[Samba] Domain Member server - Domain users don't get access

Shane Robinson srobinson at simpeq.ca
Wed Feb 12 18:42:08 MST 2014

>>>> Hello list!
>>>> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu 
>>>> Precise KVM guest. It seems to be running well. Recent list posts 
>>>> have led me to set up a second instance of samba/ubuntu as a file
>>>> Like the domain controller, Samba was built from git, but then it 
>>>> was configured using the "Samba/Domain Member" wiki. I added the sfu 
>>>> attributes to a few users/groups using ADUC, but I don't see that 
>>>> mentioned as a requirement (Is it a requirement?).
>>> If you want getent to work, you don't _have_ to add the sfu stuff.
>>> uidNumber and gidNumber are sufficient.
>>>> My domain name is internal.simpeq.ca, the DC's name is Samba2, and 
>>>> the new file server's name is FS2. I start the services with a 
>>>> script that runs winbindd, then smbd, then nmbd, in that order.
>>>> Wbinfo -u and wbinfo -g work well, enumerating all domain users and
>>>> groups.
>>>> Kinit works.
>>>> $ getent passwd INTERNAL\\administrator
>>>> AND
>>>> getent group INTERNAL\\hrall
>>>> . give nothing.
>>>> An strace of getent revealed that /lib64 was never queried for 
>>>> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked 
>>>> libnss_winbind.so to that folder.
>>>> (Is this incorrect, or shall I update the Wiki with this information 
>>>> for Ubuntu users?)
>>>> am
>>> The wiki is for 32 bit non-Debian distros only.
>>> How did you join FS2?
>>> Could you post:
>>> The content of its keytab
>>> The DN of INTERNAL\administrator
>>> Cheers,
>>> Steve
>> Thanks for the reply Steve (et al)!
>> First, if the uidNumber and gidNumber are required, I'll add that as a 
>> note to the wiki, once my account is active. Is it as simple as adding 
>> them in ADUC? Can you leave the default numbers in? For example, my 
>> administrator account has a uidNumber of 10002 and a gidNumber of 
>> 10004, as they were the defaults in ADUC.
>> Second, the wiki makes no mention of being "32-bit non-debian". There 
>> is a section on linking the libnss_winbind.so in 64bit systems, but it 
>> only asks the user to link to /lib64, which doesn't appear to be 
>> correct for the ubuntu situation. If my suggestion is correct, I will 
>> add this to the wiki as well.
>> The join was as follows: (did it again to be sure)
>> shane at FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator 
>> Enter Administrator's password:
>> Using short domain name -- INTERNAL
>> Joined 'FS2' to dns domain 'internal.simpeq.ca'
>> No DNS domain configured for fs2. Unable to perform DNS Update.
>> The distinguishedName of Administrator (from ADSI) is:
>> CN=Administrator,CN=Users,DC=internal,DC=simpeq,DC=ca
>> As to the keytab file:
>> shane at FS2:/usr/local/samba$ klist
>> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
>> And here's the part of the show where I explain that this is my first 
>> and only foray into anything Active Directory (LDAP, Kerberos, DNS etc).
>> There was no mention whatsoever of a keytab file on the wiki, so I 
>> didn't do anything about it. Should one have been 
>> created/retrieved/found/pulled out of my... ? If so, what is the 
>> procedure for doing so? I'd love to be able to make that wiki as complete
>> as possible.
>> Thank you very much!
> I think that part of your problem lies in the fact that the example
> smb.conf on the wiki page is only a partial example, it is missing:
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> If you add these lines, restart samba and then rejoin, I am sure that you
> will find that /etc/krb5.conf has been created (provided, of course, that
> you have installed krb5-user).
> The other problem with the wiki is that it is written by ordinary users,
> who base what they write on what they did to their own system and, Linux
> being Linux, the way that you do something on rpm based systems is different
> from deb based systems; package names are the least of the differences. Along
> came 64bit (well, it didn't really, Sun for instance had 64bit machines for
> years before AMD/Intel discovered them) and of course various distros did
> different things, so yes, as you found, /lib64 is /usr/lib/x86_64 on Ubuntu.
> If you use the ad backend then you need uidNumbers & gidNumbers in AD and
> they need to be within the range that you set in smb.conf; the one that you
> refer to should be fine.

Hi Rowland,

Is there a reason those lines would be left off of the example? I've added
them now, and /etc/krb5.conf is generated, but my results have not changed,
i.e.:

smbclient -L localhost -Uadministrator
session setup failed: NT_STATUS_LOGON_FAILURE

log.smbd shows 

[2014/02/12 17:10:44.285058,  5]
  Mapping user [INTERNAL]\[administrator] from workstation [FS2]
[2014/02/12 17:10:44.295310,  5]
  attempting to make a user_info for administrator (administrator)
[2014/02/12 17:10:44.295604,  5]
  making strings for administrator's user_info struct
[2014/02/12 17:10:44.295732,  5]
  making blobs for administrator's user_info struct
[2014/02/12 17:10:44.295830,  3]
  check_ntlm_password:  Checking password for unmapped user
[INTERNAL]\[administrator]@[FS2] with the new password interface
[2014/02/12 17:10:44.295921,  3]
  check_ntlm_password:  mapped user is: [INTERNAL]\[administrator]@[FS2]
[2014/02/12 17:10:44.296016,  5] ../lib/util/util.c:556(dump_data)
  [0000] B3 83 CA FB 97 C2 15 A5                            ........
[2014/02/12 17:10:44.296185,  6]
  check_samstrict_security: INTERNAL is not one of my local names
[2014/02/12 17:10:44.296298,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2014/02/12 17:10:44.296387,  4] ../source3/smbd/uid.c:485(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2014/02/12 17:10:44.296475,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2014/02/12 17:10:44.296562,  5]
  Security token: (NULL)
[2014/02/12 17:10:44.296647,  5]
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/02/12 17:10:44.320649,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/02/12 17:10:44.323708,  5]
  Finding user INTERNAL\administrator
[2014/02/12 17:10:44.323911,  5]
  Trying _Get_Pwnam(), username as lowercase is internal\administrator
[2014/02/12 17:10:44.325044,  5]
  Trying _Get_Pwnam(), username as given is INTERNAL\administrator
[2014/02/12 17:10:44.325335,  5]
  Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
[2014/02/12 17:10:44.325609,  5]
  Checking combinations of 0 uppercase letters in internal\administrator
[2014/02/12 17:10:44.325642,  5]
  Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
[2014/02/12 17:10:44.325671,  5]
  Finding user administrator
[2014/02/12 17:10:44.325697,  5]
  Trying _Get_Pwnam(), username as lowercase is administrator
[2014/02/12 17:10:44.325962,  5]
  Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2014/02/12 17:10:44.326269,  5]
  Checking combinations of 0 uppercase letters in administrator
[2014/02/12 17:10:44.326303,  5]
  Get_Pwnam_internals didn't find user [administrator]!
[2014/02/12 17:10:44.326414,  3]
  Failed to find authenticated user INTERNAL\administrator via getpwnam(),
denying access.
[2014/02/12 17:10:44.326474,  5]
  check_ntlm_password: winbind authentication for user [administrator]
[2014/02/12 17:10:44.326517,  2]
  check_ntlm_password:  Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/12 17:10:44.326546,  5]
  Checking NTLMSSP password for INTERNAL\administrator failed:
[2014/02/12 17:10:44.326582,  5]
  ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
INTERNAL\administrator failed: NT_STATUS_NO_SUCH_USER
[2014/02/12 17:10:44.326620,  2]
[2014/02/12 17:10:44.326666,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/02/12 17:10:44.326697,  5]
  check lock order 1 for
[2014/02/12 17:10:44.326760,  5]
  release lock order 1 for
[2014/02/12 17:10:44.326812,  3]
  NT error packet at ../source3/smbd/sesssetup.c(263) cmd=115

Regarding the wiki, I understand fully that different distros do different
things, and someone has already caught the library linking issue for debian,
so the wiki is now fully up to date in that regard. When I mention the wiki,
I do so in the hopes of being able to contribute to it so other users in my
situation don't have to flood the list with the same questions, and we have
as complete a reference as possible.

Thank you for your help, would you be able to point me in the next
trouble-shooting direction?

Shane Robinson
Chief Administrative Officer
SimpeQ Care
t. 604.988.3103 ext. 104
c. 604.506.3311
f. 604.988.3105
Please consider the environment before printing this email.
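As an added example (not from the thread or from the Samba project), a small Python parser for the smbd debug log excerpt above: it groups each `[timestamp, level]` header with its wrapped message lines and flags the `getpwnam()` / `NT_STATUS_NO_SUCH_USER` pattern, which points at NSS name resolution on the member server (libnss_winbind placement, nsswitch, uidNumber/gidNumber inside the idmap range) rather than at the Kerberos join. The log excerpt is constructed from the lines quoted above; the check list is an assumption drawn from the replies in the thread.

```python
import re

# Constructed excerpt of the level-5 smbd log quoted in the thread (not a
# live capture); mail-wrapped lines are kept as they appear in the archive.
SAMPLE_LOG = """\
[2014/02/12 17:10:44.285058,  5]
  Mapping user [INTERNAL]\\[administrator] from workstation [FS2]
[2014/02/12 17:10:44.325642,  5]
  Get_Pwnam_internals didn't find user [INTERNAL\\administrator]!
[2014/02/12 17:10:44.326414,  3]
  Failed to find authenticated user INTERNAL\\administrator via getpwnam(),
denying access.
[2014/02/12 17:10:44.326517,  2]
  check_ntlm_password:  Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# "[YYYY/MM/DD hh:mm:ss.usec,  level] optional_source_location" header line
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\](?:\s+(\S+))?$")

# Assumed checklist for a getpwnam() miss, taken from the advice in the thread.
NSS_CHECKS = [
    "libnss_winbind.so sits where the NSS loader looks (/usr/lib/x86_64-linux-gnu on Ubuntu)",
    "'winbind' is listed for passwd and group in /etc/nsswitch.conf",
    "uidNumber/gidNumber are set in AD and fall inside the idmap range in smb.conf",
]


def parse_smbd_log(text):
    """Group each header with its message; un-indented continuation lines
    (messages wrapped by the mail client) are appended to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": int(m.group(2)),
                            "src": m.group(3), "msg": ""})
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def diagnose_logon_failure(entries):
    """'nss' when smbd accepted the name but could not resolve it through
    getpwnam() (so NSS/winbind, not the DC, rejected it); 'other' otherwise."""
    joined = " ".join(e["msg"] for e in entries)
    statuses = re.findall(r"NT_STATUS_\w+", joined)
    status = statuses[-1] if statuses else None
    users = sorted(set(re.findall(r"didn't find user \[([^\]]+)\]", joined)))
    nss_miss = "via getpwnam()" in joined
    if nss_miss and status == "NT_STATUS_NO_SUCH_USER":
        return {"cause": "nss", "status": status, "users": users, "checks": NSS_CHECKS}
    return {"cause": "other", "status": status, "users": users, "checks": []}
```

Run it against a full `log.smbd` captured at `log level = 5` and compare the `cause` with what `getent passwd DOMAIN\\user` returns on the same host.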