[Samba] Domain Member server - Domain users don't get access
Chan Min Wai
dcmwai at gmail.com
Wed Feb 12 23:24:28 MST 2014
Hi Shane Robinson,
Can you post your krb5.conf?
There is some information Samba needs there...
On Thu, Feb 13, 2014 at 9:42 AM, Shane Robinson <srobinson at simpeq.ca> wrote:
> >>>> Hello list!
> >>>> I have a newish Samba 4.1.4 (from git) AD DC running in an Ubuntu
> >>>> Precise KVM guest. It seems to be running well. Recent list posts
> >>>> have led me to set up a second instance of samba/ubuntu as a file
> >>>> Like the domain controller, Samba was built from git, but then it
> >>>> was configured using the "Samba/Domain Member" wiki. I added the sfu
> >>>> attributes to a few users/groups using ADUC, but I don't see that
> >>>> mentioned as a requirement (Is it a requirement?).
> >>> If you want getent to work, you don't _have_ to add the sfu stuff.
> >>> uidNumber and gidNumber are sufficient.
> >>>> My domain name is internal.simpeq.ca, the DC's name is Samba2, and
> >>>> the new file server's name is FS2. I start the services with a
> >>>> script that runs winbindd, then smbd, then nmbd, in that order.
> >>>> wbinfo -u and wbinfo -g work well, enumerating all domain users and
> >>>> groups.
> >>>> kinit works.
> >>>> $ getent passwd INTERNAL\\administrator
> >>>> AND
> >>>> getent group INTERNAL\\hrall
> >>>> ... give nothing.
> >>>> An strace of getent revealed that /lib64 was never queried for
> >>>> libnss_winbind.so, but /usr/lib/x86_64-linux-gnu was, so I relinked
> >>>> libnss_winbind.so to that folder.
> >>>> (Is this incorrect, or shall I update the Wiki with this information
> >>>> for Ubuntu users?)
> >>> The wiki is for 32 bit non-Debian distros only.
> >>> How did you join FS2?
> >>> Could you post:
> >>> The content of its keytab
> >>> The DN of INTERNAL\administrator
> >>> Cheers,
> >>> Steve
> >> Thanks for the reply Steve (et al)!
> >> First, if the uidNumber and gidNumber are required, I'll add that as a
> >> note to the wiki, once my account is active. Is it as simple as adding
> >> them in ADUC? Can you leave the default numbers in? For example, my
> >> administrator account has a uidNumber of 10002 and a gidNumber of
> >> 10004, as they were the defaults in ADUC.
> >> Second, the wiki makes no mention of being "32-bit non-debian". There
> >> is a section on linking the libnss_winbind.so in 64bit systems, but it
> >> only asks the user to link to /lib64, which doesn't appear to be
> >> correct for the ubuntu situation. If my suggestion is correct, I will
> >> add this to the wiki as well.
> >> The join was as follows: (did it again to be sure)
> >> shane at FS2:/usr/local/samba$ sudo ./bin/net ads join -UAdministrator
> >> Enter Administrator's password:
> >> Using short domain name -- INTERNAL
> >> Joined 'FS2' to dns domain 'internal.simpeq.ca'
> >> No DNS domain configured for fs2. Unable to perform DNS Update.
> >> DNS update failed: NT_STATUS_INVALID_PARAMETER
> >> The distinguishedName of Administrator (from ADSI) is:
> >> CN=Administrator,CN=Users,DC=internal,DC=simpeq,DC=ca
> >> As to the keytab file:
> >> shane at FS2:/usr/local/samba$ klist
> >> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
> >> And here's the part of the show where I explain that this is my first
> >> and only foray into anything Active Directory (LDAP, Kerberos, DNS etc).
> >> There was no mention whatsoever of a keytab file on the wiki, so I
> >> didn't do anything about it. Should one have been
> >> created/retrieved/found/pulled out of my... ? If so, what is the
> >> procedure for doing so? I'd love to be able to make that wiki as
> >> as possible.
> >> Thank you very much!
> > I think that part of your problem lies in the fact that the example
> > smb.conf on the wiki page is only a partial example, it is missing, For
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> > If you add these lines, restart samba and then rejoin, I am sure that you
> > will find that /etc/krb5.conf has been created (provided, of course, that
> > you have installed krb5-user).
> > The other problem with the wiki is that it is written by ordinary users,
> > who base what they write on what they did to their own system, and Linux
> > being Linux, the way that you do something on rpm based systems is
> > from deb based systems, package names are the least of the differences. Along
> > came 64bit (well, it didn't really, Sun for instance had 64bit machines for
> > years before AMD/Intel discovered them) and of course various distros did
> > different things, so yes, as you found, /lib64 is /usr/lib/x86_64 on
> > If you use the ad backend then you need uidNumbers & gidNumbers in AD,
> > they need to be within the range that you set in smb.conf, the one that you
> > refer to should be fine.
> Hi Rowland,
> Is there a reason those lines would be left off of the example? I've added
> them now, and /etc/krb5.conf is generated, but my results have not changed,
> i.e. smbclient -L localhost -Uadministrator
> session setup failed: NT_STATUS_LOGON_FAILURE
> log.smbd shows
> [2014/02/12 17:10:44.285058, 5]
> Mapping user [INTERNAL]\[administrator] from workstation [FS2]
> [2014/02/12 17:10:44.295310, 5]
> attempting to make a user_info for administrator (administrator)
> [2014/02/12 17:10:44.295604, 5]
> making strings for administrator's user_info struct
> [2014/02/12 17:10:44.295732, 5]
> making blobs for administrator's user_info struct
> [2014/02/12 17:10:44.295830, 3]
> check_ntlm_password: Checking password for unmapped user
> [INTERNAL]\[administrator]@[FS2] with the new password interface
> [2014/02/12 17:10:44.295921, 3]
> check_ntlm_password: mapped user is: [INTERNAL]\[administrator]@[FS2]
> [2014/02/12 17:10:44.296016, 5] ../lib/util/util.c:556(dump_data)
>  B3 83 CA FB 97 C2 15 A5 ........
> [2014/02/12 17:10:44.296185, 6]
> check_samstrict_security: INTERNAL is not one of my local names
> [2014/02/12 17:10:44.296298, 4]
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2014/02/12 17:10:44.296387, 4] ../source3/smbd/uid.c:485(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2014/02/12 17:10:44.296475, 4] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2014/02/12 17:10:44.296562, 5]
> Security token: (NULL)
> [2014/02/12 17:10:44.296647, 5]
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2014/02/12 17:10:44.320649, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/02/12 17:10:44.323708, 5]
> Finding user INTERNAL\administrator
> [2014/02/12 17:10:44.323911, 5]
> Trying _Get_Pwnam(), username as lowercase is internal\administrator
> [2014/02/12 17:10:44.325044, 5]
> Trying _Get_Pwnam(), username as given is INTERNAL\administrator
> [2014/02/12 17:10:44.325335, 5]
> Trying _Get_Pwnam(), username as uppercase is INTERNAL\ADMINISTRATOR
> [2014/02/12 17:10:44.325609, 5]
> Checking combinations of 0 uppercase letters in internal\administrator
> [2014/02/12 17:10:44.325642, 5]
> Get_Pwnam_internals didn't find user [INTERNAL\administrator]!
> [2014/02/12 17:10:44.325671, 5]
> Finding user administrator
> [2014/02/12 17:10:44.325697, 5]
> Trying _Get_Pwnam(), username as lowercase is administrator
> [2014/02/12 17:10:44.325962, 5]
> Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
> [2014/02/12 17:10:44.326269, 5]
> Checking combinations of 0 uppercase letters in administrator
> [2014/02/12 17:10:44.326303, 5]
> Get_Pwnam_internals didn't find user [administrator]!
> [2014/02/12 17:10:44.326414, 3]
> Failed to find authenticated user INTERNAL\administrator via getpwnam(),
> denying access.
> [2014/02/12 17:10:44.326474, 5]
> check_ntlm_password: winbind authentication for user [administrator]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326517, 2]
> check_ntlm_password: Authentication for user [administrator] ->
> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326546, 5]
> Checking NTLMSSP password for INTERNAL\administrator failed:
> [2014/02/12 17:10:44.326582, 5]
> ../auth/ntlmssp/ntlmssp_server.c:454: Checking NTLMSSP password for
> INTERNAL\administrator failed: NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326620, 2]
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2014/02/12 17:10:44.326666, 4] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/02/12 17:10:44.326697, 5]
> check lock order 1 for
> [2014/02/12 17:10:44.326760, 5]
> release lock order 1 for
> [2014/02/12 17:10:44.326812, 3]
> NT error packet at ../source3/smbd/sesssetup.c(263) cmd=115
> (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> Regarding the wiki, I understand fully that different distros do different
> things, and someone has already caught the library linking issue for
> so the wiki is now fully up to date in that regard. When I mention the
> I do so in the hopes of being able to contribute to it so other users in my
> situation don't have to flood the list with the same questions, and we have
> as complete a reference as possible.
> Thank you for your help, would you be able to point me in the next
> trouble-shooting direction?
> Shane Robinson
> Chief Administrative Officer
> SimpeQ Care
> t. 604.988.3103 ext. 104
> c. 604.506.3311
> f. 604.988.3105
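The log Shane posted shows smbd accepting the NTLM exchange and then failing at getpwnam() ("Failed to find authenticated user INTERNAL\administrator via getpwnam(), denying access"), which is the same lookup path that makes getent passwd return nothing while wbinfo -u works. The script below is an added example, not code from the thread or from the Samba project: it checks the three configuration points raised in the replies (passwd/group lookups routed to winbind in nsswitch.conf, the uidNumber/gidNumber from ADUC falling inside the "idmap config DOMAIN:range" set for the ad backend, and the "kerberos method" / "winbind refresh tickets" lines Rowland mentioned). The nsswitch.conf and smb.conf samples are constructed, the path under /tmp is hypothetical, and the range 10000-99999 is an assumption; only the uidNumber 10002 / gidNumber 10004 come from the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). On a Samba domain member it
# checks the usual reasons "getent passwd DOMAIN\user" prints nothing while
# "wbinfo -u" works, which smbd then logs as "Failed to find authenticated
# user ... via getpwnam(), denying access":
#   1. nsswitch.conf does not route passwd/group lookups to winbind
#   2. the user's uidNumber/gidNumber lies outside "idmap config DOMAIN:range"
#      of the ad backend
#   3. the "kerberos method" / "winbind refresh tickets" lines are missing
# All sample files below are constructed; the range 10000-99999 is an assumption.

SAMPLE_DIR=${TMPDIR:-/tmp}/member-check.$$
mkdir -p "$SAMPLE_DIR"
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# nsswitch.conf as many distros ship it: no winbind, so getent never asks winbindd
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF

# the same file after adding winbind to the passwd and group databases
cat > "$SAMPLE_DIR/nsswitch.fixed" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
EOF

# constructed smb.conf for a member using the ad backend, with Rowland's two lines
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
   workgroup = INTERNAL
   security = ADS
   realm = INTERNAL.SIMPEQ.CA
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 10000-99999
   winbind nss info = rfc2307
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
EOF

# nss_has_winbind FILE DB: succeeds if the "DB:" line in FILE lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# smb_value FILE "param name": prints the value of the first "param = value" line
smb_value() {
    awk -v key="$2" -F= '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
          if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit } }' "$1"
}

# id_in_range N LO-HI: succeeds if LO <= N <= HI
id_in_range() {
    lo=${2%-*}; hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# check_member NSSWITCH SMBCONF DOMAIN UIDNUMBER GIDNUMBER
# Prints one PROBLEM line per finding and fails if there was any.
check_member() {
    nss=$1; smb=$2; dom=$3; problems=0
    for db in passwd group; do
        if ! nss_has_winbind "$nss" "$db"; then
            printf 'PROBLEM: %s: "%s:" does not list winbind\n' "$nss" "$db"
            problems=$((problems + 1))
        fi
    done
    if [ "$(smb_value "$smb" "idmap config $dom:backend")" = "ad" ]; then
        range=$(smb_value "$smb" "idmap config $dom:range")
        if [ -z "$range" ]; then
            printf 'PROBLEM: no "idmap config %s:range" in %s\n' "$dom" "$smb"
            problems=$((problems + 1))
        else
            for n in "$4" "$5"; do
                if ! id_in_range "$n" "$range"; then
                    printf 'PROBLEM: %s is outside idmap range %s, winbind will not map it\n' "$n" "$range"
                    problems=$((problems + 1))
                fi
            done
        fi
    fi
    for p in "kerberos method" "winbind refresh tickets"; do
        if [ -z "$(smb_value "$smb" "$p")" ]; then
            printf 'PROBLEM: "%s" is not set in %s\n' "$p" "$smb"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Administrator as described in the thread: uidNumber 10002, gidNumber 10004
if check_member "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/smb.conf" INTERNAL 10002 10004; then
    printf '%s\n' "member configuration looks sane; retest with: getent passwd 'INTERNAL\\administrator'"
else
    printf '%s\n' "fix the PROBLEM lines above, then retest getent"
fi
```

On a real member, call check_member with /etc/nsswitch.conf, the smb.conf the running smbd actually reads (for a git build under /usr/local/samba that is /usr/local/samba/etc/smb.conf), the short domain name, and the uidNumber/gidNumber you entered in ADUC. Fixing nsswitch.conf alone is not enough if libnss_winbind.so is not in a directory the libc loader searches, which is the /lib64 versus /usr/lib/x86_64-linux-gnu point in the thread; strace of getent, as Shane did, shows which directories were tried.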