[Samba] Shares and AD users with winbind

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 15 10:43:55 MDT 2015


On 15/06/15 17:17, Javier Martí wrote:
> Hi!
>
> I have a problem with a Samba share. In a Windows 2003 AD domain, I am
> setting up a machine with Ubuntu 14.04 and Samba 4.1.6 into the AD and
> I want to make a Samba share, but I need to use the format user at fqdn to
> mount the share in Windows 7 and I get a no_such_user error.
>
> Is it possible to use this format?
>
> If I use the format DOMAIN\user it works perfectly. Can I change the
> behavior?
>
> My smb.conf:
>
> [global]
>    workgroup = REALM
>    security = domain
>    realm = FQDN
>    encrypt passwords = yes
>    log level = 3
>    log file = /var/log/samba/%m.log
>    idmap config *:backend = rid
>    idmap config *:range = 5000-100000
>    winbind allow trusted domains = yes
>    winbind trusted domains only = no
>    winbind use default domain = no
>    winbind enum users  = yes
>    winbind enum groups = yes
>    winbind refresh tickets = yes
>    template shell = /bin/bash
>    winbind nested groups = yes
> [smbserver]
>    comment = smbserver
>    path = /opt/smbserver
>    browseable = yes
>    guest ok = yes
>    read only = no
>    valid users = @"domain users at fqdn"
>
> And my error in /var/samba/auth/IP.log:
>
> [2015/06/15 18:07:25.091446,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user []\[user at fqdn]@[PCSOURCE] with the new password interface
> [2015/06/15 18:07:25.091482,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [PCTARGET]\[user at fqdn]@[PCSOURCE]
> [2015/06/15 18:07:25.091568,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'user at fqdn' in passdb.
> [2015/06/15 18:07:25.091610,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
>   check_winbind_security: Not using winbind, requested domain [PCTARGET] was for this SAM.
> [2015/06/15 18:07:25.091642,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [user at fqdn] -> [user at fqdn] FAILED with error NT_STATUS_NO_SUCH_USER
> [2015/06/15 18:07:25.091687,  2] ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2015/06/15 18:07:25.092851,  3] ../source3/smbd/server_exit.c:212(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
>
> But, if I use DOMAIN\user:
>
> [2015/06/15 18:12:38.262123,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[user]@[PCSOURCE] with the new password interface
> [2015/06/15 18:12:38.262199,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [DOMAIN]\[user]@[PCSOURCE]
> [2015/06/15 18:12:38.372607,  3] ../source3/auth/auth.c:226(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [user] succeeded
> [2015/06/15 18:12:38.372708,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [user] -> [user] -> [DOMAIN\user] succeeded
> [2015/06/15 18:12:38.372774,  3] ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2015/06/15 18:12:38.372811,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088215
> [2015/06/15 18:12:38.375181,  3] ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2015/06/15 18:12:38.375250,  2] ../source3/auth/token_util.c:456(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?
> [2015/06/15 18:12:38.376633,  3] ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)
>   pdb_create_builtin_alias: Could not get a gid out of winbind
> [2015/06/15 18:12:38.376700,  2] ../source3/auth/token_util.c:480(finalize_local_nt_token)
>   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
> [2015/06/15 18:12:38.377999,  3] ../source3/smbd/password.c:144(register_homes_share)
>   Adding homes service for user 'DOMAIN\user' using home directory: '/home/DOMAIN/user'
>
> Something to investigate?
>
> Thank you all in advance
>

You don't seem to have set up Samba correctly; have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
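
A small triage script for the two log excerpts in the question, added here as an example and not part of the original thread: it pairs each "mapped user is" line with the backend that handled the logon and the final status, which makes it visible that the user@fqdn logon was mapped to the server's own name and never reached winbind. The log text is constructed in the layout quoted above (the list archive renders "@" inside names as " at "); the domain, user and host names are made up.

```python
import re

# Constructed sample in the level-3 smbd log layout quoted above (header line,
# then an indented message line); all names and hosts are made up.
SAMPLE_LOG = r"""[2015/06/15 18:07:25.091482,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILESRV]\[alice@example.test]@[WS1]
[2015/06/15 18:07:25.091568,  3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'alice@example.test' in passdb.
[2015/06/15 18:07:25.091610,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILESRV] was for this SAM.
[2015/06/15 18:07:25.091642,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice@example.test] -> [alice@example.test] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/06/15 18:12:38.262199,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [EXAMPLE]\[alice]@[WS1]
[2015/06/15 18:12:38.372607,  3] ../source3/auth/auth.c:226(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [alice] succeeded
[2015/06/15 18:12:38.372708,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [EXAMPLE\alice] succeeded
"""

MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
RESULT = re.compile(r"[Aa]uthentication for user \[[^\]]*\].*?(succeeded|FAILED with error (\w+))")

def summarize(log_text):
    """Return one dict per logon attempt: mapped domain/user, backend, outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if line.startswith("["):
            continue                      # timestamp/source header; message follows
        msg = line.strip()
        m = MAPPED.search(msg)
        if m:                             # each attempt starts at its mapping line
            cur = {"domain": m.group(1), "user": m.group(2), "client": m.group(3),
                   "backend": None, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif "Not using winbind" in msg:
            cur["backend"] = "local SAM only"
        elif "winbind authentication for user" in msg:
            cur["backend"] = "winbind"
        else:
            r = RESULT.search(msg)
            if r:
                cur["status"] = r.group(2) or "OK"
    return attempts

def upn_sent_to_local_sam(attempts):
    """Attempts where a user@realm name was checked only against the local SAM."""
    return [a for a in attempts if "@" in a["user"] and a["backend"] == "local SAM only"]
```
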


