[Samba] Problem with Samba 4.2/FreeBSD10.1

Rowland Penny rowlandpenny241155 at gmail.com
Sat Jul 11 10:01:48 UTC 2015


On 11/07/15 10:16, Rowland Penny wrote:
> On 11/07/15 04:06, Lee Brown wrote:
>> Hi Everyone, my first foray into Samba and AD both.
>>
>> Not sure if this is an OS or configuration problem.  I've found similar
>> issues, but nothing either recent enough (it relates to samba 3) or close enough.
>>
>> FreeBSD-10.1-RELENG, Samba 4.2.2.
>>
>> I have the domain provisioned as rfc2307
>> I have joined a Win7-virtual machine to the domain
>> I have created a new user with ADUC
>> I have assigned 10000 to the Domain Users GID
>> I have assigned 10000 to the new user
>> I have logged in with the new user
>> I have joined a member server to the domain
>> I cannot access anything from the member server; it would appear it doesn't recognize any of the users.
>>
>> Both the DC and MS are jailed.
>>
>> ***Domain controller***
>> 10.1.200.99/32
>>
>> #cat /etc/resolv.conf
>> nameserver 10.1.200.99
>> search ad.nyingma.org
>>
>> #hostname
>> dc1.ad.nyingma.org
>>
>> # cat /etc/krb5.conf
>> [libdefaults]
>>          default_realm = AD.NYINGMA.ORG
>>          dns_lookup_realm = false
>>          dns_lookup_kdc = true
>>
>> #cat /usr/local/etc/smb4.conf
>> [global]
>>          workgroup = NYINGMA
>>          realm = AD.NYINGMA.ORG
>>          netbios name = DC1
>>          interfaces = 10.1.200.99
>>          bind interfaces only = Yes
>>          server role = active directory domain controller
>>          dns forwarder = 10.1.200.1
>>          idmap_ldb:use rfc2307 = yes
>>          disable netbios = yes
>>          nsupdate command = /usr/local/bin/samba-nsupdate -g
>>
>> [netlogon]
>>          path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/db/samba4/sysvol
>>          read only = No
>>
>> ***Member Server***
>> 10.1.200.98/32
>>
>> # cat /etc/resolv.conf
>> nameserver 10.1.200.99
>> search ad.nyingma.org
>>
>> # cat /usr/local/etc/smb4.conf
>> [global]
>>    netbios name = MS1
>>    workgroup = NYINGMA
>>    security = ADS
>>    realm = AD.NYINGMA.ORG
>>    dedicated keytab file = /etc/krb5.keytab
>>    kerberos method = secrets and keytab
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 2000-9999
>>    idmap config NYINGMA:backend = ad
>>    idmap config NYINGMA:schema_mode = rfc2307
>>    idmap config NYINGMA:range = 10000-99999
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = Yes
>>
>>    log level = 10
>>
>> [demoshare]
>>    path = /srv/samba/test
>>    read only = no
>>
>> # wbinfo -u
>> administrator
>> krbtgt
>> guest
>> leeb
>>
>> # cat /etc/nsswitch.conf
>> #
>> # nsswitch.conf(5) - name service switch configuration file
>> # $FreeBSD: releng/10.1/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
>> #
>> #group: compat
>> #group_compat: nis
>> hosts: files dns
>> networks: files
>> #passwd: compat
>> #passwd_compat: nis
>> shells: files
>> services: compat
>> services_compat: nis
>> protocols: files
>> rpc: files
>>
>> group: files winbind
>> user: files winbind
>>
>> # sockstat -4
>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS     FOREIGN ADDRESS
>> root     winbindd   52698 26 tcp4   10.1.200.98:37794 10.1.200.99:445
>> root     winbindd   52698 28 tcp4   10.1.200.98:37794 10.1.200.99:445
>> root     winbindd   52698 30 tcp4   10.1.200.98:59691 10.1.200.99:389
>> root     winbindd   52698 31 tcp4   10.1.200.98:59026 10.1.200.99:389
>> root     winbindd   52698 32 tcp4   10.1.200.98:49319 10.1.200.99:1024
>> root     smbd       52693 35 tcp4   10.1.200.98:445       *:*
>> root     smbd       52693 36 tcp4   10.1.200.98:139       *:*
>> root     nmbd       52689 16 udp4   10.1.200.98:137       *:*
>> root     nmbd       52689 17 udp4   10.1.200.98:138       *:*
>> root     nmbd       52689 18 udp4   10.1.200.98:137       *:*
>> root     nmbd       52689 19 udp4   10.1.200.98:137       *:*
>> root     nmbd       52689 20 udp4   10.1.200.98:138       *:*
>> root     nmbd       52689 21 udp4   10.1.200.98:138       *:*
>>
>> # wbinfo -i leeb
>> leeb:*:10000:10000:lee:/home/leeb:/bin/sh
>>
>> # kinit leeb at AD.NYINGMA.ORG
>> leeb at AD.NYINGMA.ORG's Password:
>> # klist
>> Credentials cache: FILE:/tmp/krb5cc_0
>>          Principal: leeb at AD.NYINGMA.ORG
>>
>>    Issued                Expires               Principal
>> Jul 10 20:03:32 2015  Jul 11 06:03:32 2015  krbtgt/AD.NYINGMA.ORG at AD.NYINGMA.ORG
>>
>> HOWEVER:
>> # getent passwd
>> does not list the above user
>>
>> The windows side gets an access denied.
>> With a debug level of 1:
>>
>> # tail log.smbd
>> [2015/07/10 20:01:31.573768,  0]
>> ../source3/lib/util_sock.c:455(open_socket_in)
>>    open_socket_in(): socket() call failed: Protocol not supported
>> [2015/07/10 20:01:31.573832,  0]
>> ../source3/smbd/server.c:690(smbd_open_one_socket)
>>    smbd_open_once_socket: open_socket_in: Protocol not supported
>> [2015/07/10 20:01:31.574017,  1]
>> ../source3/printing/printer_list.c:227(printer_list_get_last_refresh)
>>    Failed to fetch record!
>> [2015/07/10 20:01:38.007082,  1]
>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>    Username NYINGMA\leeb is invalid on this system
>> [2015/07/10 20:01:38.007103,  1]
>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>    Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
>>
>>
>> Any clues to where to go next would be very much appreciated.
>>
>> -- lee
>
> Hi, I recently set up a FreeBSD member server to test something and my
> setup was virtually the same as yours; the only real differences I can see
> are that mine worked and I *didn't* use jails.
>
> Rowland

I also just noticed this in nsswitch.conf:

group: files winbind
user: files winbind

'user' should be 'passwd'

Rowland
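As an added check (an example script, not from the thread or from Samba), a small POSIX sh audit that flags the nsswitch.conf slip Rowland points out, run over constructed copies of the posted lines rather than a live member server:

```shell
#!/bin/sh
# Added example, not from the thread: audit an nsswitch.conf for the lookup
# lines a Samba member server needs. nsswitch.conf(5) has no 'user' database,
# so a 'user: files winbind' line is ignored, winbind users never appear in
# getent passwd, and smbd cannot map NYINGMA\leeb to a system user.

# Succeed (0) if database $2 in file $1 lists winbind outside a comment.
has_winbind_db() {
    grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"
}

# Print findings for $1; return 0 only if passwd and group both use winbind.
audit_nsswitch() {
    file=$1
    rc=0
    for db in passwd group; do
        if has_winbind_db "$file" "$db"; then
            echo "ok:   '$db:' consults winbind"
        else
            echo "FAIL: no uncommented '$db:' line with winbind in $file"
            rc=1
        fi
    done
    # The exact slip in the thread: 'user:' is not a database nsswitch knows.
    if grep -Eq '^[[:space:]]*user:' "$file"; then
        echo "FAIL: 'user:' line present; the database is called 'passwd'"
        rc=1
    fi
    return $rc
}

# Constructed sample files: the relevant lines of the member server's
# nsswitch.conf as posted, and the corrected version, in a temp dir so the
# example runs offline without winbindd.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/nsswitch.XXXXXX")
cat > "$demo_dir/broken.conf" <<'EOF'
hosts: files dns
#passwd: compat
group: files winbind
user: files winbind
EOF
sed 's/^user:/passwd:/' "$demo_dir/broken.conf" > "$demo_dir/fixed.conf"

audit_broken() { audit_nsswitch "$demo_dir/broken.conf"; }   # returns 1
audit_fixed()  { audit_nsswitch "$demo_dir/fixed.conf"; }    # returns 0

audit_broken || echo "broken.conf leaves getent passwd without winbind users"
audit_fixed && echo "fixed.conf is what the member server needs"
```

Against a real host, point audit_nsswitch at /etc/nsswitch.conf and then confirm with `getent passwd leeb` that the user winbind already resolves via `wbinfo -i` also comes back through NSS.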



