[Samba] Problem with Samba 4.2/FreeBSD10.1

Lee Brown leeb at ratnaling.org
Sun Jul 12 19:55:46 UTC 2015


On Sat, Jul 11, 2015 at 3:01 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 11/07/15 10:16, Rowland Penny wrote:
>
>> On 11/07/15 04:06, Lee Brown wrote:
>>
>>> Hi Everyone, my first foray into Samba and AD both.
>>>
>>> Not sure if this is an OS or configuration problem.  I've found similar
>>> issues, but nothing either recent enough (is related to samba 3) or close
>>> enough.
>>>
>>> FreeBSD-10.1-RELENG, Samba 4.2.2.
>>>
>>> I have the domain provisioned as rfc2307
>>> I have joined a Win7-virtual machine to the domain
>>> I have created a new user with ADUC
>>> I have assigned 10000 to the Domain Users GID
>>> I have assigned 10000 to the new user
>>> I have logged in with the new user
>>> I have joined a member server to the domain
>>> I cannot access anything from the member server; it would appear it doesn't
>>> recognize any of the users.
>>>
>>> Both the DC and MS are jailed.
>>>
>>> ***Domain controller***
>>> 10.1.200.99/32
>>>
>>> #cat /etc/resolv.conf
>>> nameserver 10.1.200.99
>>> search ad.nyingma.org
>>>
>>> #hostname
>>> dc1.ad.nyingma.org
>>>
>>> # cat /etc/krb5.conf
>>> [libdefaults]
>>>          default_realm = AD.NYINGMA.ORG
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>>
>>> #cat /usr/local/etc/smb4.conf
>>> [global]
>>>          workgroup = NYINGMA
>>>          realm = AD.NYINGMA.ORG
>>>          netbios name = DC1
>>>          interfaces = 10.1.200.99
>>>          bind interfaces only = Yes
>>>          server role = active directory domain controller
>>>          dns forwarder = 10.1.200.1
>>>          idmap_ldb:use rfc2307 = yes
>>>          disable netbios = yes
>>>          nsupdate command = /usr/local/bin/samba-nsupdate -g
>>>
>>> [netlogon]
>>>          path = /var/db/samba4/sysvol/ad.nyingma.org/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /var/db/samba4/sysvol
>>>          read only = No
>>>
>>> ***Member Server***
>>> 10.1.200.98/32
>>>
>>> # cat /etc/resolv.conf
>>> nameserver 10.1.200.99
>>> search ad.nyingma.org
>>>
>>> # cat /usr/local/etc/smb4.conf
>>> [global]
>>>    netbios name = MS1
>>>    workgroup = NYINGMA
>>>    security = ADS
>>>    realm = AD.NYINGMA.ORG
>>>    dedicated keytab file = /etc/krb5.keytab
>>>    kerberos method = secrets and keytab
>>>
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 2000-9999
>>>    idmap config NYINGMA:backend = ad
>>>    idmap config NYINGMA:schema_mode = rfc2307
>>>    idmap config NYINGMA:range = 10000-99999
>>>
>>>    winbind nss info = rfc2307
>>>    winbind trusted domains only = no
>>>    winbind use default domain = yes
>>>    winbind enum users  = yes
>>>    winbind enum groups = yes
>>>    winbind refresh tickets = Yes
>>>
>>>    log level = 10
>>>
>>> [demoshare]
>>>    path = /srv/samba/test
>>>    read only = no
>>>
>>> # wbinfo -u
>>> administrator
>>> krbtgt
>>> guest
>>> leeb
>>>
>>> # cat /etc/nsswitch.conf
>>> #
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: releng/10.1/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
>>> #
>>> #group: compat
>>> #group_compat: nis
>>> hosts: files dns
>>> networks: files
>>> #passwd: compat
>>> #passwd_compat: nis
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>>
>>> group: files winbind
>>> user: files winbind
>>>
>>> # sockstat -4
>>> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
>>> root     winbindd   52698 26 tcp4   10.1.200.98:37794 10.1.200.99:445
>>> root     winbindd   52698 28 tcp4   10.1.200.98:37794 10.1.200.99:445
>>> root     winbindd   52698 30 tcp4   10.1.200.98:59691 10.1.200.99:389
>>> root     winbindd   52698 31 tcp4   10.1.200.98:59026 10.1.200.99:389
>>> root     winbindd   52698 32 tcp4   10.1.200.98:49319 10.1.200.99:1024
>>> root     smbd       52693 35 tcp4   10.1.200.98:445       *:*
>>> root     smbd       52693 36 tcp4   10.1.200.98:139       *:*
>>> root     nmbd       52689 16 udp4   10.1.200.98:137       *:*
>>> root     nmbd       52689 17 udp4   10.1.200.98:138       *:*
>>> root     nmbd       52689 18 udp4   10.1.200.98:137       *:*
>>> root     nmbd       52689 19 udp4   10.1.200.98:137       *:*
>>> root     nmbd       52689 20 udp4   10.1.200.98:138       *:*
>>> root     nmbd       52689 21 udp4   10.1.200.98:138       *:*
>>>
>>> # wbinfo -i leeb
>>> leeb:*:10000:10000:lee:/home/leeb:/bin/sh
>>>
>>> # kinit leeb at AD.NYINGMA.ORG
>>> leeb at AD.NYINGMA.ORG's Password:
>>> # klist
>>> Credentials cache: FILE:/tmp/krb5cc_0
>>>          Principal: leeb at AD.NYINGMA.ORG
>>>
>>>    Issued                Expires               Principal
>>> Jul 10 20:03:32 2015  Jul 11 06:03:32 2015  krbtgt/AD.NYINGMA.ORG at AD.NYINGMA.ORG
>>>
>>> HOWEVER:
>>> # getent passwd
>>> does not list the above user
>>>
>>> The windows side gets an access denied.
>>> With a debug level of 1:
>>>
>>> # tail log.smbd
>>> [2015/07/10 20:01:31.573768,  0]
>>> ../source3/lib/util_sock.c:455(open_socket_in)
>>>    open_socket_in(): socket() call failed: Protocol not supported
>>> [2015/07/10 20:01:31.573832,  0]
>>> ../source3/smbd/server.c:690(smbd_open_one_socket)
>>>    smbd_open_once_socket: open_socket_in: Protocol not supported
>>> [2015/07/10 20:01:31.574017,  1]
>>> ../source3/printing/printer_list.c:227(printer_list_get_last_refresh)
>>>    Failed to fetch record!
>>> [2015/07/10 20:01:38.007082,  1]
>>> ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
>>>    Username NYINGMA\leeb is invalid on this system
>>> [2015/07/10 20:01:38.007103,  1]
>>> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>>>    Failed to map kerberos principal to system user
>>> (NT_STATUS_LOGON_FAILURE)
>>>
>>>
>>> Any clues to where to go next would be very much appreciated.
>>>
>>> -- lee
>>>
>>
>> Hi, I recently set up a FreeBSD member server to test something and my
>> setup was virtually the same as yours; the only real differences I can see are
>> that mine worked and I *didn't* use jails.
>>
>> Rowland
>>
>
> I also just noticed this in nsswitch.conf:
>
> group: files winbind
> user: files winbind
>
> 'user' should be 'passwd'
>

For the record, this was the problem.  After I fixed the rather obvious
typo, all worked as expected.
So this is a jailed DC, jailed MS operating nicely with FreeBSD 10.1.
My jails are very simple.  I untar the distribution base.txz into the jail
directory and use the following jail.conf entries:

samba42-ad-dc1 {
    path = "/usr/local/Jail-Samba42-AD-DC1";
    host.hostname = "dc1.ad.nyingma.org";
    ip4.addr = 10.1.200.99;
    persist = "true";
    mount.devfs = "true";
}
samba42-ad-ms1 {
    path = "/usr/local/Jail-Samba42-AD-MS1";
    host.hostname = "ms1.ad.nyingma.org";
    ip4.addr = 10.1.200.98;
    persist = "true";
    mount.devfs = "true";
}

There are 20 processes running in the DC jail and 8 in the MS jail.
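
As an added example (not code from the thread or from Samba), here is a small POSIX sh lint that catches Rowland's find mechanically: it rejects an nsswitch.conf whose passwd: or group: line does not consult winbind and flags the nonexistent 'user:' database. It is run against constructed copies of the posted file and the corrected one.

```shell
#!/bin/sh
# Added example, not code from the thread: lint nsswitch.conf for the mistake
# Rowland spotted ('user:' instead of 'passwd:'). That typo leaves winbind
# users visible to wbinfo but absent from getent passwd, so smbd logs
# "Username NYINGMA\leeb is invalid on this system" on every access.
# Returns 0 when both passwd: and group: consult winbind, 1 otherwise.
nsswitch_check() {
    file="$1"
    rc=0
    # Drop comments and blank lines; what remains are active database lines.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file")

    # 'user' is not a database known to nsswitch.conf(5): the line is ignored,
    # so passwd lookups silently fall back to the default (files only).
    if printf '%s\n' "$active" | grep -q '^[[:space:]]*user:'; then
        echo "error: unknown database 'user:' (did you mean 'passwd:'?)" >&2
        rc=1
    fi

    for db in passwd group; do
        line=$(printf '%s\n' "$active" | grep "^[[:space:]]*$db:" | head -n 1)
        if [ -z "$line" ]; then
            echo "error: no '$db:' entry, so $db lookups never reach winbind" >&2
            rc=1
        elif ! printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])winbind([[:space:]]|$)'; then
            echo "error: '$db:' does not list winbind: $line" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed samples: the member server's file as posted, and the corrected one.
BROKEN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat > "$BROKEN" <<'EOF'
hosts: files dns
group: files winbind
user: files winbind
EOF
cat > "$FIXED" <<'EOF'
hosts: files dns
group: files winbind
passwd: files winbind
EOF

nsswitch_check "$BROKEN" || echo "posted nsswitch.conf rejected"
nsswitch_check "$FIXED" && echo "corrected nsswitch.conf accepted"
```

On a live member server the same fault shows up as `wbinfo -i leeb` succeeding while `getent passwd leeb` returns nothing; once `passwd:` lists winbind the two agree.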

