[Samba] Auth fail getpwuid(3000007) failed

Rowland Penny rowlandpenny at googlemail.com
Sat May 3 06:53:18 MDT 2014


On 03/05/14 13:43, Leander Schäfer wrote:
>
> On 03.05.14 14:39, Rowland Penny wrote:
>> On 03/05/14 13:30, Leander Schäfer wrote:
>>>
>>> On 03.05.14 14:20, Rowland Penny wrote:
>>>> On 03/05/14 13:15, Leander Schäfer wrote:
>>>>>
>>>>> On 02.05.14 11:17, L.P.H. van Belle wrote:
>>>>>> and you did try:
>>>>>> smbclient -U "DOMAIN\MyUser" \\\\MyServerName\\MyShare MyPassword
>>>>>>
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: info at netocean.de [mailto:samba-bounces at lists.samba.org]
>>>>>>> On behalf of Leander Schäfer
>>>>>>> Sent: Friday 2 May 2014 10:39
>>>>>>> To: samba at lists.samba.org
>>>>>>> CC: Patrick Hald
>>>>>>> Subject: [Samba] Auth fail getpwuid(3000007) failed
>>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> sorry to bother, but all of a sudden after a fresh install of
>>>>>>> samba with
>>>>>>> the regular smb4.conf it keeps on failing when users try to
>>>>>>> authenticate:
>>>>>>>
>>>>>>>
>>>>>>> smbclient -U MyUser \\\\MyServerName\\MyShare MyPassword
>>>>>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>>    check_ntlm_password:  authentication for user [MyUser] ->
>>>>>>> [MyUser] ->
>>>>>>> [MyUser] succeeded
>>>>>>> [2014/05/02 10:29:40.930648,  3]
>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>>>>>>>    NTLMSSP Sign/Seal - Initialising with flags:
>>>>>>> [2014/05/02 10:29:40.930671,  3]
>>>>>>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>>>>>>>    Got NTLMSSP neg_flags=0x60088215
>>>>>>>      NTLMSSP_NEGOTIATE_UNICODE
>>>>>>>      NTLMSSP_REQUEST_TARGET
>>>>>>>      NTLMSSP_NEGOTIATE_SIGN
>>>>>>>      NTLMSSP_NEGOTIATE_NTLM
>>>>>>>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>>>>      NTLMSSP_NEGOTIATE_NTLM2
>>>>>>>      NTLMSSP_NEGOTIATE_128
>>>>>>>      NTLMSSP_NEGOTIATE_KEY_EXCH
>>>>>>> [2014/05/02 10:29:40.930799,  4]
>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>> [2014/05/02 10:29:40.930876,  4]
>>>>>>> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>>>>>>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>>>>>> [2014/05/02 10:29:40.930905,  4]
>>>>>>> ../source3/smbd/uid.c:495(push_conn_ctx)
>>>>>>>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>>>>>> [2014/05/02 10:29:40.930926,  4]
>>>>>>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>>>>>>>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>>>>>> [2014/05/02 10:29:40.930947,  5]
>>>>>>> ../libcli/security/security_token.c:53(security_token_debug)
>>>>>>>    Security token: (NULL)
>>>>>>> [2014/05/02 10:29:40.930968,  5]
>>>>>>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>>>>>>>    UNIX token of user 0
>>>>>>>    Primary group is 0 and contains 0 supplementary groups
>>>>>>> [2014/05/02 10:29:40.931099,  4]
>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>> [2014/05/02 10:29:40.931611,  1]
>>>>>>> ../source3/auth/token_util.c:430(add_local_groups)
>>>>>>>    SID S-1-5-21-2799780924-1191006566-1534516595-1102 ->
>>>>>>> getpwuid(3000007) failed
>>>>>>> [2014/05/02 10:29:40.931654,  3]
>>>>>>> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>>>>>>>    Failed to finalize nt token
>>>>>>> [2014/05/02 10:29:40.931677,  1]
>>>>>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>>>>>    Failed to generate session_info (user and group token) for 
>>>>>>> session
>>>>>>> setup: NT_STATUS_UNSUCCESSFUL
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>> What's wrong here?! Any hint is gratefully appreciated ;)
>>>>>>>
>>>>>>> Kind Regards
>>>>>>>
>>>>>>>
>>>>> Sorry, I forgot. Here is the provision config:
>>>>>
>>>>>
>>>>>
>>>>> samba-tool domain provision \
>>>>>            --realm ${DOMAINNAME^^} \
>>>>>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>>>>            --adminpass ${ROOT_PWD} \
>>>>>            --server-role=standalone
>>>>>
>>>> And that is probably where your problems are coming from. I am 
>>>> fairly sure that you cannot provision samba4 as a standalone 
>>>> server; you need to run samba4 as if it were a samba 3 server, 
>>>> starting and running the separate smbd, nmbd and winbind daemons.
>>>>
>>>> Rowland
>>> So, if I understand you correctly, then you recommend to NOT use the 
>>> "samba-tool domain provision" command at all, and instead proceed 
>>> with my regular smb4.conf posted before?
>> If you mean this one:
>>
>> [global]
>>
>>   # Basic server settings
>>   workgroup          = MYDOMAIN
>>   realm              = MYDOMAIN.LOCAL
>>   netbios name       = STORAGE-01
>>   server role        = standalone server
>>
>>   # Password backend
>>   passdb backend     = samba_dsdb
>>
>>   # DNS
>>   dns forwarder      = 10.0.0.1
>>
>>   # Logging
>>   log level    = auth:10
>>   max log size = 0
>>
>>   # Charset
>>   unix charset       = UTF-8
>>   dos charset        = cp1252
>>
>>   # NTLMv2
>>   ntlm auth          = No
>>   lanman auth        = No
>>   client ntlmv2 auth = Yes
>>
>>   # Printing
>>   load printers = No
>>   printing      = BSD
>>   printcap name = /dev/null
>>
>>   # Default masks
>>   unix extensions      = No
>>   create mask          = 0777
>>   force create mode    = 0777
>>   directory mask       = 0777
>>   force directory mode = 0777
>>
>>   # Miscellaneous
>>   veto oplock files  = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
>>   veto files         = /.snap/.windows/.zfs/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
>>   wide links         = No
>>
>>
>> # ============= Shares ============= #
>>
>>
>> [FireFly]
>>   comment     = Shared Music
>>   path        = /mnt/FireFly
>>   guest ok    = Yes
>>   read only   = No
>>
>> Then no. If you are setting up a standalone fileserver, then it needs 
>> to be set up as if you are setting up a samba3 machine, with users 
>> that are both Unix & samba users. Do a search on the internet; there 
>> are loads of howtos out there.
>>
>> Otherwise, if you have a samba AD DC, then you need to set it up as a 
>> member server, see here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
> Yes, sure - the user is both - Unix and samba user. But if I don't use 
> the provisioning cmd beforehand:
>
> samba-tool domain provision \
>            --realm ${DOMAINNAME^^} \
>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>            --adminpass ${ROOT_PWD} \
>            --server-role=standalone
>
>
> and want to add unix user to samba user:
>
> (echo "${SAMBA_SHARE_PASSWORD}"; echo "${SAMBA_SHARE_PASSWORD}") | 
> smbpasswd -a -s ${SAMBA_SHARE_USER}
>
>
> then this results in an error:
> Failed to open /var/db/samba4/private/secrets.tdb
>
> while it was working with the provisioning cmd, when I used it with my 
> other samba4 machines?!
>
>
>
>
>
OK, if you want an AD DC then use the 'samba-tool domain provision', 
otherwise do not use it.

From what you have written, you are running what is known as a 
'workgroup'. With this setup your users have to exist on every machine, 
both in /etc/passwd and samba. To do this, you need to set samba up in 
the 'classic' mode. Like I said, do a search on the internet for a howto 
on setting up a samba3 fileserver.

Rowland
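
An added diagnostic example, not part of the original thread and not Samba's own code: it pulls the `getpwuid(...) failed` records out of an smbd log like the one quoted above and reports which uids have no Unix account on the host, the condition the reply above says must hold for every user. The log sample is constructed from the lines quoted in the thread; the function names and the `resolve` parameter are hypothetical.

```python
import pwd
import re

# Constructed sample in smbd's log layout (header line, then indented message),
# using the SID and uid quoted in the thread; the message is wrapped as in the mail.
SAMPLE_LOG = """\
[2014/05/02 10:29:40.931611,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2799780924-1191006566-1534516595-1102 ->
  getpwuid(3000007) failed
[2014/05/02 10:29:40.931654,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
"""

# Header: "[timestamp, level] source-file:line(function)"
HEADER = re.compile(r"^\[[^\]]+\]\s+\S+\((\w+)\)$", re.M)
FAILURE = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")


def records(text):
    """Yield (function, message) per log record, wrapped message lines rejoined."""
    parts = HEADER.split(text)[1:]
    for func, body in zip(parts[0::2], parts[1::2]):
        yield func, " ".join(body.split())


def local_account(uid):
    """Return the Unix account name for uid via NSS, or None if there is none."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def unmapped_sids(text, resolve=local_account):
    """List (sid, uid) pairs smbd failed to map that still lack a Unix account."""
    found = []
    for _func, msg in records(text):
        m = FAILURE.search(msg)
        if m and resolve(int(m.group(2))) is None:
            found.append((m.group(1), int(m.group(2))))
    return found


if __name__ == "__main__":
    for sid, uid in unmapped_sids(SAMPLE_LOG):
        print(f"{sid}: uid {uid} has no passwd entry on this host")
```

Run against the real smbd log on the file server, any pair it prints is a user whose mapped uid has no passwd entry on that host.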


