[Samba] Samba domain member and rfc2307 user IDs
Kevin Davidson
kevin at indigospring.co.uk
Sun Jul 31 22:58:56 UTC 2016
> On 29 Jul 2016, at 09:13, Rowland penny <rpenny at samba.org> wrote:
>
> On 29/07/16 00:09, Kevin Davidson wrote:
>> So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies).
>>
>> root@terra:~# apt-cache policy samba
>> samba:
>>   Installed: 2:4.4.5+dfsg-2~bpo8+1
>>   Candidate: 2:4.4.5+dfsg-2~bpo8+1
>>   Version table:
>>  *** 2:4.4.5+dfsg-2~bpo8+1 0
>>         500 file:/var/www/html/debian/ jessie/ Packages
>>         100 /var/lib/dpkg/status
>>      2:4.2.10+dfsg-0+deb8u3 0
>>         500 http://security.debian.org/ jessie/updates/main amd64 Packages
>>      2:4.1.17+dfsg-2+deb8u2 0
>>         500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
>> root@terra:~# apt-cache policy winbind
>> winbind:
>>   Installed: (none)
>>   Candidate: 2:4.2.10+dfsg-0+deb8u3
>>   Version table:
>>      2:4.2.10+dfsg-0+deb8u3 0
>>         500 http://security.debian.org/ jessie/updates/main amd64 Packages
>>         100 /var/lib/dpkg/status
>>      2:4.1.17+dfsg-2+deb8u2 0
>>         500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
>>
>> And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.
>>
>>
>
> You don't mention adding a uidNumber attribute to the users, have you done this ?
In an earlier message, yes.
>
> To get the winbind 'ad' backend to work on a domain member, you need to give each AD user a unique uidNumber attribute, you must also give Domain Users a gidNumber attribute.
This last part has solved one problem. Giving Domain Users a gid has fixed the problems with getent passwd. And an ls -l of shared directories now shows the proper ownership of files.
But SMB connections to shares are still failing with NT_STATUS_NO_SUCH_USER:
[2016/07/31 23:53:55.102317, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.102509, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.102839, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2016/07/31 23:53:55.107288, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2016/07/31 23:53:55.152956, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.153156, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.153255, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 73 (0 toread)
[2016/07/31 23:53:55.153298, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 934) conn 0x0
[2016/07/31 23:53:55.154569, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [NT LM 0.12]
[2016/07/31 23:53:55.154636, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.002]
[2016/07/31 23:53:55.154658, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.???]
[2016/07/31 23:53:55.154824, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2016/07/31 23:53:55.246565, 3] ../source3/smbd/negprot.c:711(reply_negprot)
Selected protocol SMB 2.???
[2016/07/31 23:53:55.285751, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2016/07/31 23:54:06.780444, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.823840, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.823991, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.824171, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.824400, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.824854, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.824948, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.825113, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.825943, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.825990, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.860082, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860136, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860214, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/31 23:54:06.906727, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.952704, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.952816, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.952907, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.953062, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.953547, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.953637, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.953771, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.954021, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.954101, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.965389, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.965457, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965485, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965553, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
Kevin Davidson
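
The following is an added example, not part of the original message and not Samba code: it parses the level-3 smbd log format quoted above, picks out the check_account records where getpwnam() failed, and tags each with the most recent client address and workstation seen. The function names, the assumption of one client per log file and the injectable lookup parameter are choices made for this sketch.

```python
import pwd
import re

# Excerpt of the smbd level-3 log quoted above; each message follows its header.
SAMPLE_LOG = """
[2016/07/31 23:53:55.152956, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:54:06.823840, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\\administrator via getpwnam(), denying access.
"""

HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\] \S+\((\w+)\)$")
CONNECT = re.compile(r"Allowed connection from (\S+)")
PREAUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
NO_PW = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")

def records(text):
    """Yield (timestamp, function, message) for each header/message line pair."""
    head = None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if head and not m:
            yield head[1], head[2], line
        head = m

def getpwnam_failures(text):
    """List the authenticated users smbd could not map to a Unix account."""
    # Context is "most recent seen", which assumes a log holding one client.
    client, workstation, found = None, None, []
    for ts, func, msg in records(text):
        if func == "allow_access" and (m := CONNECT.search(msg)):
            client = m[1]
        elif func == "ntlmssp_server_preauth" and (m := PREAUTH.search(msg)):
            workstation = m[3]
        elif func == "check_account" and (m := NO_PW.search(msg)):
            found.append({"time": ts, "unix_name": m[1],
                          "client": client, "workstation": workstation})
    return found

def unresolved(names, lookup=pwd.getpwnam):
    """Return the names that fail the NSS lookup smbd relies on (getpwnam)."""
    missing = []
    for name in sorted(set(names)):
        try:
            lookup(name)
        except KeyError:
            missing.append(name)
    return missing
```

Run on the member server, `unresolved(f["unix_name"] for f in getpwnam_failures(log_text))` lists the accounts that still have no Unix mapping through NSS, the condition behind the NT_STATUS_NO_SUCH_USER result in the log.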