[Samba] Problem with Samba 4.2/FreeBSD10.1
Rowland Penny
rowlandpenny241155 at gmail.com
Sat Jul 11 09:16:07 UTC 2015
On 11/07/15 04:06, Lee Brown wrote:
> Hi Everyone, my first foray into Samba and AD both.
>
> Not sure if this is an OS or configuration problem. I've found similar
> issues, but nothing either recent enough (is related to samba 3) or close
> enough.
>
> FreeBSD-10.1-RELENG, Samba 4.2.2.
>
> I have the domain provisioned as rfc2307
> I have joined a Win7-virtual machine to the domain
> I have created a new user with ADUC
> I have assigned 10000 to the Domain Users GID
> I have assigned 10000 to the new user
> I have logged in with the new user
> I have joined a member server to the domain
> I cannot access anything from the member server; it would appear it doesn't
> recognize any of the users.
>
> Both the DC and MS are jailed.
>
> ***Domain controller***
> 10.1.200.99/32
>
> #cat /etc/resolv.conf
> nameserver 10.1.200.99
> search ad.nyingma.org
>
> #hostname
> dc1.ad.nyingma.org
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = AD.NYINGMA.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> #cat /usr/local/etc/smb4.conf
> [global]
> workgroup = NYINGMA
> realm = AD.NYINGMA.ORG
> netbios name = DC1
> interfaces = 10.1.200.99
> bind interfaces only = Yes
> server role = active directory domain controller
> dns forwarder = 10.1.200.1
> idmap_ldb:use rfc2307 = yes
> disable netbios = yes
> nsupdate command = /usr/local/bin/samba-nsupdate -g
>
> [netlogon]
> path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
> read only = No
>
> [sysvol]
> path = /var/db/samba4/sysvol
> read only = No
>
> ***Member Server***
> 10.1.200.98/32
>
> # cat /etc/resolv.conf
> nameserver 10.1.200.99
> search ad.nyingma.org
>
> # cat /usr/local/etc/smb4.conf
> [global]
> netbios name = MS1
> workgroup = NYINGMA
> security = ADS
> realm = AD.NYINGMA.ORG
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config NYINGMA:backend = ad
> idmap config NYINGMA:schema_mode = rfc2307
> idmap config NYINGMA:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> log level = 10
>
> [demoshare]
> path = /srv/samba/test
> read only = no
>
> # wbinfo -u
> administrator
> krbtgt
> guest
> leeb
>
> # cat /etc/nsswitch.conf
> #
> # nsswitch.conf(5) - name service switch configuration file
> # $FreeBSD: releng/10.1/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
> #
> #group: compat
> #group_compat: nis
> hosts: files dns
> networks: files
> #passwd: compat
> #passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> group: files winbind
> user: files winbind
>
> # sockstat -4
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root winbindd 52698 26 tcp4 10.1.200.98:37794 10.1.200.99:445
> root winbindd 52698 28 tcp4 10.1.200.98:37794 10.1.200.99:445
> root winbindd 52698 30 tcp4 10.1.200.98:59691 10.1.200.99:389
> root winbindd 52698 31 tcp4 10.1.200.98:59026 10.1.200.99:389
> root winbindd 52698 32 tcp4 10.1.200.98:49319 10.1.200.99:1024
> root smbd 52693 35 tcp4 10.1.200.98:445 *:*
> root smbd 52693 36 tcp4 10.1.200.98:139 *:*
> root nmbd 52689 16 udp4 10.1.200.98:137 *:*
> root nmbd 52689 17 udp4 10.1.200.98:138 *:*
> root nmbd 52689 18 udp4 10.1.200.98:137 *:*
> root nmbd 52689 19 udp4 10.1.200.98:137 *:*
> root nmbd 52689 20 udp4 10.1.200.98:138 *:*
> root nmbd 52689 21 udp4 10.1.200.98:138 *:*
>
> # wbinfo -i leeb
> leeb:*:10000:10000:lee:/home/leeb:/bin/sh
>
> # kinit leeb@AD.NYINGMA.ORG
> leeb@AD.NYINGMA.ORG's Password:
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: leeb@AD.NYINGMA.ORG
>
> Issued Expires Principal
> Jul 10 20:03:32 2015 Jul 11 06:03:32 2015 krbtgt/AD.NYINGMA.ORG@AD.NYINGMA.ORG
>
> HOWEVER:
> # getent passwd
> does not list the above user
>
> The windows side gets an access denied.
> With a debug level of 1:
>
> # tail log.smbd
> [2015/07/10 20:01:31.573768, 0]
> ../source3/lib/util_sock.c:455(open_socket_in)
> open_socket_in(): socket() call failed: Protocol not supported
> [2015/07/10 20:01:31.573832, 0]
> ../source3/smbd/server.c:690(smbd_open_one_socket)
> smbd_open_once_socket: open_socket_in: Protocol not supported
> [2015/07/10 20:01:31.574017, 1]
> ../source3/printing/printer_list.c:227(printer_list_get_last_refresh)
> Failed to fetch record!
> [2015/07/10 20:01:38.007082, 1]
> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> Username NYINGMA\leeb is invalid on this system
> [2015/07/10 20:01:38.007103, 1]
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>
>
> Any clues to where to go next would be very much appreciated.
>
> -- lee
Hi, I recently set up a FreeBSD member server to test something and my
setup was virtually the same as yours; the only real differences I can see
are that mine worked and I *didn't* use jails.
Rowland
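An added check, not part of the thread, for the symptom reported above (wbinfo -i resolves the user while getent passwd does not): it parses an nsswitch.conf and confirms that both the passwd and group databases hand lookups to winbind. The sample file is constructed to mirror the posted configuration; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). On a Samba member server, getent
# only sees domain users when nsswitch.conf routes BOTH "passwd" and "group"
# through winbind. FreeBSD's nsswitch.conf(5) has no "user" database; the
# database for user lookups is named "passwd".

# nss_sources FILE DB -> prints the source list configured for database DB,
# return status 1 if the database has no (uncommented) line
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" -F: '
        $1 == db { sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2)
                   print $2; found = 1 }
        END      { if (!found) exit 1 }'
}

# nss_has_winbind FILE DB -> 0 if DB is configured and lists winbind, else 1
nss_has_winbind() {
    srcs=$(nss_sources "$1" "$2") || return 1
    for s in $srcs; do
        [ "$s" = "winbind" ] && return 0
    done
    return 1
}

# check_member_nss FILE -> one OK/MISSING line per required database;
# returns 1 if any required database does not use winbind
check_member_nss() {
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "$db: winbind OK"
        else
            echo "$db: winbind MISSING"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the nsswitch.conf posted in the thread
sample=$(mktemp)
cat > "$sample" <<'EOF'
#passwd: compat
hosts: files dns
group: files winbind
user: files winbind
EOF
if check_member_nss "$sample"; then echo "NSS ready for domain users"
else echo "NSS incomplete: getent will not list domain users"; fi
rm -f "$sample"
```

Run it against the real /etc/nsswitch.conf by pointing check_member_nss at that path instead of the constructed sample.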