[Samba] Samba as AD member can not validate domain user

jd at ionica.lv jd at ionica.lv
Mon Apr 6 13:31:36 MDT 2015


correction (see below)
Quoting jd at ionica.lv:

> Quoting jd at ionica.lv:
>
>> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>>
>>>> CFG files from fileserver:
>>>> ============
>>>> krb5.conf
>>>> [libdefaults]
>>>> default = INTERNAL.DOMAIN.LV
>>>> dns_lookup_realm = false
>>>> dns_lookup_kdc = true
>>>>
>>>> ===========
>>>> nsswitch.conf
>>>> passwd:         compat winbind
>>>> group:          compat winbind
>>>> shadow:         compat files
>>>>
>>>> hosts:          files dns
>>>> networks:       files
>>>>
>>>> services:       files
>>>> protocols:      files
>>>> rpc:            files
>>>> ethers:         files
>>>> netmasks:       files
>>>> netgroup:       files
>>>> bootparams:     files
>>>>
>>>> automount:      files
>>>> aliases:        files nisplus
>>>> publickey:      nisplus
>>>> =============
>>>> SMB.conf on fileserver
>>>> [global]
>>>>      security = ADS
>>>>      workgroup = INTERNAL
>>>>      acl group control = yes
>>>>      inherit acls = Yes
>>>>      map acl inherit = Yes
>>>>      realm = INTERNAL.DOMAIN.LV
>>>>      kerberos method = secrets and keytab
>>>>      idmap config internal:backend = ad
>>>>      idmap config internal:range = 10000-3001000
>>>>      idmap config internal:schema_mode = rfc2307
>>>>      idmap config *:range = 2000-9999
>>>>      idmap config *:backend = tdb
>>>>      dedicated keytab file = /etc/krb5.keytab
>>>>      winbind enum users = Yes
>>>>      winbind enum groups = Yes
>>>>      winbind separator = \
>>>>      winbind refresh tickets = Yes
>>>>      winbind nss info = rfc2307
>>>>      winbind use default domain = yes
>>>>      winbind trusted domains only = yes
>>>>      utmp = yes
>>>>      wins server = sambadc.DOMAIN.lv
>>>>      wins support = yes
>>>>      dns proxy = no
>>>>      wins proxy = no
>>>>      wtmp directory = /var/log/wtmp
>>>>      preferred master = no
>>>>      log level = 4
>>>>      bind interfaces only = Yes
>>>>      interfaces = lo, eth1
>>>>      netbios name = FS2
>>>>      os level = 33
>>>> ======================
>>> Firstly, please put the smb.conf on the AD DC back to what it was  
>>> just after the provision. You do not need the extra lines you have  
>>> added.
>>
>> now smb.conf is rather short:
>> [global]
>>        workgroup = INTERNAL
>>        realm = INTERNAL.DOMAIN.LV
>>        netbios name = SAMBADC
>>        server role = active directory domain controller
>>        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,  
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>        idmap_ldb:use rfc2307 = yes
>>        log level = 4
>>
>> [netlogon]
>>        path = /var/lib/samba/sysvol/internal.domain.lv/scripts
>>        read only = No
>>
>> [sysvol]
>>        path = /var/lib/samba/sysvol
>>        read only = No
>>
>>> You have posted what is probably your problem:
>>>
>>> 3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)'  
>>> objectSID gidNumber
>>> gives only objectSID without gidNumber;
>>>
>>> You are using the winbind 'ad' backend on the member server, for  
>>> this to work, your users need a 'uidNumber' attribute and 'Domain  
>>> Users' (at least) *NEEDS* a 'gidNumber'
>>
>> after assigning UNIX attributes to users and domain groups, all of them have
>> uidNumbers and gidNumbers starting from 10000,
>> ldbsearch gives:
>> dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
>> objectSid: S-1-5-21-216404829-505555237-127066545-513
>> gidNumber: 10000
>>
>>> If you use the 'ad' backend, then giving your users a 'uidNumber'  
>>> is not enough, you must give their primarygroup (Domain Users) a  
>>> 'gidNumber' attribute.
>>
>> all of the AD users are members of the Domain Users group now.
>>
>> Now on the DC, getent passwd gives just a list of local users;
>> getent passwd INTERNAL\\username gives domain user info with  
>> uid/gid 100xx:10000
>>
>> still no changes on fileserver, getent passwd INTERNAL\\username  
>> finishes without any msg;
>> in log.winbindd there is this entry:
>> [2015/04/06 21:42:37.714639,  3]  
>> ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>>  getpwnam INTERNAL\username
>>
>>
>> joining to the AD DC ends with joined server and such messages:
>> DNS Update for mail.domain.lv failed: ERROR_DNS_INVALID_MESSAGE
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> (mail.domain.lv being the hostname of the server where samba  
>> fileserver with netbios name FS2 resides)
>>
>> I do not see anything in capital letters in the logs
>
> just wanted to add :
>
> log.smbd on fileserver get such msg after unsuccessful attempt to  
> browse shares:
>
> [2015/04/06 22:12:41.553353,  3]  
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>   Found account name from PAC: username []
> [2015/04/06 22:12:41.553372,  3]  
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [username at INTERNAL.DOMAIN.LV]
> [2015/04/06 22:12:41.554105,  1]  
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>   Username INTERNALwusername is invalid on this system
[2015/04/06 22:26:05.829369,  1]  
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
   Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

(??? there couldn't be such a local user, as I understood)
