[Samba] winbind joining NT4-style domain - two strange issues
Stefan Froehlich
samba at froehlich.priv.at
Sat Dec 17 21:12:28 UTC 2016
A new Debian(unstable) machine with Samba 4.5.2 is trying to join an
NT4-style Samba domain hosted on a Debian(wheezy) Server with 3.6.6
which can't be changed but has been working for some years now with a
couple of windows clients.
Joining the domain was quite easy (only surprise was "client ipc
signing"), and "wbinfo -u" gives me a list with all domain users.
BUT (issue one) "getent passwd" listed only local users in the
beginning. Google has many hits for this with many different reasons.
Learning from them I now have a smb.conf with the following relevant
entries:
| netbios name = DALET-STG
| workgroup = SYNTH
| wins support = no
| wins server = herkules.synth.intern
| client ipc signing = auto
| server role = member server
| security = domain
| password server = herkules.synth.intern
| idmap config *:backend = tdb
| idmap config *:range = 1000-9999
| idmap config SYNTH:backend = rid
| idmap config SYNTH:range = 10000-19999
| winbind separator = +
| winbind enum groups = yes
| winbind enum users = yes
| winbind use default domain = no
After configuring "idmap config SYNTH:backend=rid" to my surprise
"getent passwd" now returns exactly ONE domain user (actually it
returns *my* user). So I can do:
| $ wbinfo -a SYNTH+user1%pass1
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ wbinfo -a SYNTH+user2%pass2
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
|
| $ getent passwd SYNTH+user1
| SYNTH+user1:*:13000:10513:Stefan Froehlich:/home/SYNTH/user1:/bin/bash
|
| $ getent passwd SYNTH+user2
| [no output at all]
ONLY user1 is found, nothing else, whatever I do (I was desperate
enough to even reboot the machine, but... well, I did not expect it
to help and it did not).
Does anyone have a clue what is going on here? What to try next?
The second odd thing is PAM authentication. I configured
pam_winbind and tried to connect via ssh and via postgresql - using
the non-mapped account of user2 in the example above. Both of them
are running through exactly the same PAM configuration, but still
postgresql succeeds and ssh login fails. I had a look at the level 9
debug logs on the server side and found out the following (so most
likely this is an issue on the rather ancient 3.6.6 machine, but
still I would be REALLY thankful for help).
Connection attempt from postgres:
| [2016/12/17 20:55:55.268015, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:55.268040, 3] auth/auth.c:222(check_ntlm_password)
| check_ntlm_password: mapped user is: [SYNTH]\[user2]@[\\DALET-STG]
[about 50 lines snipped]
| [2016/12/17 20:55:55.268723, 5] lib/username.c:171(Get_Pwnam_alloc)
| Finding user user2
| [2016/12/17 20:55:55.268746, 5] lib/username.c:116(Get_Pwnam_internals)
| Trying _Get_Pwnam(), username as lowercase is user2
| [2016/12/17 20:55:55.268773, 5] lib/username.c:149(Get_Pwnam_internals)
| Get_Pwnam_internals did find user [user2]!
| [2016/12/17 20:55:55.268808, 3] passdb/lookup_sid.c:1754(get_primary_group_sid)
| Forcing Primary Group to 'Domain Users' for user2
| [2016/12/17 20:55:55.268835, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268860, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.268884, 4] smbd/sec_ctx.c:314(set_sec_ctx)
| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.268908, 5] ../libcli/security/security_token.c:53(security_token_debug)
| Security token: (NULL)
| [2016/12/17 20:55:55.268931, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.268972, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269007, 4] lib/substitute.c:527(automount_server)
| Home server: herkules
| [2016/12/17 20:55:55.269039, 4] lib/substitute.c:527(automount_server)
| Home server: herkules
| [2016/12/17 20:55:55.269070, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269095, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269119, 4] smbd/sec_ctx.c:314(set_sec_ctx)
| setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
| [2016/12/17 20:55:55.269142, 5] ../libcli/security/security_token.c:53(security_token_debug)
| Security token: (NULL)
| [2016/12/17 20:55:55.269165, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:55.269208, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269243, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:55.269274, 4] auth/check_samsec.c:183(sam_account_ok)
| sam_account_ok: Checking SMB password for user user2
| [2016/12/17 20:55:55.269302, 5] auth/check_samsec.c:165(logon_hours_ok)
| logon_hours_ok: user user2 allowed to logon at this time (Sat Dec 17 19:55:55 2016
| )
| [2016/12/17 20:55:55.269334, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:55.269360, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 0
Connection attempt from ssh:
| [2016/12/17 20:55:19.843012, 3] auth/auth.c:219(check_ntlm_password)
| check_ntlm_password: Checking password for unmapped user [SYNTH]\[user2]@[\\DALET-STG] with the new password interface
| [2016/12/17 20:55:19.843038, 3] auth/auth.c:222(check_ntlm_password)
| check_ntlm_password: mapped user is: [SYNTH]\[user2]@[\\DALET-STG]
[completely identical lines to the above log file snipped]
| [2016/12/17 20:55:19.844194, 5] auth/token_util.c:527(debug_unix_user_token)
| UNIX token of user 0
| Primary group is 0 and contains 0 supplementary groups
| [2016/12/17 20:55:19.844236, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844271, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
| pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
| [2016/12/17 20:55:19.844301, 3] ../libcli/auth/ntlm_check.c:238(hash_password_check)
| ntlm_password_check: Interactive logon: NT password check failed for user user2
| [2016/12/17 20:55:19.844329, 4] smbd/sec_ctx.c:214(push_sec_ctx)
| push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
| [2016/12/17 20:55:19.844354, 4] smbd/uid.c:460(push_conn_ctx)
| push_conn_ctx(100) : conn_ctx_stack_ndx = 0
This seems completely irrational to me - in both cases the same
password has been entered, exactly the same piece of software is
called, but - reproducible! - a different result is returned.
Again, I highly welcome any hints and suggestions. If any additional
file or configuration information is needed of either client or
server, or if I should try out something, just tell.
Bye,
Stefan
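Added example, not part of the original post and not Samba code: a small offline checker for the idmap lines quoted in the post. It implements the mapping rule documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, over a parsed smb.conf fragment, and reports which SIDs the configured ranges can map, which fall outside them (winbind then has no mapping and getent returns nothing), whether two idmap ranges overlap, and which local passwd accounts collide with an idmap range. The domain SID, the passwd lines and the RIDs are constructed: RID 3000 and RID 513 were chosen to reproduce the uid 13000 / gid 10513 shown for user1 in the post, RID 25000 is a hypothetical value chosen to land outside the SYNTH range.

```python
"""
Added example (not Samba's code, not from the original post): an offline
checker for an smb.conf idmap configuration using the idmap_rid(8) rule

    ID = RID - BASE_RID + LOW_RANGE_ID

All inputs below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the idmap lines from the post's smb.conf.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 1000-9999
idmap config SYNTH:backend = rid
idmap config SYNTH:range = 10000-19999
"""

# Constructed input: a hypothetical local passwd file (assumption, not from the post).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
stefan:x:1000:1000:Stefan Froehlich:/home/stefan:/bin/bash
"""

# Constructed domain SID and RIDs (hypothetical values). RID 3000 and 513
# reproduce the uid 13000 / gid 10513 from the post; 25000 is deliberately
# outside the SYNTH range to show the unmapped case.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_SIDS = {
    "user1": f"{DOMAIN_SID}-3000",
    "Domain Users": f"{DOMAIN_SID}-513",
    "user2": f"{DOMAIN_SID}-25000",
}

IDMAP_LINE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$",
                        re.IGNORECASE)
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass
class IdmapDomain:
    backend: str
    low: int
    high: int
    base_rid: int = 0  # idmap_rid's optional "base_rid" option, default 0


def parse_idmap(conf: str) -> Dict[str, IdmapDomain]:
    """Collect the 'idmap config DOMAIN:key = value' lines per domain."""
    raw: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            raw.setdefault(dom, {})[key] = val
    domains: Dict[str, IdmapDomain] = {}
    for dom, kv in raw.items():
        low, high = (int(x) for x in kv["range"].split("-"))
        domains[dom] = IdmapDomain(kv.get("backend", "tdb").lower(), low, high,
                                   int(kv.get("base_rid", "0")))
    return domains


def rid_to_id(dom: IdmapDomain, rid: int) -> Optional[int]:
    """idmap_rid arithmetic; None when the result leaves the configured range."""
    uid = rid - dom.base_rid + dom.low
    return uid if dom.low <= uid <= dom.high else None


def sid_to_id(domains: Dict[str, IdmapDomain], domain_name: str, sid: str) -> Optional[int]:
    """Map a SID through the rid backend configured for domain_name."""
    dom = domains.get(domain_name.upper())
    if dom is None or dom.backend != "rid":
        return None  # tdb and other allocating backends are not deterministic
    m = SID_RE.match(sid)
    if not m:
        return None
    return rid_to_id(dom, int(m.group(2)))


def overlapping_ranges(domains: Dict[str, IdmapDomain]) -> List[Tuple[str, str]]:
    """Pairs of idmap domains whose ID ranges intersect (they must not)."""
    names = sorted(domains)
    out = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            da, db = domains[a], domains[b]
            if da.low <= db.high and db.low <= da.high:
                out.append((a, b))
    return out


def local_collisions(domains: Dict[str, IdmapDomain], passwd_text: str) -> List[Tuple[str, int, str]]:
    """Local passwd entries whose uid falls inside an idmap range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        uid = int(fields[2])
        for name, dom in domains.items():
            if dom.low <= uid <= dom.high:
                hits.append((fields[0], uid, name))
    return hits


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for who, sid in SAMPLE_SIDS.items():
        print(f"{who:12s} {sid} -> {sid_to_id(cfg, 'SYNTH', sid)}")
    print("overlapping ranges:", overlapping_ranges(cfg))
    print("local collisions:", local_collisions(cfg, PASSWD))
```

On a real member server the SIDs to feed into this come from winbind itself: `wbinfo -n 'SYNTH+user2'` prints the SID for a name, and `wbinfo -S <SID>` asks winbind for the uid it would assign, so the arithmetic above can be compared against what the running daemon answers. The collision check flags the constructed local account "stefan" (uid 1000) as sitting inside the `*` range 1000-9999; whether that matters on the real machine depends on which local UIDs actually exist there.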