[Samba] Auth fail getpwuid(3000007) failed

Leander Schäfer info at netocean.de
Sat May 3 07:07:15 MDT 2014


Anyway, one more question is still open: what does 
--server-role=standalone then stand for?!

On 03.05.14 14:53, Rowland Penny wrote:
> On 03/05/14 13:43, Leander Schäfer wrote:
>>
>> On 03.05.14 14:39, Rowland Penny wrote:
>>> On 03/05/14 13:30, Leander Schäfer wrote:
>>>>
>>>> On 03.05.14 14:20, Rowland Penny wrote:
>>>>> On 03/05/14 13:15, Leander Schäfer wrote:
>>>>>>
>>>>>> On 02.05.14 11:17, L.P.H. van Belle wrote:
>>>>>>> and you did try:
>>>>>>> smbclient -U "DOMAIN\MyUser" \\\\MyServerName\\MyShare MyPassword
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: info at netocean.de [mailto:samba-bounces at lists.samba.org]
>>>>>>>> On behalf of Leander Schäfer
>>>>>>>> Sent: Friday 2 May 2014 10:39
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> CC: Patrick Hald
>>>>>>>> Subject: [Samba] Auth fail getpwuid(3000007) failed
>>>>>>>>
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> sorry to bother, but all of a sudden after a fresh install of
>>>>>>>> samba with
>>>>>>>> the regular smb4.conf it keeps on failing when users try to
>>>>>>>> authenticate:
>>>>>>>>
>>>>>>>>
>>>>>>>> smbclient -U MyUser \\\\MyServerName\\MyShare MyPassword
>>>>>>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> [...]
>>>>>>>>
>>>>>>>>    check_ntlm_password:  authentication for user [MyUser] -> [MyUser] -> [MyUser] succeeded
>>>>>>>> [2014/05/02 10:29:40.930648,  3]
>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>>>>>>>>    NTLMSSP Sign/Seal - Initialising with flags:
>>>>>>>> [2014/05/02 10:29:40.930671,  3]
>>>>>>>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>>>>>>>>    Got NTLMSSP neg_flags=0x60088215
>>>>>>>>      NTLMSSP_NEGOTIATE_UNICODE
>>>>>>>>      NTLMSSP_REQUEST_TARGET
>>>>>>>>      NTLMSSP_NEGOTIATE_SIGN
>>>>>>>>      NTLMSSP_NEGOTIATE_NTLM
>>>>>>>>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>>>>>      NTLMSSP_NEGOTIATE_NTLM2
>>>>>>>>      NTLMSSP_NEGOTIATE_128
>>>>>>>>      NTLMSSP_NEGOTIATE_KEY_EXCH
>>>>>>>> [2014/05/02 10:29:40.930799,  4]
>>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>>> [2014/05/02 10:29:40.930876,  4]
>>>>>>>> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>>>>>>>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>>>>>>> [2014/05/02 10:29:40.930905,  4]
>>>>>>>> ../source3/smbd/uid.c:495(push_conn_ctx)
>>>>>>>>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>>>>>>> [2014/05/02 10:29:40.930926,  4]
>>>>>>>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>>>>>>>>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>>>>>>> [2014/05/02 10:29:40.930947,  5]
>>>>>>>> ../libcli/security/security_token.c:53(security_token_debug)
>>>>>>>>    Security token: (NULL)
>>>>>>>> [2014/05/02 10:29:40.930968,  5]
>>>>>>>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>>>>>>>>    UNIX token of user 0
>>>>>>>>    Primary group is 0 and contains 0 supplementary groups
>>>>>>>> [2014/05/02 10:29:40.931099,  4]
>>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>>> [2014/05/02 10:29:40.931611,  1]
>>>>>>>> ../source3/auth/token_util.c:430(add_local_groups)
>>>>>>>>    SID S-1-5-21-2799780924-1191006566-1534516595-1102 -> getpwuid(3000007) failed
>>>>>>>> [2014/05/02 10:29:40.931654,  3]
>>>>>>>> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>>>>>>>>    Failed to finalize nt token
>>>>>>>> [2014/05/02 10:29:40.931677,  1]
>>>>>>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>>>>>>    Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> [...]
>>>>>>>>
>>>>>>>> What's wrong here?! Any hint is gratefully appreciated ;)
>>>>>>>>
>>>>>>>> Kind Regards
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>
>>>>>>>>
>>>>>> Sorry, I forgot. Here is the provision config:
>>>>>>
>>>>>>
>>>>>>
>>>>>> samba-tool domain provision \
>>>>>>            --realm ${DOMAINNAME^^} \
>>>>>>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>>>>>            --adminpass ${ROOT_PWD} \
>>>>>>            --server-role=standalone
>>>>>>
>>>>> And there is probably where your problems are coming from, I am 
>>>>> fairly sure that you cannot provision samba4 as a standalone 
>>>>> server, you need to run samba4 as if it was a samba 3 server, 
>>>>> starting and running the separate smbd, nmbd and winbind daemons.
>>>>>
>>>>> Rowland
>>>> So, if I understand you correctly, then you recommend to NOT use 
>>>> the "samba-tool domain provision" command at all, and instead 
>>>> proceed with my regular smb4.conf posted before?
>>> If you mean this one:
>>>
>>> [global]
>>>
>>>   # Basic server settings
>>>   workgroup          = MYDOMAIN
>>>   realm              = MYDOMAIN.LOCAL
>>>   netbios name       = STORAGE-01
>>>   server role        = standalone server
>>>
>>>   # Password backend
>>>   passdb backend     = samba_dsdb
>>>
>>>   # DNS
>>>   dns forwarder      = 10.0.0.1
>>>
>>>   # Logging
>>>   log level    = auth:10
>>>   max log size = 0
>>>
>>>   # Charset
>>>   unix charset       = UTF-8
>>>   dos charset        = cp1252
>>>
>>>   # NTLMv2
>>>   ntlm auth          = No
>>>   lanman auth        = No
>>>   client ntlmv2 auth = Yes
>>>
>>>   # Printing
>>>   load printers = No
>>>   printing      = BSD
>>>   printcap name = /dev/null
>>>
>>>   # Default masks
>>>   unix extensions      = No
>>>   create mask          = 0777
>>>   force create mode    = 0777
>>>   directory mask       = 0777
>>>   force directory mode = 0777
>>>
>>>   # Miscellaneous
>>>   veto oplock files  = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
>>>   veto files         = /.snap/.windows/.zfs/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
>>>   wide links         = No
>>>
>>>
>>> # ============= Shares ============= #
>>>
>>>
>>> [FireFly]
>>>   comment     = Shared Music
>>>   path        = /mnt/FireFly
>>>   guest ok    = Yes
>>>   read only   = No
>>>
>>> Then no, if you are setting up a standalone fileserver, then it 
>>> needs to be set up as if you are setting up a samba3 machine, with 
>>> users that are both Unix & samba users, do a search on the internet, 
>>> there are loads of howto's out there.
>>>
>>> Otherwise, if you have a samba AD DC, then you need to set it up as a 
>>> member server, see here:
>>>
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>
>>> Rowland
>> Yes, sure - the user is both - Unix and samba user. But if I don't use 
>> the provisioning cmd beforehand:
>>
>> samba-tool domain provision \
>>            --realm ${DOMAINNAME^^} \
>>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>            --adminpass ${ROOT_PWD} \
>>            --server-role=standalone
>>
>>
>> and want to add unix user to samba user:
>>
>> (echo "${SAMBA_SHARE_PASSWORD}"; echo "${SAMBA_SHARE_PASSWORD}") | 
>> smbpasswd -a -s ${SAMBA_SHARE_USER}
>>
>>
>> then this results in an error:
>> Failed to open /var/db/samba4/private/secrets.tdb
>>
>> while it was working with the provisioning cmd, when I used it with 
>> my other samba4 machines?!
>>
>>
>>
>>
>>
> OK, if you want an AD DC then use the 'samba-tool domain provision' 
> otherwise do not use it.
>
> From what you have written, you are running what is known as a 
> 'workgroup', with this set up your users have to exist on every 
> machine, both in /etc/passwd and samba. To do this, you need to set 
> samba up in the 'classic' mode, like I said, do a search on the 
> internet for a howto to set up a samba3 fileserver.
>
> Rowland
>
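
Added example (not part of the original thread, and not Samba code): a small log check for the failure quoted above. It pulls each `SID ... -> getpwuid(N) failed` message out of an smbd log and reports whether that uid has a local passwd entry, which the replies say a standalone server requires; `find_failed_lookups`, `local_account` and the sample log are constructed for illustration.

```python
import pwd
import re

# Constructed sample, modelled on the smbd log excerpt quoted in the thread,
# including the mid-message line wrap introduced by the mail client.
SAMPLE_LOG = """\
[2014/05/02 10:29:40.931611,  1]
../source3/auth/token_util.c:430(add_local_groups)
   SID S-1-5-21-2799780924-1191006566-1534516595-1102 ->
getpwuid(3000007) failed
[2014/05/02 10:29:40.931654,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
   Failed to finalize nt token
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FAILED = re.compile(r"SID\s+(S-[\d-]+)\s*->\s*getpwuid\((\d+)\)\s+failed")


def local_account(uid):
    """Return the account name NSS reports for uid, or None if there is none."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def find_failed_lookups(log_text, lookup=local_account):
    """Return one record per 'SID ... -> getpwuid(N) failed' message."""
    records, stamp, body = [], None, ""
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            # A new timestamped header starts a new message.
            stamp, body = header.group(1), line[header.end():].strip()
            continue
        # Join continuation lines so a wrapped message still matches.
        body = f"{body} {line.strip()}".strip()
        hit = FAILED.search(body)
        if hit:
            uid = int(hit.group(2))
            records.append({"time": stamp, "sid": hit.group(1),
                            "uid": uid, "account": lookup(uid)})
            body = ""
    return records


if __name__ == "__main__":
    for rec in find_failed_lookups(SAMPLE_LOG):
        state = rec["account"] or "no passwd entry"
        print(f'{rec["time"]}  {rec["sid"]}  uid={rec["uid"]}  {state}')
```

A record whose `account` is `None` marks a SID that Samba mapped to a uid the host's passwd database does not know.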


