[Samba] Shares and AD users with winbind

Javier Martí marti_javmon at gva.es
Mon Jun 15 12:27:47 MDT 2015 

Thanks! I have review my configuration and now it works with the 
following config:

[global]

    netbios name = PCSERVER
    workgroup = REALM
    security = ADS
    realm = FQDN
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab


    encrypt passwords = yes

    log level = 3
    log file = /var/log/samba/%m.log

    idmap config *:backend = tdb
    idmap config *:range = 2000-100000

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = no
    winbind enum users  = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    map untrusted to domain = yes




El 15/06/15 a las 18:43, Rowland Penny escribió:
> On 15/06/15 17:17, Javier Martí wrote:
>> Hi!
>>
>> I have a problem with a Samba share, in a Windows 2003 AD Domain, I 
>> am setting up a machine with Ubuntu 14.04 and Samba 4.1.6 into the AD 
>> and I want to make a samba share but I need to use the format 
>> user at fqdn to mount the share in a Windows 7 but I have a no_such_user 
>> error.
>>
>> ¿It is possible to use this format?
>>
>> If I use the format DOMAIN\user it works perfect, ¿can I change the 
>> behavior?
>>
>> My smb.conf:
>>
>> [global]
>>    workgroup = REALM
>>    security = domain
>>    realm = FQDN
>>    encrypt passwords = yes
>>    log level = 3
>>    log file = /var/log/samba/%m.log
>>    idmap config *:backend = rid
>>    idmap config *:range = 5000-100000
>>    winbind allow trusted domains = yes
>>    winbind trusted domains only = no
>>    winbind use default domain = no
>>    winbind enum users  = yes
>>    winbind enum groups = yes
>>    winbind refresh tickets = yes
>>    template shell = /bin/bash
>>    winbind nested groups = yes
>> [smbserver]
>>    comment = smbserver
>>    path = /opt/smbserver
>>    browseable = yes
>>    guest ok = yes
>>    read only = no
>>    valid users = @"domain users at fqdn"
>>
>> And my error in /var/samba/auth/IP.log:
>>
>> /[2015/06/15 18:07:25.091446,  3] 
>> ../source3/auth/auth.c:177(auth_check_ntlm_password)/
>> /  check_ntlm_password:  Checking password for unmapped user 
>> []\[user at fqdn]@[PCSOURCE] with the new password interface/
>> /[2015/06/15 18:07:25.091482,  3] 
>> ../source3/auth/auth.c:180(auth_check_ntlm_password)/
>> /  check_ntlm_password:  mapped user is: 
>> [PCTARGET]\[user at fqdn]@[PCSOURCE]/
>> /[2015/06/15 18:07:25.091568,  3] 
>> ../source3/auth/check_samsec.c:399(check_sam_security)/
>> /  check_sam_security: Couldn't find user 'user at fqdn' in passdb./
>> /[2015/06/15 18:07:25.091610,  3] 
>> ../source3/auth/auth_winbind.c:60(check_winbind_security)/
>> /  check_winbind_security: Not using winbind, requested domain 
>> [PCTARGET] was for this SAM./
>> /[2015/06/15 18:07:25.091642,  2] 
>> ../source3/auth/auth.c:288(auth_check_ntlm_password)/
>> /  check_ntlm_password:  Authentication for user [user at fqdn] -> 
>> [user at fqdn] FAILED with error NT_STATUS_NO_SUCH_USER/
>> /[2015/06/15 18:07:25.091687,  2] 
>> ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)/
>> /  SPNEGO login failed: NT_STATUS_NO_SUCH_USER/
>> /[2015/06/15 18:07:25.092851,  3] 
>> ../source3/smbd/server_exit.c:212(exit_server_common)/
>> /  Server exit (NT_STATUS_CONNECTION_RESET)/
>>
>> But, if I use DOMAIN\user:
>>
>> /[2015/06/15 18:12:38.262123,  3] 
>> ../source3/auth/auth.c:177(auth_check_ntlm_password)//
>> //  check_ntlm_password:  Checking password for unmapped user 
>> [DOMAIN]\[user]@[PCSOURCE] with the new password interface//
>> //[2015/06/15 18:12:38.262199,  3] 
>> ../source3/auth/auth.c:180(auth_check_ntlm_password)//
>> //  check_ntlm_password:  mapped user is: [DOMAIN]\[user]@[PCSOURCE]//
>> //[2015/06/15 18:12:38.372607,  3] 
>> ../source3/auth/auth.c:226(auth_check_ntlm_password)//
>> //  check_ntlm_password: winbind authentication for user [user] 
>> succeeded//
>> //[2015/06/15 18:12:38.372708,  2] 
>> ../source3/auth/auth.c:278(auth_check_ntlm_password)//
>> //  check_ntlm_password:  authentication for user [user] -> [user] -> 
>> [DOMAIN\user] succeeded//
>> //[2015/06/15 18:12:38.372774,  3] 
>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)//
>> //  NTLMSSP Sign/Seal - Initialising with flags://
>> //[2015/06/15 18:12:38.372811,  3] 
>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)//
>> //  Got NTLMSSP neg_flags=0xe2088215//
>> //[2015/06/15 18:12:38.375181,  3] 
>> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)//
>> //  pdb_create_builtin_alias: Could not get a gid out of winbind//
>> //[2015/06/15 18:12:38.375250,  2] 
>> ../source3/auth/token_util.c:456(finalize_local_nt_token)//
>> //  WARNING: Failed to create BUILTIN\Administrators group! Can 
>> Winbind allocate gids?//
>> //[2015/06/15 18:12:38.376633,  3] 
>> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)//
>> //  pdb_create_builtin_alias: Could not get a gid out of winbind//
>> //[2015/06/15 18:12:38.376700,  2] 
>> ../source3/auth/token_util.c:480(finalize_local_nt_token)//
>> //  WARNING: Failed to create BUILTIN\Users group! Can Winbind 
>> allocate gids?//
>> //[2015/06/15 18:12:38.377999,  3] 
>> ../source3/smbd/password.c:144(register_homes_share)//
>> //  Adding homes service for user 'DOMAIN\user' using home directory: 
>> '/home/DOMAIN/user'/
>>
>> ¿Something for investigate?
>>
>> Thank you all in advance
>>
>
> You don't seem to have set up samba correctly, have a look here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
>

More information about the samba mailing list