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/02/11 14:52:42.336908, 5]
../source3/auth/token_util.c:528(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/02/11 14:52:42.353224, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/02/11 14:52:42.353328, 5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user INTERNAL\administrator
[2014/02/11 14:52:42.353366, 5]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is internal\administrator
[2014/02/11 14:52:42.353786, 5]
../source3/lib/username.c:128(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is INTERNAL\administrator
[2014/02/11 14:52:42.354074, 5]
../source3/lib/username.c:141(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
[2014/02/11 14:52:42.354402, 5]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in internal\administrator
[2014/02/11 14:52:42.354436, 5]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
[2014/02/11 14:52:42.354463, 5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
Finding user administrator
[2014/02/11 14:52:42.354490, 5]
../source3/lib/username.c:120(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is administrator
[2014/02/11 14:52:42.354771, 5]
../source3/lib/username.c:141(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2014/02/11 14:52:42.355046, 5]
../source3/lib/username.c:153(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in administrator
[2014/02/11 14:52:42.355079, 5]
../source3/lib/username.c:159(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [administrator]!
[2014/02/11 14:52:42.355152, 3]
../source3/auth/auth_util.c:1247(check_account)
Failed to find authenticated user INTERNAL\administrator via getpwnam(),
denying access.
[2014/02/11 14:52:42.355204, 5]
../source3/auth/auth.c:229(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [Administrator]
FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355247, 2]
../source3/auth/auth.c:288(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] ->
[Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355293, 5]
../source3/auth/auth_ntlmssp.c:144(auth3_check_password)
Checking NTLMSSP password for INTERNAL\Administrator failed:
NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355329, 5]
../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355368, 2]
../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
log.winbindd shows:
[2014/02/11 14:48:22.544398, 6]
../source3/winbindd/winbindd.c:870(new_connection)
accepted socket 25
[2014/02/11 14:48:22.544610, 3]
../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
[ 2629]: request interface version
[2014/02/11 14:48:22.544767, 3]
../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
[ 2629]: request location of privileged pipe
[2014/02/11 14:48:22.544911, 6]
../source3/winbindd/winbindd.c:870(new_connection)
accepted socket 28
[2014/02/11 14:48:22.545005, 6]
../source3/winbindd/winbindd.c:918(winbind_client_request_read)
closing socket 25, client exited
[2014/02/11 14:48:22.545112, 3]
../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
[ 2629]: domain_info [INTERNAL]
[2014/02/11 14:48:22.546028, 3]
../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)
[ 2629]: pam auth crap domain: [INTERNAL] user: Administrator
[2014/02/11 14:48:22.613469, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam internal\administrator
[2014/02/11 14:48:24.273838, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274046, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\administrator
[2014/02/11 14:48:24.274271, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274415, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam INTERNAL\ADMINISTRATOR
[2014/02/11 14:48:24.274558, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500:
NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274775, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
Below are the configuration files for FS2 (the file server / domain member
server). Commented parameters are ones I tried, with no change to the
aforementioned results.
smb.conf:
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.SIMPEQ.CA
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 500-40000
winbind nss info = rfc2307
#these are NOT from the domain member wiki
winbind use default domain = yes
#winbind separator = +
#winbind enum groups = yes
#winbind trusted domains only = no
###########################
#from wiki on Configuring file shares (feb7'14)
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
#########################
log level = 7
#Oplocks
veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt/*.pst
[test]
path = /srv/test
read only = no
#valid users = @"Domain Users"
[Sites]
path = /srv/sites
read only = no
nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
If you would like to see any further information, please let me know.
Thank you very much!
Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.
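Added example (not part of the post above and not Samba code): a small Python script that reads the idmap settings from an smb.conf, pulls the SIDs that log.winbindd reported as NT_STATUS_NONE_MAPPED, and predicts why winbind refused to map each one. The relevant behaviour of winbind's "ad" idmap backend is that it never allocates IDs itself: a SID only maps if the AD object carries a uidNumber (users) or gidNumber (groups) and that number lies inside the configured "idmap config DOM:range"; anything else returns NT_STATUS_NONE_MAPPED, getpwnam() then fails, and smbd denies the session with NT_STATUS_NO_SUCH_USER, which is the chain visible in the two logs above. SIDs from domains without their own idmap block (for example BUILTIN) fall through to the "*" default backend, here tdb, which allocates from its own range. The smb.conf and log excerpt embedded below are constructed copies of what the post shows; the DOMAIN_SIDS and AD_RFC2307 tables are assumptions made up for the example (the post does not say which objects have uidNumber/gidNumber set).

```python
import re

# Constructed sample: the idmap-related lines of a domain member's smb.conf,
# modelled on the configuration posted above.
SMB_CONF = """
[global]
workgroup = INTERNAL
security = ADS
realm = INTERNAL.SIMPEQ.CA
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 500-40000
winbind nss info = rfc2307
"""

# Constructed log.winbindd excerpt in the level-5 format shown above.
WINBIND_LOG = """
[2014/02/11 14:48:24.273838, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274558, 5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
"""

# Assumed: domain SID -> NetBIOS name (what 'wbinfo --domain-info INTERNAL' reports).
DOMAIN_SIDS = {"S-1-5-21-2882618318-1039994385-1644329023": "INTERNAL"}

# Assumed/constructed: the RFC2307 attribute the 'ad' backend reads per object
# (uidNumber for users, gidNumber for groups). None = attribute absent in AD.
# These values are illustrative only; they are not taken from the post.
AD_RFC2307 = {
    "S-1-5-21-2882618318-1039994385-1644329023-500": None,    # Administrator: no uidNumber
    "S-1-5-21-2882618318-1039994385-1644329023-1104": 10001,  # a user inside 500-40000
    "S-1-5-21-2882618318-1039994385-1644329023-1105": 65000,  # a user outside 500-40000
    "S-1-5-21-2882618318-1039994385-1644329023-1103": 10500,  # a group with gidNumber set
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
UNMAPPED_RE = re.compile(r"Could not convert sid (S-1-[\d-]+): NT_STATUS_NONE_MAPPED")


def parse_idmap(conf):
    """Return {DOMAIN: {"backend": ..., "range": (lo, hi), ...}} from smb.conf text."""
    idmap = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = idmap.setdefault(domain, {})
        if key == "range":
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            entry["range"] = (lo, hi)
        else:
            entry[key] = value.lower()
    return idmap


def unmapped_sids(log):
    """SIDs winbindd reported as NT_STATUS_NONE_MAPPED, de-duplicated, in log order."""
    seen = []
    for sid in UNMAPPED_RE.findall(log):
        if sid not in seen:
            seen.append(sid)
    return seen


def split_sid(sid):
    """'S-1-5-21-a-b-c-500' -> ('S-1-5-21-a-b-c', 500)."""
    domain_sid, rid = sid.rsplit("-", 1)
    return domain_sid, int(rid)


def explain(sid, idmap, domain_sids=DOMAIN_SIDS, rfc2307=AD_RFC2307):
    """Predict the idmap outcome for one SID under the parsed idmap config."""
    domain_sid, _rid = split_sid(sid)
    domain = domain_sids.get(domain_sid)
    cfg = idmap.get(domain) if domain else None
    if cfg is None:                      # no per-domain block: the '*' default applies
        domain, cfg = "*", idmap.get("*", {})
    backend = cfg.get("backend", "tdb")
    lo, hi = cfg.get("range", (0, 0))
    result = {"sid": sid, "domain": domain, "id": None}
    if backend == "ad":                  # ad backend: read-only, no allocation
        xid = rfc2307.get(sid)
        if xid is None:
            result.update(status="NT_STATUS_NONE_MAPPED",
                          reason="ad backend: object has no uidNumber/gidNumber")
        elif not lo <= xid <= hi:
            result.update(status="NT_STATUS_NONE_MAPPED",
                          reason=f"ad backend: id {xid} outside range {lo}-{hi}")
        else:
            result.update(status="OK", id=xid,
                          reason="ad backend: rfc2307 id within range")
    elif backend == "tdb":               # tdb backend allocates on first lookup
        result.update(status="OK",
                      reason=f"tdb backend: id allocated from {lo}-{hi}")
    else:
        result.update(status="UNKNOWN", reason=f"backend '{backend}' not modelled here")
    return result


def diagnose(conf=SMB_CONF, log=WINBIND_LOG):
    """Explain every SID the winbindd log could not map."""
    idmap = parse_idmap(conf)
    return [explain(sid, idmap) for sid in unmapped_sids(log)]


if __name__ == "__main__":
    for r in diagnose():
        print(f"{r['sid']} [{r['domain']}] -> {r['status']}: {r['reason']}")
```

On the real member server the same question is answered by winbind directly: "wbinfo -n INTERNAL\\administrator" gives the SID, "wbinfo -S <sid>" asks winbind for the uid and fails with the same mapping error when the ad backend has nothing to return, and "wbinfo -i INTERNAL\\administrator" exercises the getpwnam path that smbd uses. A uidNumber set through ADUC's UNIX Attributes tab must also fall inside the "idmap config INTERNAL:range" for the mapping to succeed. Separately, on Ubuntu's multiarch layout glibc loads NSS modules from /lib/x86_64-linux-gnu and /usr/lib/x86_64-linux-gnu rather than /lib64, so "ldconfig -p | grep libnss_winbind" is the quick check that the module is where getent will look.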