[Samba] 3.6.6 map untrusted to domain does not work if winbind is running

Harald Hannelius harald+samba at arcada.fi
Tue Feb 10 05:37:23 MST 2015


Hi all,

I have a domain member server 3.6.6 running on debian7, authenticating 
against another debian7 + samba 3.6.6 in DC-mode. Both servers have 
user-accounts and groups on LDAP and resolve posix users using libnss-ldap. 
The groupmap is living on LDAP as well.

The domain member server serves a share with ACL enabled. I got the upgrade 
to 3.6.X and idmap-updates working, but the old behaviour where clients from 
other (or unknown) domains should be mapped to domain users is not.

I have been testing with "smbclient '\\server\intra'" which fails. If I test 
with "smbclient '\\server\intra' -WGROUP" it works.

If I stop winbindd (needed for groupmap) I am able to authenticate without 
entering a workgroup.

Workstations here are sitting in an AD-tree, and they are largely now 
unable to automagically authenticate to the share (they share the same 
usernames and passwords).

Please suggest anything



# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[intra]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
 	workgroup = GROUP
 	server string = Intranet
 	security = DOMAIN
 	passdb backend = ldapsam:"ldaps://ldap1.domain.com ldaps://ldap2.domain.com "
 	map untrusted to domain = Yes
 	syslog = 0
 	log file = /var/log/samba/log.%m
 	max log size = 100
 	unix extensions = No
 	socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096 IPTOS_LOWDELAY
 	load printers = No
 	os level = 65
 	local master = No
 	wins server = 11.22.33.44
 	ldap admin dn = "cn=sambaadmin,dc=domain,dc=com"
 	ldap idmap suffix = ou=people
 	ldap suffix = dc=domain,dc=com
 	ldap ssl = no
 	ldap user suffix = ou=people
 	utmp = Yes
 	winbind enum groups = Yes
 	idmap config * : base_rid = 0
 	idmap config GROUP : ldap_user_dn = cn=server,dc=domain,dc=com
 	idmap config GROUP : ldap_base_dn = ou=people,dc=domain,dc=com
 	idmap config GROUP : ldap_url = ldaps://ldap1.domain.com/
 	idmap config GROUP : read only = yes
 	idmap config GROUP : range = 2000000-4000000
 	idmap config GROUP : backend = ldap
 	idmap config * : range = 2000-4999
 	idmap config * : backend = tdb

[intra]
 	comment = Intranet
 	path = /intra
 	invalid users = root, someuser
 	read only = No
 	create mask = 0665
 	directory mask = 02775



[2015/02/10 14:31:07.975917,  3] auth/auth.c:222(check_ntlm_password)
   check_ntlm_password:  mapped user is: [GROUP]\[harald]@[BIATCH]
[2015/02/10 14:31:07.976003, 10] auth/auth.c:231(check_ntlm_password)
   check_ntlm_password: auth_context challenge created by random
[2015/02/10 14:31:07.976088, 10] auth/auth.c:233(check_ntlm_password)
   challenge is:
[2015/02/10 14:31:07.976172,  5] ../lib/util/util.c:415(dump_data)
   [0000] 1E FA EF 6E 4C 2B DD CF                            ...nL+..
[2015/02/10 14:31:07.976292, 10] auth/auth_builtin.c:44(check_guest_security)
   Check auth for: [harald]
[2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
   check_ntlm_password: guest had nothing to say
[2015/02/10 14:31:07.976472, 10] auth/auth_sam.c:75(auth_samstrict_auth)
   Check auth for: [harald]
[2015/02/10 14:31:07.976557,  8] lib/util.c:1521(is_myname)
   is_myname("GROUP") returns 0
[2015/02/10 14:31:07.976643,  6] auth/auth_sam.c:88(auth_samstrict_auth)
   check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
   check_ntlm_password: sam had nothing to say
[2015/02/10 14:31:07.976821, 10] auth/auth_winbind.c:50(check_winbind_security)
   Check auth for: [harald]
[2015/02/10 14:31:07.976907,  4] smbd/sec_ctx.c:214(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2015/02/10 14:31:07.977003,  4] smbd/uid.c:460(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2015/02/10 14:31:07.977089,  4] smbd/sec_ctx.c:314(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2015/02/10 14:31:07.977175,  5] ../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2015/02/10 14:31:07.977258,  5] auth/token_util.c:527(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2015/02/10 14:31:07.993761,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
   check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/02/10 14:31:07.993944,  5] auth/auth.c:271(check_ntlm_password)
   check_ntlm_password: winbind authentication for user [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994032,  2] auth/auth.c:319(check_ntlm_password)
   check_ntlm_password:  Authentication for user [harald] -> [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/10 14:31:07.994141,  3] smbd/error.c:81(error_packet_set)
   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2015/02/10 14:31:07.994241,  5] lib/util.c:332(show_msg)
[2015/02/10 14:31:07.994289,  5] lib/util.c:342(show_msg)


-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
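A small parser for the smbd debug output quoted in the post, added here as an example (it is not part of the original message nor of Samba itself). It rebuilds each log record, joining the mail-wrapped continuation lines, and pulls out the domain mapping, the auth modules consulted and the final NT_STATUS, which is the quickest way to read from a level-10 log whether "map untrusted to domain" rewrote the client's domain before winbind rejected the user. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample in the shape of the smbd debug log quoted above (same names
# and timestamps as the post, rejoined so every record starts with a header).
SAMPLE_LOG = r"""[2015/02/10 14:31:07.975917,  3] auth/auth.c:222(check_ntlm_password)
   check_ntlm_password:  mapped user is: [GROUP]\[harald]@[BIATCH]
[2015/02/10 14:31:07.976472, 10] auth/auth_sam.c:75(auth_samstrict_auth)
   Check auth for: [harald]
[2015/02/10 14:31:07.976643,  6] auth/auth_sam.c:88(auth_samstrict_auth)
   check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2015/02/10 14:31:07.976821, 10] auth/auth_winbind.c:50(check_winbind_security)
   Check auth for: [harald]
[2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
   check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/02/10 14:31:07.994032,  2] auth/auth.c:319(check_ntlm_password)
   check_ntlm_password:  Authentication for user [harald] -> [harald] FAILED
with error NT_STATUS_WRONG_PASSWORD
"""
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>[\w./]+):\d+\((?P<func>\w+)\)")
MAPPED = re.compile(r"mapped user is: \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<wks>[^\]]*)\]")
RESULT = re.compile(r"Authentication for user \[[^\]]+\] -> \[(?P<user>[^\]]+)\] (?P<outcome>\w+)"
                    r"(?: with error (?P<status>NT_STATUS_\w+))?")


def parse_smbd_log(text):
    """Group each '[ts, level] src:line(func)' header with its message text;
    lines that are not headers (indented or mail-wrapped) extend the last record."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def summarize_auth(text):
    """Pull out what matters from one NTLM session setup: how the client's domain
    was mapped, which auth modules were consulted, and the final status."""
    summary = {"mapped": None, "modules": [], "outcome": None, "status": None, "notes": []}
    for rec in parse_smbd_log(text):
        msg = rec["msg"]
        if m := MAPPED.search(msg):
            summary["mapped"] = m.groupdict()      # domain\user@workstation after mapping
        elif "Check auth for:" in msg:
            summary["modules"].append(rec["func"])  # auth module that looked at the user
        elif "is not one of my local names" in msg:
            summary["notes"].append(msg.split(":", 1)[1].strip())
        elif m := RESULT.search(msg):
            summary["outcome"], summary["status"] = m["outcome"], m["status"]
    return summary
```

On the post's log this reports the workstation domain BIATCH rewritten to GROUP, the sam module declining because GROUP is not a local name on a domain member, and winbind then failing the user with NT_STATUS_WRONG_PASSWORD.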