[Samba] Auth fail getpwuid(3000007) failed
Leander Schäfer
info at netocean.de
Sat May 3 06:43:52 MDT 2014
On 03.05.14 14:39, Rowland Penny wrote:
> On 03/05/14 13:30, Leander Schäfer wrote:
>>
>> On 03.05.14 14:20, Rowland Penny wrote:
>>> On 03/05/14 13:15, Leander Schäfer wrote:
>>>>
>>>> On 02.05.14 11:17, L.P.H. van Belle wrote:
>>>>> and you did try:
>>>>> smbclient -U "DOMAIN\MyUser" \\\\MyServerName\\MyShare MyPassword
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: info at netocean.de [mailto:samba-bounces at lists.samba.org]
>>>>>> On behalf of Leander Schäfer
>>>>>> Sent: Friday 2 May 2014 10:39
>>>>>> To: samba at lists.samba.org
>>>>>> CC: Patrick Hald
>>>>>> Subject: [Samba] Auth fail getpwuid(3000007) failed
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> sorry to bother, but all of a sudden after a fresh install of
>>>>>> samba with
>>>>>> the regular smb4.conf it keeps on failing when users try to
>>>>>> authenticate:
>>>>>>
>>>>>>
>>>>>> smbclient -U MyUser \\\\MyServerName\\MyShare MyPassword
>>>>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>> check_ntlm_password: authentication for user [MyUser] ->
>>>>>> [MyUser] ->
>>>>>> [MyUser] succeeded
>>>>>> [2014/05/02 10:29:40.930648, 3]
>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>>>>>> NTLMSSP Sign/Seal - Initialising with flags:
>>>>>> [2014/05/02 10:29:40.930671, 3]
>>>>>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>>>>>> Got NTLMSSP neg_flags=0x60088215
>>>>>> NTLMSSP_NEGOTIATE_UNICODE
>>>>>> NTLMSSP_REQUEST_TARGET
>>>>>> NTLMSSP_NEGOTIATE_SIGN
>>>>>> NTLMSSP_NEGOTIATE_NTLM
>>>>>> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>>> NTLMSSP_NEGOTIATE_NTLM2
>>>>>> NTLMSSP_NEGOTIATE_128
>>>>>> NTLMSSP_NEGOTIATE_KEY_EXCH
>>>>>> [2014/05/02 10:29:40.930799, 4]
>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>> [2014/05/02 10:29:40.930876, 4]
>>>>>> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>>>>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>>>>> [2014/05/02 10:29:40.930905, 4]
>>>>>> ../source3/smbd/uid.c:495(push_conn_ctx)
>>>>>> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>>>>> [2014/05/02 10:29:40.930926, 4]
>>>>>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>>>>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>>>>> [2014/05/02 10:29:40.930947, 5]
>>>>>> ../libcli/security/security_token.c:53(security_token_debug)
>>>>>> Security token: (NULL)
>>>>>> [2014/05/02 10:29:40.930968, 5]
>>>>>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>>>>>> UNIX token of user 0
>>>>>> Primary group is 0 and contains 0 supplementary groups
>>>>>> [2014/05/02 10:29:40.931099, 4]
>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>> [2014/05/02 10:29:40.931611, 1]
>>>>>> ../source3/auth/token_util.c:430(add_local_groups)
>>>>>> SID S-1-5-21-2799780924-1191006566-1534516595-1102 ->
>>>>>> getpwuid(3000007) failed
>>>>>> [2014/05/02 10:29:40.931654, 3]
>>>>>> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>>>>>> Failed to finalize nt token
>>>>>> [2014/05/02 10:29:40.931677, 1]
>>>>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>>>> Failed to generate session_info (user and group token) for
>>>>>> session
>>>>>> setup: NT_STATUS_UNSUCCESSFUL
>>>>>>
>>>>>> [...]
>>>>>>
>>>>>> What's wrong here?! Any hint is gratefully appreciated ;)
>>>>>>
>>>>>> Kind Regards
>>>>>>
>>>>>>
>>>> Sorry, I forgot. Here is the provision config:
>>>>
>>>>
>>>>
>>>> samba-tool domain provision \
>>>> --realm ${DOMAINNAME^^} \
>>>> --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>>> --adminpass ${ROOT_PWD} \
>>>> --server-role=standalone
>>>>
>>> And there is probably where your problems are coming from, I am
>>> fairly sure that you cannot provision samba4 as a standalone server,
>>> you need to run samba4 as if it was a samba 3 server, starting and
>>> running the separate smbd, nmbd and winbind daemons.
>>>
>>> Rowland
>> So, if I understand you correctly, then you recommend to NOT use the
>> "samba-tool domain provision" command at all, and instead proceed
>> with my regular smb4.conf posted before?
> If you mean this one:
>
> [global]
>
> # Basic server settings
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> netbios name = STORAGE-01
> server role = standalone server
>
> # Password backend
> passdb backend = samba_dsdb
>
> # DNS
> dns forwarder = 10.0.0.1
>
> # Logging
> log level = auth:10
> max log size = 0
>
> # Charset
> unix charset = UTF-8
> dos charset = cp1252
>
> # NTLMv2
> ntlm auth = No
> lanman auth = No
> client ntlmv2 auth = Yes
>
> # Printing
> load printers = No
> printing = BSD
> printcap name = /dev/null
>
> # Default masks
> unix extensions = No
> create mask = 0777
> force create mode = 0777
> directory mask = 0777
> force directory mode = 0777
>
> # Miscellaneous
> veto oplock files = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
> veto files =
> /.snap/.windows/.zfs/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
> wide links = No
>
>
> # ============= Shares ============= #
>
>
> [FireFly]
> comment = Shared Music
> path = /mnt/FireFly
> guest ok = Yes
> read only = No
>
> Then no. If you are setting up a standalone fileserver, then it needs
> to be set up as if you are setting up a samba3 machine, with users that
> are both Unix & samba users. Do a search on the internet, there are
> loads of howtos out there.
>
> Otherwise, if you have a samba AD DC, then you need to set it up as a
> member server, see here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
Yes, sure - the user is both - Unix and samba user. But if I don't use the
provisioning cmd beforehand:
samba-tool domain provision \
--realm ${DOMAINNAME^^} \
--domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
--adminpass ${ROOT_PWD} \
--server-role=standalone
and want to add unix user to samba user:
(echo "${SAMBA_SHARE_PASSWORD}"; echo "${SAMBA_SHARE_PASSWORD}") |
smbpasswd -a -s ${SAMBA_SHARE_USER}
then this results in an error:
Failed to open /var/db/samba4/private/secrets.tdb
while it was working with the provisioning cmd, when I used it with my
other samba4 machines?!
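
An added triage example (not part of the thread and not Samba's own code): the log excerpt quoted above shows authentication succeeding and session setup then failing because the uid mapped to the user's SID has no passwd entry. The script below finds that pattern in an smbd log and checks whether the uid resolves locally; the sample log is reconstructed from the excerpt with the mail line-wrapping undone, and the function names are hypothetical.

```python
import pwd
import re

# Constructed sample: the thread's excerpt with mail line-wrapping undone.
# Like the excerpt, it begins mid-entry (no header for the first message).
SAMPLE_LOG = """\
  check_ntlm_password: authentication for user [MyUser] -> [MyUser] -> [MyUser] succeeded
[2014/05/02 10:29:40.931611,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2799780924-1191006566-1534516595-1102 -> getpwuid(3000007) failed
[2014/05/02 10:29:40.931654,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
UNMAPPED = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")

def uid_resolves(uid):
    """True if the local NSS stack (passwd files, winbind, ...) knows this uid."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False

def find_unmapped_logins(log_text, resolver=uid_resolves):
    """Return one finding per 'getpwuid(N) failed' message in an smbd log."""
    findings, ts, user = [], None, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:                      # entry header: remember its timestamp
            ts = m.group("ts")
            continue
        m = AUTH_OK.search(line)
        if m:                      # password check passed for this user
            user = m.group(1)
            continue
        m = UNMAPPED.search(line)
        if m:                      # token build failed: uid has no passwd entry
            uid = int(m.group(2))
            findings.append({"time": ts, "user": user, "sid": m.group(1),
                             "uid": uid, "resolves_now": resolver(uid)})
            user = None
    return findings

if __name__ == "__main__":
    for finding in find_unmapped_logins(SAMPLE_LOG):
        print(finding)
```

A finding with `resolves_now` set to False means the uid assigned to the SID still cannot be looked up by any local passwd source on the host where the script runs.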