[Samba] Problem with Samba 4.2/FreeBSD10.1
Lee Brown
leeb at ratnaling.org
Sat Jul 11 03:06:11 UTC 2015
Hi everyone, this is my first foray into Samba and AD both.
Not sure if this is an OS or configuration problem. I've found similar
issues, but nothing either recent enough (what I found relates to Samba 3) or close
enough.
FreeBSD-10.1-RELENG, Samba 4.2.2.
I have the domain provisioned as rfc2307
I have joined a Win7-virtual machine to the domain
I have created a new user with ADUC
I have assigned 10000 to the Domain Users GID
I have assigned 10000 to the new user
I have logged in with the new user
I have joined a member server to the domain
I cannot access anything from the member server; it would appear it doesn't
recognize any of the users.
Both the DC and MS are jailed.
***Domain controller***
10.1.200.99/32
# cat /etc/resolv.conf
nameserver 10.1.200.99
search ad.nyingma.org
# hostname
dc1.ad.nyingma.org
# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.NYINGMA.ORG
dns_lookup_realm = false
dns_lookup_kdc = true
# cat /usr/local/etc/smb4.conf
[global]
workgroup = NYINGMA
realm = AD.NYINGMA.ORG
netbios name = DC1
interfaces = 10.1.200.99
bind interfaces only = Yes
server role = active directory domain controller
dns forwarder = 10.1.200.1
idmap_ldb:use rfc2307 = yes
disable netbios = yes
nsupdate command = /usr/local/bin/samba-nsupdate -g
[netlogon]
path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
***Member Server***
10.1.200.98/32
# cat /etc/resolv.conf
nameserver 10.1.200.99
search ad.nyingma.org
# cat /usr/local/etc/smb4.conf
[global]
netbios name = MS1
workgroup = NYINGMA
security = ADS
realm = AD.NYINGMA.ORG
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config NYINGMA:backend = ad
idmap config NYINGMA:schema_mode = rfc2307
idmap config NYINGMA:range = 10000-99999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
log level = 10
[demoshare]
path = /srv/samba/test
read only = no
# wbinfo -u
administrator
krbtgt
guest
leeb
# cat /etc/nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.1/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
#group_compat: nis
hosts: files dns
networks: files
#passwd: compat
#passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
group: files winbind
user: files winbind
# sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root winbindd 52698 26 tcp4 10.1.200.98:37794 10.1.200.99:445
root winbindd 52698 28 tcp4 10.1.200.98:37794 10.1.200.99:445
root winbindd 52698 30 tcp4 10.1.200.98:59691 10.1.200.99:389
root winbindd 52698 31 tcp4 10.1.200.98:59026 10.1.200.99:389
root winbindd 52698 32 tcp4 10.1.200.98:49319 10.1.200.99:1024
root smbd 52693 35 tcp4 10.1.200.98:445 *:*
root smbd 52693 36 tcp4 10.1.200.98:139 *:*
root nmbd 52689 16 udp4 10.1.200.98:137 *:*
root nmbd 52689 17 udp4 10.1.200.98:138 *:*
root nmbd 52689 18 udp4 10.1.200.98:137 *:*
root nmbd 52689 19 udp4 10.1.200.98:137 *:*
root nmbd 52689 20 udp4 10.1.200.98:138 *:*
root nmbd 52689 21 udp4 10.1.200.98:138 *:*
# wbinfo -i leeb
leeb:*:10000:10000:lee:/home/leeb:/bin/sh
# kinit leeb@AD.NYINGMA.ORG
leeb@AD.NYINGMA.ORG's Password:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: leeb@AD.NYINGMA.ORG
Issued Expires Principal
Jul 10 20:03:32 2015 Jul 11 06:03:32 2015 krbtgt/AD.NYINGMA.ORG@AD.NYINGMA.ORG
HOWEVER:
# getent passwd
does not list the above user
The windows side gets an access denied.
With a debug level of 1:
# tail log.smbd
[2015/07/10 20:01:31.573768, 0]
../source3/lib/util_sock.c:455(open_socket_in)
open_socket_in(): socket() call failed: Protocol not supported
[2015/07/10 20:01:31.573832, 0]
../source3/smbd/server.c:690(smbd_open_one_socket)
smbd_open_once_socket: open_socket_in: Protocol not supported
[2015/07/10 20:01:31.574017, 1]
../source3/printing/printer_list.c:227(printer_list_get_last_refresh)
Failed to fetch record!
[2015/07/10 20:01:38.007082, 1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
Username NYINGMA\leeb is invalid on this system
[2015/07/10 20:01:38.007103, 1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
Any clues to where to go next would be very much appreciated.
-- lee
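One thing worth checking on the member server above is the nsswitch.conf it posts: `wbinfo -i leeb` talks to winbindd directly and resolves the user, while `getent passwd` goes through the name service switch and comes back empty, and smbd's "Username NYINGMA\leeb is invalid on this system" is the same lookup failing on the server side. FreeBSD's nsswitch.conf(5) names its databases `passwd` and `group`; the posted file routes `group` through winbind but has a `user:` line where a `passwd:` line would be expected. The script below is an added example, not part of Lee's post or of Samba; it parses an nsswitch.conf, reports whether `passwd` and `group` both list winbind, and flags database names NSS does not know. The sample input is constructed from the posted file, and the set of known database names is an assumption rather than a copy of the manual page.

```python
"""Check an nsswitch.conf for the NSS databases winbind needs.

Added example (not from the post): a small parser that reports whether the
`passwd` and `group` databases route through winbind, and flags database
names that are not part of the name service switch. On a Samba member
server, `wbinfo -i user` (winbindd directly) can succeed while
`getent passwd` (via NSS) stays empty if `passwd:` does not list winbind.
"""

# Database names nsswitch.conf(5) on FreeBSD accepts. This set is an
# assumption for the example, not copied verbatim from the manual page.
KNOWN_DATABASES = {
    "group", "hosts", "networks", "passwd", "shells", "services",
    "protocols", "rpc", "netgroup",
}

# Databases winbind must be listed in for domain accounts to resolve.
WINBIND_DATABASES = ("passwd", "group")

# Constructed sample mirroring the member server's file in the post.
SAMPLE_NSSWITCH = """\
# constructed sample, mirrors the member server's file in the post
hosts: files dns
networks: files
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
group: files winbind
user: files winbind
"""

# The same file with the `user:` line replaced by a `passwd:` line.
FIXED_NSSWITCH = SAMPLE_NSSWITCH.replace("user: files winbind",
                                         "passwd: files winbind")


def parse_nsswitch(text):
    """Return {database: [sources...]} from nsswitch.conf text.

    Comments (#...) and blank lines are skipped. Lines such as
    `group_compat: nis` are kept under their own key, as in the file.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        # Bracketed status actions like [notfound=return] are not sources.
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        databases[name.strip()] = sources
    return databases


def check_winbind_nss(text):
    """Return a list of findings; an empty list means the file looks right."""
    dbs = parse_nsswitch(text)
    findings = []
    for db in WINBIND_DATABASES:
        sources = dbs.get(db)
        if sources is None:
            findings.append(f"{db}: not configured, so winbind is not consulted")
        elif "winbind" not in sources:
            findings.append(f"{db}: winbind missing from sources {sources}")
    for name in dbs:
        base = name.split("_compat")[0]  # group_compat -> group
        if base not in KNOWN_DATABASES:
            findings.append(f"{name}: unknown database, NSS ignores this line")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_NSSWITCH),
                        ("corrected", FIXED_NSSWITCH)):
        print(label, check_winbind_nss(text) or ["ok"])
```

Run it against a real file with `check_winbind_nss(open("/etc/nsswitch.conf").read())`; after changing the file, `getent passwd leeb` on the member server is the quickest confirmation that NSS now resolves the domain account, independent of smbd.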