[Samba] Domain Member server - Domain users don't get access

Shane Robinson srobinson at simpeq.ca
Tue Feb 11 17:15:46 MST 2014


Hello list!

I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu Precise
KVM guest. It seems to be running well. Recent list posts have led me to set
up a second instance of samba/ubuntu as a file server. Like the domain
controller, Samba was built from git, but then it was configured using the
"Samba/Domain Member" wiki. I added the sfu attributes to a few users/groups
using ADUC, but I don't see that mentioned as a requirement (Is it a
requirement?).

My domain name is internal.simpeq.ca, the DC's name is Samba2, and the new
file server's name is FS2. I start the services with a script that runs
winbindd, then smbd, then nmbd, in that order.

wbinfo -u and wbinfo -g work well, enumerating all domain users and groups.

kinit works.

$ getent passwd INTERNAL\\administrator

AND

$ getent group INTERNAL\\hrall

... give nothing.

An strace of getent revealed that /lib64 was never queried for
libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
libnss_winbind.so to that folder.

(Is this incorrect, or shall I update the Wiki with this information for
Ubuntu users?)

After the relinking, getent group INTERNAL\\hrall shows the members of the
group "hrall", but getent passwd INTERNAL\\Administrator still fails.

$ smbclient -L fs2 -UAdministrator
Session setup failed: NT_STATUS_LOGON_FAILURE

And, as you'd expect, domain users can't connect to FS2's shares from
Windows either.

The log.smbd shows:

[2014/02/11 14:52:42.335901,  5] ../source3/auth/auth_util.c:115(make_user_info_map)
  Mapping user [INTERNAL]\[Administrator] from workstation [FS2]
[2014/02/11 14:52:42.336554,  5] ../source3/auth/user_info.c:61(make_user_info)
  attempting to make a user_info for Administrator (Administrator)
[2014/02/11 14:52:42.336592,  5] ../source3/auth/user_info.c:72(make_user_info)
  making strings for Administrator's user_info struct
[2014/02/11 14:52:42.336629,  5] ../source3/auth/user_info.c:92(make_user_info)
  making blobs for Administrator's user_info struct
[2014/02/11 14:52:42.336657,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [INTERNAL]\[Administrator]@[FS2] with the new password interface
[2014/02/11 14:52:42.336685,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [INTERNAL]\[Administrator]@[FS2]
[2014/02/11 14:52:42.336714,  5] ../lib/util/util.c:556(dump_data)
  [0000] 4E 9F 81 20 8D B4 2D 02                            N.. ..-.
[2014/02/11 14:52:42.336765,  6] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: INTERNAL is not one of my local names (ROLE_DOMAIN_MEMBER)
[2014/02/11 14:52:42.336798,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336825,  4] ../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2014/02/11 14:52:42.336851,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2014/02/11 14:52:42.336877,  5] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2014/02/11 14:52:42.336908,  5] ../source3/auth/token_util.c:528(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/02/11 14:52:42.353224,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/02/11 14:52:42.353328,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user INTERNAL\administrator
[2014/02/11 14:52:42.353366,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is internal\administrator
[2014/02/11 14:52:42.353786,  5] ../source3/lib/username.c:128(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is INTERNAL\administrator
[2014/02/11 14:52:42.354074,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
[2014/02/11 14:52:42.354402,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in internal\administrator
[2014/02/11 14:52:42.354436,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
[2014/02/11 14:52:42.354463,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user administrator
[2014/02/11 14:52:42.354490,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is administrator
[2014/02/11 14:52:42.354771,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2014/02/11 14:52:42.355046,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in administrator
[2014/02/11 14:52:42.355079,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [administrator]!
[2014/02/11 14:52:42.355152,  3] ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user INTERNAL\administrator via getpwnam(), denying access.
[2014/02/11 14:52:42.355204,  5] ../source3/auth/auth.c:229(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355247,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355293,  5] ../source3/auth/auth_ntlmssp.c:144(auth3_check_password)
  Checking NTLMSSP password for INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355329,  5] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for INTERNAL\Administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/11 14:52:42.355368,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER

log.winbindd shows:

[2014/02/11 14:48:22.544398,  6] ../source3/winbindd/winbindd.c:870(new_connection)
  accepted socket 25
[2014/02/11 14:48:22.544610,  3] ../source3/winbindd/winbindd_misc.c:395(winbindd_interface_version)
  [ 2629]: request interface version
[2014/02/11 14:48:22.544767,  3] ../source3/winbindd/winbindd_misc.c:428(winbindd_priv_pipe_dir)
  [ 2629]: request location of privileged pipe
[2014/02/11 14:48:22.544911,  6] ../source3/winbindd/winbindd.c:870(new_connection)
  accepted socket 28
[2014/02/11 14:48:22.545005,  6] ../source3/winbindd/winbindd.c:918(winbind_client_request_read)
  closing socket 25, client exited
[2014/02/11 14:48:22.545112,  3] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [ 2629]: domain_info [INTERNAL]
[2014/02/11 14:48:22.546028,  3] ../source3/winbindd/winbindd_pam_auth_crap.c:73(winbindd_pam_auth_crap_send)
  [ 2629]: pam auth crap domain: [INTERNAL] user: Administrator
[2014/02/11 14:48:22.613469,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam internal\administrator
[2014/02/11 14:48:24.273838,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274046,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\administrator
[2014/02/11 14:48:24.274271,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274415,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam INTERNAL\ADMINISTRATOR
[2014/02/11 14:48:24.274558,  5] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED
[2014/02/11 14:48:24.274775,  3] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)

Below are the configuration files for FS2 (the file server / domain member
server). Commented parameters are ones I tried, with no change to the
aforementioned results.

smb.conf:

[global]

   workgroup = INTERNAL
   security = ADS
   realm = INTERNAL.SIMPEQ.CA

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 500-40000

   winbind nss info = rfc2307

#these are NOT from the domain member wiki

   winbind use default domain = yes

   #winbind separator = +
   #winbind enum groups = yes
   #winbind trusted domains only = no

###########################

#from wiki on Configuring file shares (feb7'14)
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes
#########################

   log level = 7

#Oplocks
   veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt/*.pst

[test]
   path = /srv/test
   read only = no
   #valid users = @"Domain Users"

[Sites]
   path = /srv/sites
   read only = no

nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

If you would like to see any further information, please let me know.

Thank you very much!

Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.

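As an added example (not part of the post above), a small Python check that parses the idmap ranges out of an smb.conf like the one posted and reports, for each SID that log.winbindd recorded as NT_STATUS_NONE_MAPPED, why the idmap_ad backend would refuse it: with schema_mode = rfc2307 it maps only accounts whose uidNumber attribute exists and lies inside the domain's configured range, and the ranges of the domain and the default "*" backend must not overlap. The uidNumber values and the two extra SIDs are constructed sample data, not read from the poster's AD.

```python
import re

# The idmap lines from the smb.conf in the post (only the relevant lines copied)
SMB_CONF = """
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 500-40000
"""
# The failing log.winbindd line from the post, re-joined onto one line
WINBIND_LOG = "  Could not convert sid S-1-5-21-2882618318-1039994385-1644329023-500: NT_STATUS_NONE_MAPPED\n"
# Constructed uidNumber per SID (None = attribute not set in AD); RID 500 is the built-in Administrator
AD_UIDNUMBER = {
    "S-1-5-21-2882618318-1039994385-1644329023-500": None,
    "S-1-5-21-2882618318-1039994385-1644329023-1105": 10001,  # made-up SID, inside 500-40000
    "S-1-5-21-2882618318-1039994385-1644329023-1106": 65000,  # made-up SID, outside 500-40000
}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
SID_RE = re.compile(r"Could not convert sid (S-[\d-]+): NT_STATUS_NONE_MAPPED")

def parse_idmap(conf):
    """{domain: {key: value}} for every 'idmap config' line; 'range' becomes (lo, hi)."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(dom, {})[key] = val
    for opts in cfg.values():
        lo, hi = (int(x) for x in opts["range"].split("-"))
        opts["range"] = (lo, hi)
    return cfg

def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap; winbind needs them disjoint."""
    doms = sorted(cfg)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if cfg[a]["range"][0] <= cfg[b]["range"][1]
            and cfg[b]["range"][0] <= cfg[a]["range"][1]]

def explain(uid, cfg, domain="INTERNAL"):
    """idmap_ad (schema_mode rfc2307) maps only accounts whose uidNumber is inside the domain range."""
    lo, hi = cfg[domain]["range"]
    if uid is None:
        return "no uidNumber attribute in AD"
    if not lo <= uid <= hi:
        return f"uidNumber {uid} outside idmap range {lo}-{hi}"
    return "ok"

def report(conf=SMB_CONF, log=WINBIND_LOG, ad=AD_UIDNUMBER):
    """Reason the backend rejects each SID winbindd failed to convert."""
    cfg = parse_idmap(conf)
    return {sid: explain(ad.get(sid), cfg) for sid in SID_RE.findall(log)}
```

Running report() on the posted log and config flags the Administrator SID as having no uidNumber, which is exactly the case idmap_ad cannot map; overlapping_ranges() returning an empty list rules out the other common idmap misconfiguration.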


