[Samba] why does add_local_groups come up in only one system's logs?

francis picabia fpicabia at gmail.com
Mon Aug 8 13:24:03 UTC 2016


I have a couple of Debian 8.5 systems set up in a similar manner.  Samba is
version 4.2.10-Debian.

Here is the essential config...

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = MYDOM
        realm = AD.MYDOM.CA
        server string = debian2 Server
        security = ADS
        log file = /var/log/samba/%m.log
        max log size = 50
        unix extensions = No
        load printers = No
        printcap name = /dev/null
        disable spoolss = Yes
        dns proxy = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config * : range = 1000-1999999
        idmap config * : backend = tdb
        nt acl support = No
        printing = bsd


[homes]
        comment = Home Directories
        path = %H
        valid users = %U at mydom
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
        wide links = Yes

/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
configuration on both systems.  The first one allows a connection
to the homes.  Here is a tail on the log file:

[2016/08/08 09:42:49.956619,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN1] with the new password interface
[2016/08/08 09:42:49.956656,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MYDOM]\[username]@[DEBIAN1]
[2016/08/08 09:42:49.961548,  3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:42:49.961610,  2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:42:49.961671,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961699,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961772,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337,  3]
../source3/param/loadparm.c:1427(lp_add_home)
  adding home's share [username] for user 'username' at '%H'

The second server fails with the add_local_groups and getpwuid:

[2016/08/08 09:53:55.146840,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN2] with the new password interface
[2016/08/08 09:53:55.146867,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MYDOM]\[username]@[DEBIAN2]
[2016/08/08 09:53:55.150852,  3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:53:55.150902,  2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:53:55.150960,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.150978,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.151036,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 09:53:55.151348,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token


I am so far unable to find why the getpwuid for add_local_groups matters,
or why only one system even mentions it in the logfile trace.  The default
group ID is listed in /etc/group for the user and the home directory with
ls -ld looks fine with 700 chmod for the home directory in both servers.

