[Samba] Auth fail getpwuid(3000007) failed

Rowland Penny rowlandpenny at googlemail.com
Sat May 3 07:18:42 MDT 2014


On 03/05/14 14:07, Leander Schäfer wrote:
> Anyway, one more question is still open: what does 
> --server-role=standalone then stand for?!
>
> On 03.05.14 14:53, Rowland Penny wrote:
>> On 03/05/14 13:43, Leander Schäfer wrote:
>>>
>>> On 03.05.14 14:39, Rowland Penny wrote:
>>>> On 03/05/14 13:30, Leander Schäfer wrote:
>>>>>
>>>>> On 03.05.14 14:20, Rowland Penny wrote:
>>>>>> On 03/05/14 13:15, Leander Schäfer wrote:
>>>>>>>
>>>>>>> On 02.05.14 11:17, L.P.H. van Belle wrote:
>>>>>>>> and you did try:
>>>>>>>> smbclient -U "DOMAIN\MyUser" \\\\MyServerName\\MyShare MyPassword
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original message-----
>>>>>>>>> From: info at netocean.de [mailto:samba-bounces at lists.samba.org]
>>>>>>>>> On behalf of Leander Schäfer
>>>>>>>>> Sent: Friday 2 May 2014 10:39
>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>> CC: Patrick Hald
>>>>>>>>> Subject: [Samba] Auth fail getpwuid(3000007) failed
>>>>>>>>>
>>>>>>>>> Hi
>>>>>>>>>
>>>>>>>>> sorry to bother, but all of a sudden after a fresh install of
>>>>>>>>> samba with the regular smb4.conf it keeps on failing when users
>>>>>>>>> try to authenticate:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> smbclient -U MyUser \\\\MyServerName\\MyShare MyPassword
>>>>>>>>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>>    check_ntlm_password:  authentication for user [MyUser] -> [MyUser] -> [MyUser] succeeded
>>>>>>>>> [2014/05/02 10:29:40.930648,  3]
>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>>>>>>>>>    NTLMSSP Sign/Seal - Initialising with flags:
>>>>>>>>> [2014/05/02 10:29:40.930671,  3]
>>>>>>>>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>>>>>>>>>    Got NTLMSSP neg_flags=0x60088215
>>>>>>>>>      NTLMSSP_NEGOTIATE_UNICODE
>>>>>>>>>      NTLMSSP_REQUEST_TARGET
>>>>>>>>>      NTLMSSP_NEGOTIATE_SIGN
>>>>>>>>>      NTLMSSP_NEGOTIATE_NTLM
>>>>>>>>>      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>>>>>>>      NTLMSSP_NEGOTIATE_NTLM2
>>>>>>>>>      NTLMSSP_NEGOTIATE_128
>>>>>>>>>      NTLMSSP_NEGOTIATE_KEY_EXCH
>>>>>>>>> [2014/05/02 10:29:40.930799,  4]
>>>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>>>> [2014/05/02 10:29:40.930876,  4]
>>>>>>>>> ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>>>>>>>>>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>>>>>>>> [2014/05/02 10:29:40.930905,  4]
>>>>>>>>> ../source3/smbd/uid.c:495(push_conn_ctx)
>>>>>>>>>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>>>>>>>>> [2014/05/02 10:29:40.930926,  4]
>>>>>>>>> ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>>>>>>>>>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>>>>>>>>> [2014/05/02 10:29:40.930947,  5]
>>>>>>>>> ../libcli/security/security_token.c:53(security_token_debug)
>>>>>>>>>    Security token: (NULL)
>>>>>>>>> [2014/05/02 10:29:40.930968,  5]
>>>>>>>>> ../source3/auth/token_util.c:629(debug_unix_user_token)
>>>>>>>>>    UNIX token of user 0
>>>>>>>>>    Primary group is 0 and contains 0 supplementary groups
>>>>>>>>> [2014/05/02 10:29:40.931099,  4]
>>>>>>>>> ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>>>>>>>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>>>>>> [2014/05/02 10:29:40.931611,  1]
>>>>>>>>> ../source3/auth/token_util.c:430(add_local_groups)
>>>>>>>>>    SID S-1-5-21-2799780924-1191006566-1534516595-1102 -> getpwuid(3000007) failed
>>>>>>>>> [2014/05/02 10:29:40.931654,  3]
>>>>>>>>> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>>>>>>>>>    Failed to finalize nt token
>>>>>>>>> [2014/05/02 10:29:40.931677,  1]
>>>>>>>>> ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
>>>>>>>>>    Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>> What's wrong here?! Any hint is gratefully appreciated ;)
>>>>>>>>>
>>>>>>>>> Kind Regards
>>>>>>>>>
>>>>>>>>>
>>>>>>> Sorry, I forgot. Here is the provision config:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> samba-tool domain provision \
>>>>>>>            --realm ${DOMAINNAME^^} \
>>>>>>>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>>>>>>            --adminpass ${ROOT_PWD} \
>>>>>>>            --server-role=standalone
>>>>>>>
>>>>>> And there is probably where your problems are coming from, I am 
>>>>>> fairly sure that you cannot provision samba4 as a standalone 
>>>>>> server, you need to run samba4 as if it was a samba 3 server, 
>>>>>> starting and running the separate smbd, nmbd and winbind daemons.
>>>>>>
>>>>>> Rowland
>>>>> So, if I understand you correctly, then you recommend to NOT use 
>>>>> the "samba-tool domain provision" command at all, and instead 
>>>>> proceed with my regular smb4.conf posted before?
>>>> If you mean this one:
>>>>
>>>> [global]
>>>>
>>>>   # Basic server settings
>>>>   workgroup          = MYDOMAIN
>>>>   realm              = MYDOMAIN.LOCAL
>>>>   netbios name       = STORAGE-01
>>>>   server role        = standalone server
>>>>
>>>>   # Password backend
>>>>   passdb backend     = samba_dsdb
>>>>
>>>>   # DNS
>>>>   dns forwarder      = 10.0.0.1
>>>>
>>>>   # Logging
>>>>   log level    = auth:10
>>>>   max log size = 0
>>>>
>>>>   # Charset
>>>>   unix charset       = UTF-8
>>>>   dos charset        = cp1252
>>>>
>>>>   # NTLMv2
>>>>   ntlm auth          = No
>>>>   lanman auth        = No
>>>>   client ntlmv2 auth = Yes
>>>>
>>>>   # Printing
>>>>   load printers = No
>>>>   printing      = BSD
>>>>   printcap name = /dev/null
>>>>
>>>>   # Default masks
>>>>   unix extensions      = No
>>>>   create mask          = 0777
>>>>   force create mode    = 0777
>>>>   directory mask       = 0777
>>>>   force directory mode = 0777
>>>>
>>>>   # Miscellaneous
>>>>   veto oplock files  = /*.doc/*.xls/*.ppt/*.mdb/*.docx/*.xlsx/*.ppt
>>>>   veto files         = /.snap/.windows/.zfs/Thumbs.db/.DS_Store/._.DS_Store/.apdisk/
>>>>   wide links         = No
>>>>
>>>>
>>>> # ============= Shares ============= #
>>>>
>>>>
>>>> [FireFly]
>>>>   comment     = Shared Music
>>>>   path        = /mnt/FireFly
>>>>   guest ok    = Yes
>>>>   read only   = No
>>>>
>>>> Then no. If you are setting up a standalone fileserver, then it 
>>>> needs to be set up as if you are setting up a samba3 machine, with 
>>>> users that are both Unix & samba users. Do a search on the 
>>>> internet, there are loads of howtos out there.
>>>>
>>>> Otherwise, if you have a samba AD DC, then you need to set it up as 
>>>> a member server, see here:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>
>>>> Rowland
>>> Yes, sure - the user is both - Unix and samba user. But if I don't use 
>>> the provisioning cmd beforehand:
>>>
>>> samba-tool domain provision \
>>>            --realm ${DOMAINNAME^^} \
>>>            --domain "$( echo ${DOMAINNAME^^} | awk -F'.' '{print $1}' )" \
>>>            --adminpass ${ROOT_PWD} \
>>>            --server-role=standalone
>>>
>>>
>>> and want to add unix user to samba user:
>>>
>>> (echo "${SAMBA_SHARE_PASSWORD}"; echo "${SAMBA_SHARE_PASSWORD}") | smbpasswd -a -s ${SAMBA_SHARE_USER}
>>>
>>>
>>> then this results in an error:
>>> Failed to open /var/db/samba4/private/secrets.tdb
>>>
>>> while it was working with the provisioning cmd, when I used it with 
>>> my other samba4 machines?!
>>>
>>>
>>>
>>>
>>>
>> OK, if you want an AD DC then use the 'samba-tool domain provision' 
>> otherwise do not use it.
>>
>> From what you have written, you are running what is known as a 
>> 'workgroup'. With this setup your users have to exist on every 
>> machine, both in /etc/passwd and samba. To do this, you need to set 
>> samba up in the 'classic' mode. Like I said, do a search on the 
>> internet for a howto to set up a samba3 fileserver.
>>
>> Rowland
>>
>
If you are setting up a windows AD DC then it would be a server that is 
NOT part of a domain, have a look here:

http://technet.microsoft.com/en-us/library/cc737933%28v=ws.10%29.aspx

At the moment, as far as I know, you can only provision as a dc, 
anything else, you set up as before with samba3.

Rowland
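
The failure in the quoted log is a SID mapped to uid 3000007 for which getpwuid() returns nothing. As an added example (not part of the original thread, and not Samba project code), this script extracts every such SID/uid pair from an smbd log and checks whether the uid resolves through NSS on the server. The function names and the embedded sample log are constructed here for illustration.

```shell
#!/bin/sh
# Constructed sample: the add_local_groups message from the thread,
# with the wrapped lines joined as they would appear in a log file.
SAMPLE_LOG='[2014/05/02 10:29:40.931611,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2799780924-1191006566-1534516595-1102 -> getpwuid(3000007) failed
[2014/05/02 10:29:40.931654,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token'

# Read log text on stdin, print "SID uid" for each failed getpwuid() lookup.
failed_lookups() {
    sed -n 's/.*SID \(S-[0-9-]*\) -> getpwuid(\([0-9][0-9]*\)) failed.*/\1 \2/p'
}

# Return 0 if the uid has a passwd entry via NSS (files, winbind, ...).
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# One line per distinct failed lookup: "<uid> <status> <SID>".
# "no-passwd-entry" means the account the SID maps to does not exist as a
# Unix user, which is the condition smbd reports in the log.
report() {
    failed_lookups | sort -u | while read -r sid uid; do
        if uid_resolves "$uid"; then
            echo "$uid resolves-now $sid"
        else
            echo "$uid no-passwd-entry $sid"
        fi
    done
}

# Run against the constructed sample; replace with: report < /path/to/log.smbd
printf '%s\n' "$SAMPLE_LOG" | report
```

A `no-passwd-entry` result for a uid confirms that the Samba account has no matching Unix account, which is the mismatch Rowland describes for a standalone ("classic") setup.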

