[Samba] 3.6.6 map untrusted to domain does not work if winbind is running
Harald Hannelius
harald.hannelius at arcada.fi
Thu Feb 12 06:47:01 MST 2015
Anyone?
On Tue, 10 Feb 2015, Harald Hannelius wrote:
>
> Hi all,
>
> I have a domain member server 3.6.6 running on debian7, authenticating
> against another debian7 + samba 3.6.6 in DC-mode. Both servers have
> user-accounts and groups on LDAP and resolve posix users using libnss-ldap.
> The groupmap is living on LDAP as well.
>
> The domain member server serves a share with ACL enabled. I got the upgrade
> to 3.6.X and idmap-updates working, but the old behaviour where clients from
> other (or unknown) domains should be mapped to domain users is not.
>
> I have been testing with "smbclient '\\server\intra'" which fails. If I test
> with "smbclient '\\server\intra' -WGROUP" it works.
>
> If I stop winbindd (needed for groupmap) I am able to authenticate without
> entering a workgroup.
>
> Workstations here are sitting in an AD-tree, and they are largely now unable
> to automagically authenticate to the share (they share the same usernames and
> passwords).
>
> Please suggest anything
>
>
>
> # testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[intra]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = GROUP
> server string = Intranet
> security = DOMAIN
> passdb backend = ldapsam:"ldaps://ldap1.domain.com
> ldaps://ldap2.domain.com "
> map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 100
> unix extensions = No
> socket options = TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
> IPTOS_LOWDELAY
> load printers = No
> os level = 65
> local master = No
> wins server = 11.22.33.44
> ldap admin dn = "cn=sambaadmin,dc=domain,dc=com"
> ldap idmap suffix = ou=people
> ldap suffix = dc=domain,dc=com
> ldap ssl = no
> ldap user suffix = ou=people
> utmp = Yes
> winbind enum groups = Yes
> idmap config * : base_rid = 0
> idmap config GROUP : ldap_user_dn = cn=server,dc=domain,dc=com
> idmap config GROUP : ldap_base_dn = ou=people,dc=domain,dc=com
> idmap config GROUP : ldap_url = ldaps://ldap1.domain.com/
> idmap config GROUP : read only = yes
> idmap config GROUP : range = 2000000-4000000
> idmap config GROUP : backend = ldap
> idmap config * : range = 2000-4999
> idmap config * : backend = tdb
>
> [intra]
> comment = Intranet
> path = /intra
> invalid users = root, someuser
> read only = No
> create mask = 0665
> directory mask = 02775
>
>
>
> [2015/02/10 14:31:07.975917, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: mapped user is: [GROUP]\[harald]@[BIATCH]
> [2015/02/10 14:31:07.976003, 10] auth/auth.c:231(check_ntlm_password)
> check_ntlm_password: auth_context challenge created by random
> [2015/02/10 14:31:07.976088, 10] auth/auth.c:233(check_ntlm_password)
> challenge is:
> [2015/02/10 14:31:07.976172, 5] ../lib/util/util.c:415(dump_data)
> [0000] 1E FA EF 6E 4C 2B DD CF ...nL+..
> [2015/02/10 14:31:07.976292, 10] auth/auth_builtin.c:44(check_guest_security)
> Check auth for: [harald]
> [2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
> check_ntlm_password: guest had nothing to say
> [2015/02/10 14:31:07.976472, 10] auth/auth_sam.c:75(auth_samstrict_auth)
> Check auth for: [harald]
> [2015/02/10 14:31:07.976557, 8] lib/util.c:1521(is_myname)
> is_myname("GROUP") returns 0
> [2015/02/10 14:31:07.976643, 6] auth/auth_sam.c:88(auth_samstrict_auth)
> check_samstrict_security: GROUP is not one of my local names
> (ROLE_DOMAIN_MEMBER)
> [2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
> check_ntlm_password: sam had nothing to say
> [2015/02/10 14:31:07.976821, 10]
> auth/auth_winbind.c:50(check_winbind_security)
> Check auth for: [harald]
> [2015/02/10 14:31:07.976907, 4] smbd/sec_ctx.c:214(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2015/02/10 14:31:07.977003, 4] smbd/uid.c:460(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2015/02/10 14:31:07.977089, 4] smbd/sec_ctx.c:314(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2015/02/10 14:31:07.977175, 5]
> ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2015/02/10 14:31:07.977258, 5] auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2015/02/10 14:31:07.993761, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2015/02/10 14:31:07.993861, 10]
> auth/auth_winbind.c:99(check_winbind_security)
> check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
> [2015/02/10 14:31:07.993944, 5] auth/auth.c:271(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [harald] FAILED with
> error NT_STATUS_WRONG_PASSWORD
> [2015/02/10 14:31:07.994032, 2] auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [harald] -> [harald] FAILED
> with error NT_STATUS_WRONG_PASSWORD
> [2015/02/10 14:31:07.994141, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2015/02/10 14:31:07.994241, 5] lib/util.c:332(show_msg)
> [2015/02/10 14:31:07.994289, 5] lib/util.c:342(show_msg)
>
>
>
--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
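As an added triage helper (not part of the original thread), a small parser for the level-10 check_ntlm_password trace quoted above: it records the mapped domain, user and workstation, and which auth module skipped or rejected the request and why. The sample log is a constructed, unwrapped copy of the records quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the level-10 smbd records quoted in the post, mail wrapping undone.
SAMPLE_LOG = """\
[2015/02/10 14:31:07.975917, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [GROUP]\\[harald]@[BIATCH]
[2015/02/10 14:31:07.976381, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2015/02/10 14:31:07.976643, 6] auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: GROUP is not one of my local names (ROLE_DOMAIN_MEMBER)
[2015/02/10 14:31:07.976729, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2015/02/10 14:31:07.993861, 10] auth/auth_winbind.c:99(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/02/10 14:31:07.994032, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [harald] -> [harald] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

MAPPED_RE = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
SKIPPED_RE = re.compile(r"check_ntlm_password: (\w+) had nothing to say")
SAM_RE = re.compile(r"check_samstrict_security: (.+?) is not one of my local names")
WINBIND_RE = re.compile(r"check_winbind_security: wbcAuthenticateUserEx failed: (\w+)")
FINAL_RE = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] FAILED with error (NT_STATUS_\w+)")

@dataclass
class AuthTrace:
    domain: str = ""
    user: str = ""
    workstation: str = ""
    modules: list = field(default_factory=list)  # (module, verdict, detail) in the order tried
    status: str = ""

def parse_auth_trace(text: str) -> AuthTrace:
    """Walk one check_ntlm_password trace and record what each auth module decided."""
    t = AuthTrace()
    pending = {}  # a module's reason, logged before its "had nothing to say" line
    for line in text.splitlines():
        if m := MAPPED_RE.search(line):
            t.domain, t.user, t.workstation = m.groups()
        elif m := SAM_RE.search(line):
            pending["sam"] = f"{m[1]} is not one of my local names"
        elif m := SKIPPED_RE.search(line):
            t.modules.append((m[1], "skipped", pending.pop(m[1], "")))
        elif m := WINBIND_RE.search(line):
            t.modules.append(("winbind", "rejected", m[1]))
        elif m := FINAL_RE.search(line):
            t.status = m[1]
    return t
```

Run against the sample, the trace shows the request reaching winbind only after the sam module declined it because GROUP is not a local name on a ROLE_DOMAIN_MEMBER, which is the chain worth comparing against a trace taken with winbindd stopped.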