[Samba] Samba ADS-member-server: FQDNs in /etc/hosts

Rowland Penny rpenny at samba.org
Tue Jul 11 09:57:35 UTC 2017


On Tue, 11 Jul 2017 10:36:08 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> 
> [2017/07/11 10:28:51.553290,  3]
> ../source3/auth/auth.c:249(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [mueller] succeeded
> [2017/07/11 10:28:51.553324,  2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [mueller] -> [mueller]
> -> [mueller] succeeded
> [2017/07/11 10:28:51.553493,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553518,  3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553552,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553562,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553601,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/07/11 10:28:51.553611,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62088215
> [2017/07/11 10:28:51.553782,  1]
> ../source3/auth/token_util.c:430(add_local_groups)
>   SID S-1-5-21-2940660672-4062535256-4144655499-1029 ->
> getpwuid(11029) failed
> [2017/07/11 10:28:51.553808,  3]
> ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
>   Failed to finalize nt token
> [2017/07/11 10:28:51.553818,  1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.553864,  3]
> ../source3/smbd/error.c:82(error_packet_set)
>   NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115
> (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
> [2017/07/11 10:28:51.554117,  3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (failed to receive smb request)
> 
> 
> 
> ---
> 
> 
> getpwuid(11029)  fails, local group 11029 does not exist.
> 
> the SID looks like:
> 
> # net ads sid S-1-5-21-2940660672-4062535256-4144655499-1029
> Got 1 replies
> 
> cn: mueller
> instanceType: 4
> whenCreated: 20170524093910.0Z
> uSNCreated: 4231
> name: mueller
> objectGUID: ddbb9928-167d-4cfb-a667-ef4a24600fef
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-2940660672-4062535256-4144655499-1029
> sAMAccountName: mueller
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=secret,DC=at
> pwdLastSet: 130414131350000000
> accountExpires: 137303967990000000
> lastLogoff: 137303967990000000
> userAccountControl: 512
> uidNumber: 1070
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> unixHomeDirectory: /home/mueller
> loginShell: /bin/bash
> gidNumber: 1070
> msSFU30NisDomain: buero
> lastLogonTimestamp: 131439211510194450
> whenChanged: 20170707171231.0Z
> uSNChanged: 6300
> memberOf: CN=Mitarbeiter,OU=secret-Benutzer,DC=secret,DC=at
> lastLogon: 131442246304847030
> logonCount: 14
> distinguishedName: CN=mueller,OU=secret-Benutzer,DC=secret,DC=at
> 
> 
> created a local group "rettung" with GID 11029 ... no change

Remove this local Unix group; you cannot have a group (or a user) in AD
and /etc/group.

> 
> I don't find that 11029 in the SID infos ...

Probably because '11029' isn't a 'RID', it will be a uidNumber.

Try running this on your DC:

ldbsearch -H /path/to/sam.ldb -b "dc=secret,dc=at" -s sub \
    "(&(objectclass=group)(gidnumber=11029))"

Rowland
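
Added example, not part of the original message and not Samba's own code: a small Python parser that scans smbd log text for the failure pattern quoted above, where authentication succeeds but session setup ends in NT_STATUS_UNSUCCESSFUL after a failed getpwuid() lookup. The sample log is constructed from the thread's excerpt (unwrapped into smbd's usual header-plus-indented-message layout), and the function names are hypothetical.

```python
import re

# Constructed sample: entries taken from the thread's log excerpt, unwrapped
# into smbd's normal layout (header line, then indented message lines).
SAMPLE_LOG = """\
[2017/07/11 10:28:51.553290,  3] ../source3/auth/auth.c:249(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [mueller] succeeded
[2017/07/11 10:28:51.553493,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2940660672-4062535256-4144655499-1029 -> getpwuid(11029) failed
[2017/07/11 10:28:51.553518,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2017/07/11 10:28:51.553818,  1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+\((?P<func>\w+)\)\s*$")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\] succeeded")
MAP_FAIL = re.compile(r"SID (S-1-[\d-]+) -> getpwuid\((\d+)\) failed")

def parse_entries(text):
    """Yield (timestamp, function, message) for each log entry."""
    ts = func = None
    msg = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, func, " ".join(msg)
            ts, func, msg = m["ts"], m["func"], []
        elif ts is not None and line.strip():
            msg.append(line.strip())  # continuation of the current entry
    if ts is not None:
        yield ts, func, " ".join(msg)

def find_mapping_failures(text):
    """Report logins that authenticated but failed session setup on ID lookup."""
    findings, user, pending = [], None, None
    for ts, func, msg in parse_entries(text):
        if (m := AUTH_OK.search(msg)):
            user = m.group(1)
        elif (m := MAP_FAIL.search(msg)):
            sid = m.group(1)
            rid = int(sid.rsplit("-", 1)[1])  # last SID component
            pending = {"user": user, "sid": sid, "rid": rid, "unix_id": int(m.group(2))}
        elif "NT_STATUS_UNSUCCESSFUL" in msg and pending:
            findings.append({**pending, "time": ts, "stage": func})
            pending = None
    return findings
```

Calling `find_mapping_failures()` on a real log file's contents lists each affected user with the SID and the Unix ID that could not be resolved, which separates ID-mapping problems from genuine authentication failures.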






