[Samba] Shares and AD users with winbind
Javier Martí
marti_javmon at gva.es
Mon Jun 15 12:27:47 MDT 2015
Thanks! I have review my configuration and now it works with the
following config:
[global]
netbios name = PCSERVER
workgroup = REALM
security = ADS
realm = FQDN
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m.log
idmap config *:backend = tdb
idmap config *:range = 2000-100000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
map untrusted to domain = yes
El 15/06/15 a las 18:43, Rowland Penny escribió:
> On 15/06/15 17:17, Javier Martí wrote:
>> Hi!
>>
>> I have a problem with a Samba share, in a Windows 2003 AD Domain, I
>> am setting up a machine with Ubuntu 14.04 and Samba 4.1.6 into the AD
>> and I want to make a samba share but I need to use the format
>> user at fqdn to mount the share in a Windows 7 but I have a no_such_user
>> error.
>>
>> ¿It is possible to use this format?
>>
>> If I use the format DOMAIN\user it works perfect, ¿can I change the
>> behavior?
>>
>> My smb.conf:
>>
>> [global]
>> workgroup = REALM
>> security = domain
>> realm = FQDN
>> encrypt passwords = yes
>> log level = 3
>> log file = /var/log/samba/%m.log
>> idmap config *:backend = rid
>> idmap config *:range = 5000-100000
>> winbind allow trusted domains = yes
>> winbind trusted domains only = no
>> winbind use default domain = no
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>> template shell = /bin/bash
>> winbind nested groups = yes
>> [smbserver]
>> comment = smbserver
>> path = /opt/smbserver
>> browseable = yes
>> guest ok = yes
>> read only = no
>> valid users = @"domain users at fqdn"
>>
>> And my error in /var/samba/auth/IP.log:
>>
>> /[2015/06/15 18:07:25.091446, 3]
>> ../source3/auth/auth.c:177(auth_check_ntlm_password)/
>> / check_ntlm_password: Checking password for unmapped user
>> []\[user at fqdn]@[PCSOURCE] with the new password interface/
>> /[2015/06/15 18:07:25.091482, 3]
>> ../source3/auth/auth.c:180(auth_check_ntlm_password)/
>> / check_ntlm_password: mapped user is:
>> [PCTARGET]\[user at fqdn]@[PCSOURCE]/
>> /[2015/06/15 18:07:25.091568, 3]
>> ../source3/auth/check_samsec.c:399(check_sam_security)/
>> / check_sam_security: Couldn't find user 'user at fqdn' in passdb./
>> /[2015/06/15 18:07:25.091610, 3]
>> ../source3/auth/auth_winbind.c:60(check_winbind_security)/
>> / check_winbind_security: Not using winbind, requested domain
>> [PCTARGET] was for this SAM./
>> /[2015/06/15 18:07:25.091642, 2]
>> ../source3/auth/auth.c:288(auth_check_ntlm_password)/
>> / check_ntlm_password: Authentication for user [user at fqdn] ->
>> [user at fqdn] FAILED with error NT_STATUS_NO_SUCH_USER/
>> /[2015/06/15 18:07:25.091687, 2]
>> ../auth/gensec/spnego.c:743(gensec_spnego_server_negTokenTarg)/
>> / SPNEGO login failed: NT_STATUS_NO_SUCH_USER/
>> /[2015/06/15 18:07:25.092851, 3]
>> ../source3/smbd/server_exit.c:212(exit_server_common)/
>> / Server exit (NT_STATUS_CONNECTION_RESET)/
>>
>> But, if I use DOMAIN\user:
>>
>> /[2015/06/15 18:12:38.262123, 3]
>> ../source3/auth/auth.c:177(auth_check_ntlm_password)//
>> // check_ntlm_password: Checking password for unmapped user
>> [DOMAIN]\[user]@[PCSOURCE] with the new password interface//
>> //[2015/06/15 18:12:38.262199, 3]
>> ../source3/auth/auth.c:180(auth_check_ntlm_password)//
>> // check_ntlm_password: mapped user is: [DOMAIN]\[user]@[PCSOURCE]//
>> //[2015/06/15 18:12:38.372607, 3]
>> ../source3/auth/auth.c:226(auth_check_ntlm_password)//
>> // check_ntlm_password: winbind authentication for user [user]
>> succeeded//
>> //[2015/06/15 18:12:38.372708, 2]
>> ../source3/auth/auth.c:278(auth_check_ntlm_password)//
>> // check_ntlm_password: authentication for user [user] -> [user] ->
>> [DOMAIN\user] succeeded//
>> //[2015/06/15 18:12:38.372774, 3]
>> ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)//
>> // NTLMSSP Sign/Seal - Initialising with flags://
>> //[2015/06/15 18:12:38.372811, 3]
>> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)//
>> // Got NTLMSSP neg_flags=0xe2088215//
>> //[2015/06/15 18:12:38.375181, 3]
>> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)//
>> // pdb_create_builtin_alias: Could not get a gid out of winbind//
>> //[2015/06/15 18:12:38.375250, 2]
>> ../source3/auth/token_util.c:456(finalize_local_nt_token)//
>> // WARNING: Failed to create BUILTIN\Administrators group! Can
>> Winbind allocate gids?//
>> //[2015/06/15 18:12:38.376633, 3]
>> ../source3/groupdb/mapping.c:830(pdb_create_builtin_alias)//
>> // pdb_create_builtin_alias: Could not get a gid out of winbind//
>> //[2015/06/15 18:12:38.376700, 2]
>> ../source3/auth/token_util.c:480(finalize_local_nt_token)//
>> // WARNING: Failed to create BUILTIN\Users group! Can Winbind
>> allocate gids?//
>> //[2015/06/15 18:12:38.377999, 3]
>> ../source3/smbd/password.c:144(register_homes_share)//
>> // Adding homes service for user 'DOMAIN\user' using home directory:
>> '/home/DOMAIN/user'/
>>
>> ¿Something for investigate?
>>
>> Thank you all in advance
>>
>
> You don't seem to have set up samba correctly, have a look here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
>
More information about the samba
mailing list