[Samba] Samba domain member and rfc2307 user IDs

Kevin Davidson kevin at indigospring.co.uk
Thu Jul 28 23:09:26 UTC 2016


> On 25 Jul 2016, at 19:49, Rowland penny <rpenny at samba.org> wrote:
> 
> On 25/07/16 19:32, Kevin Davidson wrote:
>>> On 25 Jul 2016, at 16:39, Rowland penny <rpenny at samba.org> wrote:
>>> 
>>> On 25/07/16 16:02, Kevin Davidson wrote:
>>>> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>>>> 
>>>> samba and winbind v 2.4.2.10+dfs
>>>> 
>>>> […]
>>>> What have I done wrong?
>>>> 
>>> You haven't done anything wrong.
>>> 
>>> The version you are using was released after the badlock patches were released; your version includes a regression patch and should really be 4.2.11. There have been a few releases since then, and these include patches for regressions caused by the badlock patches, so is there any way you can upgrade Samba?
>>> 
>> 
>> It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates. What would you consider best practice?
>> 
> 
> I personally think it would be best practice for Debian to release a later version that has the regression patches. As for what you do, your choices are a bit limited. You could use the free Sernet packages or, if you can afford it, the paid-for Sernet packages. You could compile Samba yourself; this way you could get the latest 4.4.x version. Or you could contact Louis van Belle (he posts on here frequently); he has a way of creating Debian Samba debs using later Samba versions. Or you could just wait until Debian releases a new version, hopefully sooner rather than later, as the 4.2.x series will go EOL when 4.5.0 comes out in about 6 weeks.
> 

So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly, as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies):

root at terra:~# apt-cache policy samba
samba:
  Installed: 2:4.4.5+dfsg-2~bpo8+1
  Candidate: 2:4.4.5+dfsg-2~bpo8+1
  Version table:
 *** 2:4.4.5+dfsg-2~bpo8+1 0
        500 file:/var/www/html/debian/ jessie/ Packages
        100 /var/lib/dpkg/status
     2:4.2.10+dfsg-0+deb8u3 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
     2:4.1.17+dfsg-2+deb8u2 0
        500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
root at terra:~# apt-cache policy winbind
winbind:
  Installed: (none)
  Candidate: 2:4.2.10+dfsg-0+deb8u3
  Version table:
     2:4.2.10+dfsg-0+deb8u3 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.1.17+dfsg-2+deb8u2 0
        500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages

And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.

Which logs should I be looking in to see what’s going wrong?

I can see this in /var/log/samba/log.winbindd-idmap:

[2016/07/28 23:48:52.614025,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.623870,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.632863,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.641460,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.650196,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX

And that coincides with the attempts at getent passwd. The SIDs listed do not have any RFC2307 data (they’re the Administrator account, the Samba-created DNS account, the Domain Users group, etc.).

And log.smbd has this for an attempted SMB connection:

[2016/07/29 00:02:16.338378,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/29 00:02:16.338563,  3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/29 00:02:16.338671,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 73 (0 toread)
[2016/07/29 00:02:16.338736,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 1029) conn 0x0
[2016/07/29 00:02:16.340138,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/29 00:02:16.340202,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [SMB 2.002]
[2016/07/29 00:02:16.340230,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [SMB 2.???]
[2016/07/29 00:02:16.340435,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2016/07/29 00:02:16.432338,  3] ../source3/smbd/negprot.c:711(reply_negprot)
  Selected protocol SMB 2.???
[2016/07/29 00:02:16.471838,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_02
[2016/07/29 00:02:16.624918,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.711303,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.711450,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.711567,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/29 00:02:16.711741,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2016/07/29 00:02:16.712184,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Shared Items]"
[2016/07/29 00:02:16.712273,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Archives]"
[2016/07/29 00:02:16.712409,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2016/07/29 00:02:16.713201,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.713251,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.725937,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.726003,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726057,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726136,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:16.772344,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.814492,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.814595,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.814676,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/29 00:02:16.814868,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2016/07/29 00:02:16.815357,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Shared Items]"
[2016/07/29 00:02:16.815460,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Archives]"
[2016/07/29 00:02:16.815617,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2016/07/29 00:02:16.815893,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.815940,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.827000,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.827064,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827139,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827205,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:28.359747,  2] ../source3/smbd/server.c:576(remove_child_pid)
  Could not find child 1032 -- ignoring


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions
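A small triage helper for the two logs quoted in this message, added here as an example and not part of the thread or of Samba itself. It assumes the log layout shown above (a bracketed header line followed by an indented message line) and runs over constructed sample lines with made-up SIDs, counting which SIDs idmap_ad could not map and which getpwnam() refusals in log.smbd turned into NT_STATUS_NO_SUCH_USER logon failures.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the log excerpts quoted above (SIDs are made up).
IDMAP_LOG = """\
[2016/07/28 23:48:52.614025,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-1111111111-2222222222-3333333333-500
[2016/07/28 23:48:52.623870,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-1111111111-2222222222-3333333333-513
[2016/07/28 23:48:52.632863,  1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
  Could not get unix ID for SID S-1-5-21-1111111111-2222222222-3333333333-500
"""
SMBD_LOG = """\
[2016/07/29 00:02:16.725937,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.726003,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)")
IDMAP_FAIL = re.compile(r"Could not get unix ID for SID (?P<sid>S-1-5-21-[\d-]+)")
GETPWNAM_FAIL = re.compile(r"Failed to find authenticated user (?P<user>\S+) via getpwnam\(\)")
AUTH_FAIL = re.compile(r"Authentication for user \[[^\]]+\].*FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_samba_log(text):
    """Samba writes a header line then an indented message line; pair them up."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m.groupdict()
        elif header and line.startswith("  "):
            entries.append({**header, "msg": line.strip()})
            header = None
    return entries

def unmapped_sids(text):
    """Count idmap_ad failures per SID (RID 500 = Administrator, 513 = Domain Users)."""
    hits = (IDMAP_FAIL.search(e["msg"]) for e in parse_samba_log(text))
    return Counter(m.group("sid") for m in hits if m)

def denied_logons(text):
    """Pair each getpwnam() refusal in log.smbd with the NT status of the logon it caused."""
    denied, pending = defaultdict(Counter), None
    for e in parse_samba_log(text):
        if (m := GETPWNAM_FAIL.search(e["msg"])):
            pending = m.group("user")
        elif pending and (m := AUTH_FAIL.search(e["msg"])):
            denied[pending][m.group("status")] += 1
            pending = None
    return denied
```

Point it at the real /var/log/samba/log.winbindd-idmap and log.smbd to see at a glance which SIDs lack a Unix ID and whether every denied logon traces back to a getpwnam() miss rather than a bad password.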