[Samba] Domain Member server - Domain users don't get access

Chan Min Wai dcmwai at gmail.com
Wed Feb 12 23:24:28 MST 2014


Hi Shane Robinson,

Can you post your krb.conf?
There is some information samba needs there...

Thank you


On Thu, Feb 13, 2014 at 9:42 AM, Shane Robinson <srobinson at simpeq.ca> wrote:

> >>>> Hello list!
> >>>>
> >>>>
> >>>>
> >>>> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu
> >>>> Precise KVM guest. It seems to be running well. Recent list posts
> >>>> have led me to set up a second instance of samba/ubuntu as a file
> server.
> >>>> Like the domain controller, Samba was built from git, but then it
> >>>> was configured using the "Samba/Domain Member" wiki. I added the sfu
> >>>> attributes to a few users/groups using ADUC, but I don't see that
> >>>> mentioned as a requirement (Is it a requirement?).
> >>> If you want getent to work, you don't _have_ to add the sfu stuff.
> >>> uidNumber and gidNumber are sufficient.
> >>>>
> >>>>
> >>>> My domain name is internal.simpeq.ca, the DC's name is Samba2, and
> >>>> the new file server's name is FS2. I start the services with a
> >>>> script that runs winbindd, then smbd, then nmbd, in that order.
> >>>>
> >>>>
> >>>>
> >>>> Wbinfo -u and wbinfo -g work well, enumerating all domain users and
> >> groups.
> >>>>
> >>>>
> >>>> Kinit works.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> $ getent passwd INTERNAL\\administrator
> >>>>
> >>>> AND
> >>>>
> >>>> getent group INTERNAL\\hrall
> >>>>
> >>>>
> >>>>
> >>>> ... give nothing.
> >>>>
> >>>>
> >>>>
> >>>> An strace of getent revealed that /lib64 was never queried for
> >>>> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
> >>>> libnss_winbind.so to that folder.
> >>>>
> >>>> (Is this incorrect, or shall I update the Wiki with this information
> >>>> for Ubuntu users?)
> >>>>
> >>>> am
> >>> The wiki is for 32 bit non-Debian distros only.
> >>> How did you join FS2?
> >>> Could you post:
> >>> The content of its keytab
> >>> The DN of INTERNAL\administrator
> >>> Cheers,
> >>> Steve
> >>
> >> Thanks for the reply Steve (et al)!
> >>
> >> First, if the uidNumber and ridNumber are required, I'll add that as a
> >> note to the wiki, once my account is active. Is it as simple as adding
> >> them in ADUC? Can you leave the default numbers in? For example, my
> >> administrator account has a uidNumber of 10002 and a gidNumber of
> >> 10004, as they were the defaults in ADUC.
> >>
> >> Second, the wiki makes no mention of being "32-bit non-debian". There
> >> is a section on linking the libnss_winbind.so in 64bit systems, but it
> >> only asks the user to link to /lib64, which doesn't appear to be
> >> correct for the ubuntu situation. If my suggestion is correct, I will
> >> add this to the wiki as well.
> >>
> >>
> >> The join was as follows: (did it again to be sure)
> >>
> >> shane at FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator
> >> Enter Administrator's password:
> >> Using short domain name -- INTERNAL
> >> Joined 'FS2' to dns domain 'internal.simpeq.ca'
> >> No DNS domain configured for fs2. Unable to perform DNS Update.
> >> DNS update failed: NT_STATUS_INVALID_PARAMETER
> >>
> >> The distinguishedName of Administrator (from ADSI) is:
> >> CN=Administrator,CN=Users,DC=internal,DC=simpeq,DC=ca
> >>
> >>
> >> As to the keytab file:
> >>
> >> shane at FS2:/usr/local/samba$ klist
> >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
> >>
> >> And here's the part of the show where I explain that this is my first
> >> and only foray into anything Active Directory (LDAP, Kerberos, DNS etc).
> >>
> >> There was no mention whatsoever of a keytab file on the wiki, so I
> >> didn't do anything about it. Should one have been
> >> created/retrieved/found/pulled out of my... ? If so, what is the
> >> procedure for doing so? I'd love to be able to make that wiki as
> complete
> as possible.
> >>
> >> Thank you very much!
> >>
> >I think that part of your problem lies in the fact that the example
> smb.conf on the wiki page is only a partial example, it is missing, for
> instance:
> >
> >kerberos method = secrets and keytab
> >winbind refresh tickets = Yes
> >
> >If you add these lines, restart samba and then rejoin, I am sure that you
> will find that /etc/krb5.conf has been created (provided, of course, that
> you have installed krb5-user).
> >
> >The other problem with the wiki, is that it is written by ordinary users,
> who base what they write, on what they did to their own system and Linux
> being Linux, the way that you do something on rpm based systems is
> different
> from deb based system, package names are the least of the differences. Along
> came 64bit (well, it didn't really, sun for instance had 64bit machines for
> years before AMD/intel discovered them) and of course various distro's did
> different things, so yes, as you found, /lib64 is /usr/lib/x86_64 on
> Ubuntu.
> >
> >If you use the ad backend then you need uidNumbers & gidNumbers in AD
> and
> they need to be within the range that you set in smb.conf, the one that you
> refer to should be fine.
> >
> >Rowland
> >
>
> Hi Rowland,
>
> Is there a reason those lines would be left off of the example? I've added
> them now, and /etc/krb5.conf is generated, but my results have not changed,
>
> ie: smbclient -L localhost -Uadministrator
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> log.smbd shows
>
>  [2014/02/12 17:10:44.285058,  5]
> ../source3/auth/auth_util.c:115(make_user_info_map)
>   Mapping user [INTERNAL]\[administrator] from workstation [FS2]
> [2014/02/12 17:10:44.295310,  5]
> ../source3/auth/user_info.c:61(make_user_info)
>   attempting to make a user_info for administrator (administrator)
> [2014/02/12 17:10:44.295604,  5]
> ../source3/auth/user_info.c:72(make_user_info)
>   making strings for administrator's user_info struct
> [2014/02/12 17:10:44.295732,  5]
> ../source3/auth/user_info.c:92(make_user_info)
>   making blobs for administrator's user_info struct
> [2014/02/12 17:10:44.295830,  3]
> ../source3/auth/auth.c:177(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [INTERNAL]\[administrator]@[FS2] with the new password interface
> [2014/02/12 17:10:44.295921,  3]
> ../source3/auth/auth.c:180(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [INTERNAL]\[administrator]@[FS2]
> [2014/02/12 17:10:44.296016,  5] ../lib/util/util.c:556(dump_data)
>   [0000] B3 83 CA FB 97 C2 15 A5                            ........
> [2014/02/12 17:10:44.296185,  6]
> ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>   check_samstrict_security: INTERNAL is not one of my local names
> (ROLE_DOMAIN_MEMBER)
> [2014/02/12 17:10:44.296298,  4]
> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2014/02/12 17:10:44.296387,  4] ../source3/smbd/uid.c:485(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2014/02/12 17:10:44.296475,  4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2014/02/12 17:10:44.296562,  5]
> ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2014/02/12 17:10:44.296647,  5]
> ../source3/auth/token_util.c:528(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2014/02/12 17:10:44.320649,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/02/12 17:10:44.323708,  5]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>   Finding user INTERNAL\administrator
> [2014/02/12 17:10:44.323911,  5]
> ../source3/lib/username.c:120(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is internal\administrator
> [2014/02/12 17:10:44.325044,  5]
> ../source3/lib/username.c:128(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as given is INTERNAL\administrator
> [2014/02/12 17:10:44.325335,  5]
> ../source3/lib/username.c:141(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
> [2014/02/12 17:10:44.325609,  5]
> ../source3/lib/username.c:153(Get_Pwnam_internals)
>   Checking combinations of 0 uppercase letters in internal\administrator
> [2014/02/12 17:10:44.325642,  5]
> ../source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
> [2014/02/12 17:10:44.325671,  5]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>   Finding user administrator
> [2014/02/12 17:10:44.325697,  5]
> ../source3/lib/username.c:120(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as lowercase is administrator
> [2014/02/12 17:10:44.325962,  5]
> ../source3/lib/username.c:141(Get_Pwnam_internals)
>   Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
> [2014/02/12 17:10:44.326269,  5]
> ../source3/lib/username.c:153(Get_Pwnam_internals)
>   Checking combinations of 0 uppercase letters in administrator
> [2014/02/12 17:10:44.326303,  5]
> ../source3/lib/username.c:159(Get_Pwnam_internals)
>   Get_Pwnam_internals didn't find user [administrator]!
> [2014/02/12 17:10:44.326414,  3]
> ../source3/auth/auth_util.c:1247(check_account)
>   Failed to find authenticated user INTERNAL\administrator via getpwnam(),
> denying access.
> [2014/02/12 17:10:44.326474,  5]
> ../source3/auth/auth.c:229(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [administrator]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326517,  2]
> ../source3/auth/auth.c:288(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [administrator] ->
> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326546,  5]
> ../source3/auth/auth_ntlmssp.c:144(auth3_check_password)
>   Checking NTLMSSP password for INTERNAL\administrator failed:
> NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326582,  5]
> ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_check_password)
>   ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
> INTERNAL\administrator failed: NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326620,  2]
> ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326666,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/02/12 17:10:44.326697,  5]
> ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
>   check lock order 1 for
> /usr/local/samba/var/lock/smbXsrv_session_global.tdb
> [2014/02/12 17:10:44.326760,  5]
> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>   release lock order 1 for
> /usr/local/samba/var/lock/smbXsrv_session_global.tdb
> [2014/02/12 17:10:44.326812,  3]
> ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/sesssetup.c(263) cmd=115
> (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
>
> Regarding the wiki, I understand fully that different distros do different
> things, and someone has already caught the library linking issue for
> debian,
> so the wiki is now fully up to date in that regard. When I mention the
> wiki,
> I do so in the hopes of being able to contribute to it so other users in my
> situation don't have to flood the list with the same questions, and we have
> as complete a reference as possible.
>
>
> Thank you for your help, would you be able to point me in the next
> trouble-shooting direction?
>
>
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
> Please consider the environment before printing this email.
>
>
>
>
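The log.smbd excerpt above already contains the answer: Get_Pwnam_internals cannot find INTERNAL\administrator, check_account therefore denies access with NT_STATUS_NO_SUCH_USER, and the client only ever sees that as NT_STATUS_LOGON_FAILURE. No password was rejected by the DC; the operating system on FS2 simply does not know the domain user, which is the same thing the empty `getent passwd` result showed. The Python below is an added example (not Samba's code, and not from anyone in this thread). It parses a log.smbd excerpt in the format shown, names that failure chain, and checks the three things smbd's getpwnam() depends on: winbind listed in nsswitch.conf, libnss_winbind.so.2 visible to the dynamic loader (the /lib64 versus /usr/lib/x86_64-linux-gnu issue discussed above; glibc loads `libnss_<service>.so.2` through the normal library search path), and an smb.conf whose idmap range for the ad backend actually contains the user's uidNumber, alongside the two lines Rowland mentions. All inputs are constructed, modelled on the thread; the function and variable names are the example's own.

```python
"""Triage helper for the symptom in this thread: wbinfo works, but neither
getent nor smbd's getpwnam() knows DOMAIN\\user, so session setup ends in
NT_STATUS_NO_SUCH_USER.  Added example, not Samba's own code; it only reads
text you paste in and never touches the live system."""
import re
from dataclasses import dataclass

# smbd entry header "[2014/02/12 17:10:44.326414,  3]"; the source location
# follows either on the same line or on the next one.
_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s*(.*)$")
_LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")


@dataclass
class Entry:
    timestamp: str
    level: int
    location: str = ""
    message: str = ""   # continuation lines joined with single spaces

def parse_smbd_log(text):
    """Group smbd's multi-line log format into Entry objects."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            cur = Entry(m.group(1), int(m.group(2)), m.group(3).strip())
            entries.append(cur)
        elif not line or cur is None:
            continue
        elif not cur.location and _LOCATION.match(line):
            cur.location = line
        else:
            cur.message = (cur.message + " " + line).strip()
    return entries

def diagnose(entries):
    """Name the failure chain: getpwnam() miss -> NO_SUCH_USER -> LOGON_FAILURE."""
    for e in entries:
        m = re.search(r"Failed to find authenticated user (\S+) via getpwnam\(\)", e.message)
        if m:   # the DC never rejected a password; the OS simply lacks the user
            return {"cause": "nss_lookup_failed", "user": m.group(1)}
    if any("NT_STATUS_NO_SUCH_USER" in e.message for e in entries):
        return {"cause": "no_such_user", "user": None}   # need log level 3 for detail
    return {"cause": "unknown", "user": None}

def nss_uses_winbind(nsswitch_text, database):
    """True if nsswitch.conf lists winbind as a source for 'passwd' or 'group'."""
    for line in nsswitch_text.splitlines():
        name, sep, sources = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return "winbind" in sources.split()
    return False

def loader_finds_winbind(ldconfig_output):
    """Return where `ldconfig -p` resolves libnss_winbind.so.2, or None."""
    m = re.search(r"libnss_winbind\.so\.2 \(.*\) => (\S+)", ldconfig_output)
    return m.group(1) if m else None

def smbconf_checks(smbconf_text, domain, uid_number):
    """Check the two [global] lines from the thread and the ad-backend idmap range."""
    opts, section = {}, None
    for raw in smbconf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            opts[re.sub(r"\s+", "", key).lower()] = value.strip()   # e.g. "kerberosmethod"
    lo, _, hi = opts.get(f"idmapconfig{domain.lower()}:range", "").partition("-")
    return {
        "kerberos_method_keytab": "keytab" in opts.get("kerberosmethod", "").lower(),
        "winbind_refresh_tickets": opts.get("winbindrefreshtickets", "").lower() == "yes",
        "uid_in_idmap_range": lo.isdigit() and hi.isdigit() and int(lo) <= uid_number <= int(hi),
    }

# Constructed inputs modelled on the thread, not captured from a real host.
SAMPLE_LOG = r"""
[2014/02/12 17:10:44.326414,  3]
  ../source3/auth/auth_util.c:1247(check_account)
  Failed to find authenticated user INTERNAL\administrator via getpwnam(),
  denying access.
[2014/02/12 17:10:44.326474,  5]
  ../source3/auth/auth.c:229(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/02/12 17:10:44.326666,  4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
"""
GOOD_NSSWITCH = "passwd: compat winbind\ngroup:  compat winbind  # added for AD\nshadow: compat\n"
LDCONFIG_OK = "\tlibnss_winbind.so.2 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libnss_winbind.so.2\n"
SMB_CONF = """
[global]
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    idmap config INTERNAL : backend = ad
    idmap config INTERNAL : range = 10000-999999
"""

if __name__ == "__main__":
    print(diagnose(parse_smbd_log(SAMPLE_LOG)), smbconf_checks(SMB_CONF, "INTERNAL", 10002))
```

To use it on a real member server, paste the relevant part of log.smbd (log level 3 or higher, as in the thread) into `SAMPLE_LOG`, and feed `nss_uses_winbind`, `loader_finds_winbind` and `smbconf_checks` the contents of /etc/nsswitch.conf, the output of `ldconfig -p` and smb.conf. If `diagnose` reports `nss_lookup_failed` while `wbinfo -i` for the same user succeeds, the fault is between winbindd and glibc (nsswitch.conf or the module's location), not in the domain join or the password.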