[Samba] why does add_local_groups come up in only one system's logs?
Rowland Penny
rpenny at samba.org
Mon Aug 8 13:54:46 UTC 2016
On Mon, 8 Aug 2016 10:24:03 -0300
francis picabia <fpicabia at gmail.com> wrote:
> I have a couple of Debian 8.5 systems set up in similar manner.
> Samba is version 4.2.10-Debian
>
> Here is the essential config...
>
> # testparm /etc/samba/smb.conf
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> workgroup = MYDOM
> realm = AD.MYDOM.CA
> server string = debian2 Server
> security = ADS
> log file = /var/log/samba/%m.log
> max log size = 50
> unix extensions = No
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config * : range = 1000-1999999
> idmap config * : backend = tdb
> nt acl support = No
> printing = bsd
>
>
> [homes]
> comment = Home Directories
> path = %H
> valid users = %U at mydom
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No
> wide links = Yes
>
> /etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
> configuration on both systems. The first one allows a connection
> to the homes. Here is a tail on the log file:
>
> [2016/08/08 09:42:49.956619, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [MYDOM]\[username]@[DEBIAN1] with the new password interface
> [2016/08/08 09:42:49.956656, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1]
> [2016/08/08 09:42:49.961548, 3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
> check_ntlm_password: winbind authentication for user [username]
> succeeded
> [2016/08/08 09:42:49.961610, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [username] ->
> [username] -> [username] succeeded
> [2016/08/08 09:42:49.961671, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:42:49.961699, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:42:49.961748, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:42:49.961772, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:42:50.271337, 3]
> ../source3/param/loadparm.c:1427(lp_add_home)
> adding home's share [username] for user 'username' at '%H'
>
> The second server fails with the add_local_groups and getpwuid:
>
> [2016/08/08 09:53:55.146840, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [MYDOM]\[username]@[DEBIAN2] with the new password interface
> [2016/08/08 09:53:55.146867, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2]
> [2016/08/08 09:53:55.150852, 3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
> check_ntlm_password: winbind authentication for user [username]
> succeeded
> [2016/08/08 09:53:55.150902, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [username] ->
> [username] -> [username] succeeded
> [2016/08/08 09:53:55.150960, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:53:55.150978, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:53:55.151024, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2016/08/08 09:53:55.151036, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62088215
> [2016/08/08 09:53:55.151321, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-82194667-1315141139-1877560073-12331 ->
> getpwuid(16777216) failed
> [2016/08/08 09:53:55.151348, 3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
> Failed to finalize nt token
>
>
> I am so far unable to find why the getpwuid for add_local_groups
> matters, or why only one system even mentions it in the logfile
> trace. The default group ID is listed in /etc/group for the user and
> the home directory with ls -ld looks fine with 700 chmod
> for the home directory in both servers.
Are you using sssd ?
If not, where are you storing the users & groups ?
Rowland