[Samba] Shares and AD users with winbind
Rowland Penny
rowlandpenny at googlemail.com
Mon Jun 15 10:43:55 MDT 2015
On 15/06/15 17:17, Javier Martí wrote:
> Hi!
>
> I have a problem with a Samba share. In a Windows 2003 AD domain, I am
> setting up a machine with Ubuntu 14.04 and Samba 4.1.6 in the AD, and
> I want to make a Samba share, but I need to use the format user@fqdn to
> mount the share in Windows 7, and I get a no_such_user error.
>
> Is it possible to use this format?
>
> If I use the format DOMAIN\user it works perfectly. Can I change the
> behavior?
>
> My smb.conf:
>
> [global]
> workgroup = REALM
> security = domain
> realm = FQDN
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m.log
> idmap config *:backend = rid
> idmap config *:range = 5000-100000
> winbind allow trusted domains = yes
> winbind trusted domains only = no
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> template shell = /bin/bash
> winbind nested groups = yes
> [smbserver]
> comment = smbserver
> path = /opt/smbserver
> browseable = yes
> guest ok = yes
> read only = no
> valid users = @"domain users@fqdn"
>
> And my error in /var/samba/auth/IP.log:
>
> [2015/06/15 18:07:25.091446, 3]
> ../source3/auth/auth.c:177(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> []\[user@fqdn]@[PCSOURCE] with the new password interface
> [2015/06/15 18:07:25.091482, 3]
> ../source3/auth/auth.c:180(auth_check_ntlm_password)
> check_ntlm_password: mapped user is:
> [PCTARGET]\[user@fqdn]@[PCSOURCE]
> [2015/06/15 18:07:25.091568, 3]
> ../source3/auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'user@fqdn' in passdb.
> [2015/06/15 18:07:25.091610, 3]
> ../source3/auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
> [PCTARGET] was for this SAM.
> [2015/06/15 18:07:25.091642, 2]
> ../source3/auth/auth.c:288(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [user@fqdn] ->
> [user@fqdn] FAILED with error NT_STATUS_NO_SUCH_USER
> [2015/06/15 18:07:25.091687, 2]
> ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2015/06/15 18:07:25.092851, 3]
> ../source3/smbd/server_exit.c:212(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> But, if I use DOMAIN\user:
>
> [2015/06/15 18:12:38.262123, 3]
> ../source3/auth/auth.c:177(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [DOMAIN]\[user]@[PCSOURCE] with the new password interface
> [2015/06/15 18:12:38.262199, 3]
> ../source3/auth/auth.c:180(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [DOMAIN]\[user]@[PCSOURCE]
> [2015/06/15 18:12:38.372607, 3]
> ../source3/auth/auth.c:226(auth_check_ntlm_password)
> check_ntlm_password: winbind authentication for user [user]
> succeeded
> [2015/06/15 18:12:38.372708, 2]
> ../source3/auth/auth.c:278(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [user] -> [user] ->
> [DOMAIN\user] succeeded
> [2015/06/15 18:12:38.372774, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2015/06/15 18:12:38.372811, 3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088215
> [2015/06/15 18:12:38.375181, 3]
> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> [2015/06/15 18:12:38.375250, 2]
> ../source3/auth/token_util.c:456(finalize_local_nt_token)
> WARNING: Failed to create BUILTIN\Administrators group! Can
> Winbind allocate gids?
> [2015/06/15 18:12:38.376633, 3]
> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)
> pdb_create_builtin_alias: Could not get a gid out of winbind
> [2015/06/15 18:12:38.376700, 2]
> ../source3/auth/token_util.c:480(finalize_local_nt_token)
> WARNING: Failed to create BUILTIN\Users group! Can Winbind
> allocate gids?
> [2015/06/15 18:12:38.377999, 3]
> ../source3/smbd/password.c:144(register_homes_share)
> Adding homes service for user 'DOMAIN\user' using home directory:
> '/home/DOMAIN/user'
>
> Is there something to investigate?
>
> Thank you all in advance
>
You don't seem to have set up samba correctly, have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Rowland
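
Added example, not part of the original thread: a small parser for the level-3 smbd auth messages quoted above that reports, per logon attempt, which domain the client sent, which domain smbd mapped it to, and whether an "@"-style name was checked against the local SAM instead of winbind. The log text and the names in it (alice, example.test, EXAMPLE) are constructed; the archive may display the "@" inside such names as " at ".

```python
import re

# [DOMAIN]\[user]@[WORKSTATION], as printed by the auth.c messages in the thread
TRIPLE = r"\[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
UNMAPPED = re.compile(r"Checking password for unmapped user\s+" + TRIPLE)
MAPPED = re.compile(r"mapped user is:\s+" + TRIPLE)
LOCAL_SAM = re.compile(r"Not using winbind, requested domain \[([^\]]*)\] was for this SAM")
FAILED = re.compile(r"FAILED with error (NT_STATUS_\w+)")

# Constructed sample in the same layout as the quoted logs (names are made up).
SAMPLE_LOG = r"""
[2015/06/15 18:07:25.091446,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
  []\[alice@example.test]@[PCSOURCE] with the new password interface
[2015/06/15 18:07:25.091482,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [PCTARGET]\[alice@example.test]@[PCSOURCE]
[2015/06/15 18:07:25.091610,  3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [PCTARGET] was for this SAM.
[2015/06/15 18:07:25.091642,  2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice@example.test] -> [alice@example.test] FAILED with error NT_STATUS_NO_SUCH_USER
[2015/06/15 18:12:38.262123,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [EXAMPLE]\[alice]@[PCSOURCE] with the new password interface
[2015/06/15 18:12:38.262199,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [EXAMPLE]\[alice]@[PCSOURCE]
[2015/06/15 18:12:38.372607,  3] ../source3/auth/auth.c:226(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [alice] succeeded
"""

def summarize(log_text):
    """Return one dict per NTLM auth attempt found in a level-3 smbd log."""
    flat = " ".join(log_text.split())  # undo line wrapping
    starts = [m.start() for m in UNMAPPED.finditer(flat)] + [len(flat)]
    attempts = []
    for begin, end in zip(starts, starts[1:]):
        chunk = flat[begin:end]
        sent, mapped = UNMAPPED.search(chunk), MAPPED.search(chunk)
        failed, local = FAILED.search(chunk), LOCAL_SAM.search(chunk)
        attempts.append({
            "sent": (sent["dom"], sent["user"]),
            "mapped_domain": mapped["dom"] if mapped else None,
            "status": failed[1] if failed else ("OK" if "succeeded" in chunk else "UNKNOWN"),
            # Client sent no domain plus an '@' name, and smbd kept it in its own SAM
            "upn_checked_locally": bool(local) and sent["dom"] == "" and "@" in sent["user"],
        })
    return attempts

if __name__ == "__main__":
    for attempt in summarize(SAMPLE_LOG):
        print(attempt)
```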