[Samba] Samba domain member and rfc2307 user IDs

Kevin Davidson kevin at indigospring.co.uk
Sun Jul 31 22:58:56 UTC 2016


> On 29 Jul 2016, at 09:13, Rowland penny <rpenny at samba.org> wrote:
> 
> On 29/07/16 00:09, Kevin Davidson wrote:
>> So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies)
>> 
>> root at terra:~# apt-cache policy samba
>> samba:
>>   Installed: 2:4.4.5+dfsg-2~bpo8+1
>>   Candidate: 2:4.4.5+dfsg-2~bpo8+1
>>   Version table:
>>  *** 2:4.4.5+dfsg-2~bpo8+1 0
>>         500 file:/var/www/html/debian/ jessie/ Packages
>>         100 /var/lib/dpkg/status
>>      2:4.2.10+dfsg-0+deb8u3 0
>>         500 http://security.debian.org/ jessie/updates/main amd64 Packages
>>      2:4.1.17+dfsg-2+deb8u2 0
>>         500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
>> root at terra:~# apt-cache policy winbind
>> winbind:
>>   Installed: (none)
>>   Candidate: 2:4.2.10+dfsg-0+deb8u3
>>   Version table:
>>      2:4.2.10+dfsg-0+deb8u3 0
>>         500 http://security.debian.org/ jessie/updates/main amd64 Packages
>>         100 /var/lib/dpkg/status
>>      2:4.1.17+dfsg-2+deb8u2 0
>>         500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
>> 
>> And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.
>> 
>> 
> 
> You don't mention adding a uidNumber attribute to the users, have you done this ?

In an earlier message, yes.

> 
> To get the winbind 'ad' backend to work on a domain member, you need to give each AD user a unique uidNumber attribute, you must also give Domain Users a gidNumber attribute.

This last part has solved one problem. Giving Domain Users a gid has fixed the problems with getent passwd. And an ls -l of shared directories now shows the proper ownership of files.

But SMB connections to shares are still failing with NT_STATUS_NO_SUCH_USER:

[2016/07/31 23:53:55.102317,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.102509,  3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/31 23:53:55.102839,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)
[2016/07/31 23:53:55.107288,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2016/07/31 23:53:55.152956,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.153156,  3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2016/07/31 23:53:55.153255,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 73 (0 toread)
[2016/07/31 23:53:55.153298,  3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 934) conn 0x0
[2016/07/31 23:53:55.154569,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [NT LM 0.12]
[2016/07/31 23:53:55.154636,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [SMB 2.002]
[2016/07/31 23:53:55.154658,  3] ../source3/smbd/negprot.c:601(reply_negprot)
  Requested protocol [SMB 2.???]
[2016/07/31 23:53:55.154824,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2016/07/31 23:53:55.246565,  3] ../source3/smbd/negprot.c:711(reply_negprot)
  Selected protocol SMB 2.???
[2016/07/31 23:53:55.285751,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB3_02
[2016/07/31 23:54:06.780444,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.823840,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.823991,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.824171,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/31 23:54:06.824400,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2016/07/31 23:54:06.824854,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Shared Items]"
[2016/07/31 23:54:06.824948,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Archives]"
[2016/07/31 23:54:06.825113,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2016/07/31 23:54:06.825943,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.825990,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.860006,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.860082,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860136,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860214,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/31 23:54:06.906727,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.952704,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.952816,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.952907,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2016/07/31 23:54:06.953062,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2016/07/31 23:54:06.953547,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Shared Items]"
[2016/07/31 23:54:06.953637,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[Archives]"
[2016/07/31 23:54:06.953771,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2016/07/31 23:54:06.954021,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.954101,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.965389,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.965457,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965485,  2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965553,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134


Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions
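
A triage helper for the kind of smbd log quoted above, added here as an example and not part of the original message or of Samba. It groups the log into records (header line plus indented body) and counts accounts that smbd reports as authenticated but could not resolve through getpwnam(). The function names and the constructed sample lines are assumptions.

```python
import re
from collections import Counter

# smbd record header, e.g.
# "[2016/07/31 23:54:06.860006,  3] ../source3/auth/auth_util.c:1229(check_account)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
GETPWNAM_FAIL = re.compile(
    r"Failed to find authenticated user (?P<user>\S+) via getpwnam\(\), denying access"
)


def parse_records(text):
    """Group an smbd log into records: one header line plus its indented body."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {**m.groupdict(), "body": []}
            records.append(current)
        elif current is not None and raw.startswith(" "):
            current["body"].append(raw.strip())
    return records


def unresolved_users(text):
    """Count accounts smbd authenticated but could not map to a Unix user."""
    hits = Counter()
    for rec in parse_records(text):
        if rec["func"] != "check_account":
            continue
        for line in rec["body"]:
            m = GETPWNAM_FAIL.search(line)
            if m:
                hits[m.group("user")] += 1
    return hits


# Constructed sample in the format of the log quoted in the message.
SAMPLE = r"""[2016/07/31 23:54:06.825990,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.860006,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.965389,  3] ../source3/auth/auth_util.c:1229(check_account)
  Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
"""

if __name__ == "__main__":
    for user, count in unresolved_users(SAMPLE).items():
        print(f"{user}: {count} denied logon(s); check: getent passwd '{user}'")
```

Each name it reports is one to test with getent passwd on the domain member, since that is the lookup smbd says failed.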






