[Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users
Martin Decker
martin.decker at gmx.net
Mon Aug 21 15:25:31 UTC 2017
Dear Rowland,
our windows admin assured me that they have set uidNumber and gidNumber in
the range. I have requested screenshots for confirmation.
Now we are one step further: "getent passwd | grep mdecker" now lists the
AD account.
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
With "getent passwd mdecker" however, it shows "NT_STATUS_NO_SUCH_USER".
getent passwd mdecker
winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER
Also not working:
getnet passwd mdecker
getent passwd "MYDOM\\mdecker"
What is working, though, is when I give the REALM suffix ".ADS"
getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false
For "getent group" currently, the issue is: "rejecting getgrsid()", although
the Group "DOMAIN USERS" was successfully resolved from name to SID.
getent group "MYDOM\\DOMÄNEN-BENUTZER"
wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER ->
S-1-5-21-1585417398-3384821309-2524188735-513
(NT_STATUS_OK)
winbindd_getgrsid: My domain -- rejecting getgrsid() for
S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513:
NT_STATUS_NO_SUCH_GROUP
Is there anything else to set up on Windows side in order for getgrsid to
work?
With wbinfo, I can do these successfully:
wbinfo --sid-to-uid "S-1-5-21-1585417398-3384821309-2524188735-13667"
13667
root at solaris1:/# wbinfo --uid-info=13667
mdecker:*:13667:7142::/home/MYDOM/mdecker:/bin/false
... but "wbinfo -r" does not work:
root at solaris1:/# wbinfo -r mdecker
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user mdecker
Testing access to a Solaris SMB Share from Windows, reports this error when
trying to mount the share:
[2017/08/21 17:19:44.281527, 3]
auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [mdecker at MYDOM.ADS]
[2017/08/21 17:19:44.281680, 10]
auth/user_krb5.c:82(get_user_from_kerberos_info)
Domain is [MYDOM] (using PAC)
[2017/08/21 17:19:44.281747, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user MYDOM\mdecker
[2017/08/21 17:19:44.281805, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is MYDOM\mdecker
[2017/08/21 17:19:44.283946, 5] lib/username.c:123(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as given is MYDOM\mdecker
[2017/08/21 17:19:44.284685, 5] lib/username.c:133(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is MYDOM\MDECKER
[2017/08/21 17:19:44.285073, 5] lib/username.c:142(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in MYDOM\mdecker
[2017/08/21 17:19:44.285150, 5] lib/username.c:148(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [MYDOM\mdecker]!
[2017/08/21 17:19:44.285222, 5] lib/username.c:171(Get_Pwnam_alloc)
Finding user mdecker
[2017/08/21 17:19:44.285323, 5] lib/username.c:116(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as lowercase is mdecker
[2017/08/21 17:19:44.285755, 5] lib/username.c:133(Get_Pwnam_internals)
Trying _Get_Pwnam(), username as uppercase is MDECKER
[2017/08/21 17:19:44.286128, 5] lib/username.c:142(Get_Pwnam_internals)
Checking combinations of 0 uppercase letters in mdecker
[2017/08/21 17:19:44.286197, 5] lib/username.c:148(Get_Pwnam_internals)
Get_Pwnam_internals didn't find user [mdecker]!
[2017/08/21 17:19:44.287762, 1]
auth/user_krb5.c:161(get_user_from_kerberos_info)
Username MYDOM\mdecker is invalid on this system
[2017/08/21 17:19:44.287963, 3] smbd/error.c:77(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Any ideas?
Best regards,
Martin
2017-08-18 17:48 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Fri, 18 Aug 2017 17:32:34 +0200
> Martin Decker via samba <samba at lists.samba.org> wrote:
>
> > Thank you for your feedback. I have changed the parameters, but still
> > no success.
> >
> > winbind use default domain = yes
> > idmap config * : range = 1000000-1999999
> > idmap config MYDOM : range = 100-999999
> >
>
> You are using the winbind 'ad' backend, so do your AD domain users
> have a uidNumber attribute containing a unique number inside the range
> '100-999999' AND does 'Domain Users' have a gidNumber attribute
> containing a number in the same range.
>
> Rowland
--
Martin Decker
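
The range question Rowland raises, turned into a local check (an added example, not part of the thread or of Samba): it parses the `idmap config` range lines quoted above, reports which idmap domain the uid and primary gid of a `getent passwd` line fall into, and flags overlapping ranges. The smb.conf fragment is constructed from the quoted lines, and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines quoted in the thread, placed in a [global] section.
SMB_CONF = """\
[global]
    winbind use default domain = yes
    idmap config * : range = 1000000-1999999
    idmap config MYDOM : range = 100-999999
"""

# passwd entry as returned by getent in the thread.
PASSWD_LINE = "mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false"

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            low, high = int(m.group(2)), int(m.group(3))
            if low > high:
                raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
            ranges[m.group(1)] = (low, high)
    return ranges

def overlapping(ranges):
    """Return pairs of domains whose ranges overlap (IDs would be ambiguous)."""
    items = sorted(ranges.items())
    return [(a, b) for i, (a, (alo, ahi)) in enumerate(items)
            for b, (blo, bhi) in items[i + 1:] if alo <= bhi and blo <= ahi]

def domain_for(id_number, ranges):
    """Name of the idmap domain whose range contains id_number, or None."""
    for domain, (low, high) in ranges.items():
        if low <= id_number <= high:
            return domain
    return None

def check_passwd_entry(passwd_line, ranges):
    """Map the uid and primary gid of a passwd line to idmap domains."""
    fields = passwd_line.split(":")
    uid, gid = int(fields[2]), int(fields[3])
    return {"user": fields[0], "uid": (uid, domain_for(uid, ranges)),
            "gid": (gid, domain_for(gid, ranges))}

if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    print("overlaps:", overlapping(r))
    print(check_passwd_entry(PASSWD_LINE, r))
```

The check only covers IDs visible locally; the gidNumber stored on a group object in AD still has to be read from the directory.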