[Samba] why does add_local_groups come up in only one system's logs?

Rowland Penny rpenny at samba.org
Mon Aug 8 13:54:46 UTC 2016


On Mon, 8 Aug 2016 10:24:03 -0300
francis picabia <fpicabia at gmail.com> wrote:

> I have a couple of Debian 8.5 systems set up in a similar manner.
> Samba is version 4.2.10-Debian
> 
> Here is the essential config...
> 
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> 
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>         workgroup = MYDOM
>         realm = AD.MYDOM.CA
>         server string = debian2 Server
>         security = ADS
>         log file = /var/log/samba/%m.log
>         max log size = 50
>         unix extensions = No
>         load printers = No
>         printcap name = /dev/null
>         disable spoolss = Yes
>         dns proxy = No
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         idmap config * : range = 1000-1999999
>         idmap config * : backend = tdb
>         nt acl support = No
>         printing = bsd
> 
> 
> [homes]
>         comment = Home Directories
>         path = %H
>         valid users = %U at mydom
>         read only = No
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         wide links = Yes
> 
> /etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
> configuration on both systems.  The first one allows a connection
> to the homes.  Here is a tail on the log file:
> 
> [2016/08/08 09:42:49.956619,  3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [MYDOM]\[username]@[DEBIAN1] with the new password interface
> [2016/08/08 09:42:49.956656,  3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [MYDOM]\[username]@[DEBIAN1]
> [2016/08/08 09:42:49.961548,  3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [username]
> succeeded
> [2016/08/08 09:42:49.961610,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [username] ->
> [username] -> [username] succeeded
> [2016/08/08 09:42:49.961671,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:42:49.961699,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:42:49.961748,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:42:49.961772,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:42:50.271337,  3]
> ../source3/param/loadparm.c:1427(lp_add_home)
>   adding home's share [username] for user 'username' at '%H'
> 
> The second server fails with the add_local_groups and getpwuid:
> 
> [2016/08/08 09:53:55.146840,  3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [MYDOM]\[username]@[DEBIAN2] with the new password interface
> [2016/08/08 09:53:55.146867,  3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [MYDOM]\[username]@[DEBIAN2]
> [2016/08/08 09:53:55.150852,  3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [username]
> succeeded
> [2016/08/08 09:53:55.150902,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [username] ->
> [username] -> [username] succeeded
> [2016/08/08 09:53:55.150960,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:53:55.150978,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:53:55.151024,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:53:55.151036,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:53:55.151321,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-82194667-1315141139-1877560073-12331 ->
> getpwuid(16777216) failed
> [2016/08/08 09:53:55.151348,  3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> 
> 
> I am so far unable to find why the getpwuid for add_local_groups
> matters, or why only one system even mentions it in the logfile
> trace.  The default group ID is listed in /etc/group for the user and
> the home directory with ls -ld looks fine with 700 chmod
> for the home directory in both servers.

Are you using sssd?
If not, where are you storing the users & groups?

Rowland
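
An added example, not part of the original thread and not Samba code: a small Python check that rejoins the mail-wrapped log records quoted above and tests whether the UID in each `getpwuid(...) failed` line falls inside any `idmap config ... : range` from smb.conf. The function names are illustrative, and the sample config and log are constructed from the values quoted in the thread.

```python
import re

# Constructed sample input, built from the values quoted in this thread.
SMB_CONF = """
[global]
        idmap config * : range = 1000-1999999
"""
LOG = """
[2016/08/08 09:53:55.151321,  1]
../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-82194667-1315141139-1877560073-12331 ->
getpwuid(16777216) failed
[2016/08/08 09:53:55.151348,  3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]")
FAIL_RE = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m[1]: (int(m[2]), int(m[3])) for m in RANGE_RE.finditer(conf)}

def log_records(log):
    """Rejoin wrapped log text into one string per record, split on timestamp headers."""
    records, cur = [], []
    for line in log.splitlines():
        if HEADER_RE.match(line) and cur:
            records.append(" ".join(cur))
            cur = []
        if line.strip():
            cur.append(line.strip())
    return records + ([" ".join(cur)] if cur else [])

def unmapped_uids(conf, log):
    """List (timestamp, sid, uid, covering_domains) for each getpwuid failure."""
    ranges, out = idmap_ranges(conf), []
    for rec in log_records(log):
        m = FAIL_RE.search(rec)
        if m:
            uid = int(m[2])
            hits = [d for d, (lo, hi) in ranges.items() if lo <= uid <= hi]
            out.append((HEADER_RE.match(rec)[1], m[1], uid, hits))
    return out

print(unmapped_uids(SMB_CONF, LOG))
```

On the thread's values this reports UID 16777216 with an empty list of covering idmap domains, since the only configured range is 1000-1999999.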


