[Samba] [samba] Member server winbind issue

mathias dufresne infractory at gmail.com
Sun Jul 23 09:10:35 UTC 2017 

Hi all,

Thank you both for your replies. I did tried both options (removing both
keytab related lines as proposed by Andrew then using both lines proposed
by Rowland) without success.

Kerberos client is working:
"kinit administrator" gives me a valid ticket as do "kinit -k -t
/etc/krb5.keytab smbsrv"

So now the smb.conf is the following:

[global]
        realm = AD.INFRACTORY.ORG
        workgroup = AD
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        security = ADS
        winbind nss info = rfc2307
        winbind use default domain = Yes
        idmap config ad:unix_primary_group = yes
        idmap config ad:range = 1500-99999999
        idmap config ad:schema_mode = rfc2307
        idmap config ad:backend = ad
        idmap config * : range = 1200-1499
        idmap config * : backend = tdb
        log level = 6

logs in log.winbindd are the following:

smbsrv:/etc/samba# wbinfo -n testuser
S-1-5-21-3491498633-2139045408-86603964-2607 SID_USER (1)

[2017/07/23 11:00:43.951016,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 27
[2017/07/23 11:00:43.951351,  3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
  [ 2464]: request interface version (version = 28)
[2017/07/23 11:00:43.951710,  3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
  [ 2464]: request location of privileged pipe
[2017/07/23 11:00:43.952052,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 30
[2017/07/23 11:00:43.952300,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 27, client exited
[2017/07/23 11:00:43.952521,  3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
  [ 2464]: request interface version (version = 28)
[2017/07/23 11:00:43.952780,  3]
../source3/winbindd/winbindd_misc.c:384(winbindd_info)
  [ 2464]: request misc info
[2017/07/23 11:00:43.953101,  3]
../source3/winbindd/winbindd_misc.c:417(winbindd_netbios_name)
  [ 2464]: request netbios name
[2017/07/23 11:00:43.953398,  3]
../source3/winbindd/winbindd_misc.c:406(winbindd_domain_name)
  [ 2464]: request domain name
[2017/07/23 11:00:43.953734,  3]
../source3/winbindd/winbindd_misc.c:238(winbindd_domain_info)
  [ 2464]: domain_info [AD]
[2017/07/23 11:00:43.954049,  3]
../source3/winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
  lookupname AD\testuser
[2017/07/23 11:00:43.959921,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 30, client exited


smbsrv:/etc/samba# wbinfo -S S-1-5-21-3491498633-2139045408-86603964-2607
10000001

[2017/07/23 11:01:39.600059,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 27
[2017/07/23 11:01:39.600408,  3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
  [ 2469]: request interface version (version = 28)
[2017/07/23 11:01:39.600756,  3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
  [ 2469]: request location of privileged pipe
[2017/07/23 11:01:39.601111,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 30
[2017/07/23 11:01:39.601301,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 27, client exited
[2017/07/23 11:01:39.601562,  3]
../source3/winbindd/winbindd_sids_to_xids.c:50(winbindd_sids_to_xids_send)
  sids_to_xids
[2017/07/23 11:01:39.867902,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 30, client exited


smbsrv:/etc/samba# wbinfo -i testuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser

[2017/07/23 11:02:06.047987,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 27
[2017/07/23 11:02:06.048103,  3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
  [ 2479]: request interface version (version = 28)
[2017/07/23 11:02:06.048369,  3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
  [ 2479]: request location of privileged pipe
[2017/07/23 11:02:06.048559,  6]
../source3/winbindd/winbindd.c:918(new_connection)
  accepted socket 30
[2017/07/23 11:02:06.048607,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 27, client exited
[2017/07/23 11:02:06.048647,  3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
  getpwnam testuser
[2017/07/23 11:02:06.234602,  5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
  Could not convert sid S-1-5-21-3491498633-2139045408-86603964-2607:
NT_STATUS_NONE_MAPPED
[2017/07/23 11:02:06.235151,  6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
  closing socket 30, client exited

This system is Debian 9.0, PAM configuration was auto-generated during
installation of libpam-winbind and libnss-winbind.

Related packages are:
# dpkg -l | egrep 'samba|winbind'
ii  libnss-winbind:amd64           2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64           2:4.5.8+dfsg-2+deb9u1+b1
amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64             2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba winbind client library
ii  python-samba                   2:4.5.8+dfsg-2+deb9u1+b1
amd64        Python bindings for Samba
ii  samba                          2:4.5.8+dfsg-2+deb9u1+b1
amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.5.8+dfsg-2+deb9u1
all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules             2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba core libraries
ii  samba-vfs-modules              2:4.5.8+dfsg-2+deb9u1+b1
amd64        Samba Virtual FileSystem plugins
ii  winbind                        2:4.5.8+dfsg-2+deb9u1+b1
amd64        service to resolve user and group information from Windows NT
servers

As I've still no idea about what I did wrong, I'm installing Samba on some
Gentoo to reproduce that configuration and see how it behaves. I expect the
behavior would the same.


2017-07-23 9:56 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sun, 23 Jul 2017 14:14:20 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> > It may or may not be your issue, but lets start by getting your
> > configuration 'typical':
> >
> > On Sun, 2017-07-23 at 01:33 +0200, mathias dufresne via samba wrote:
> > >   security = ADS
> >
> > This (security=ads) is a contradiction with:
> >
> > >   kerberos method = dedicated keytab
> > >   dedicated keytab file = /etc/krb5.keytab
> >
> > Just remove these two lines, and let Samba handle the keytab and
> > domain membership.  You do need to join the domain.
> >
> > Andrew Bartlett
> >
>
> You only need the 'dedicated keytab' line if you also need something
> else to be able to read the keytab (dovecot etc)
>
> If you are going to use a dedicated keytab, I would use 'kerberos
> method = secrets and keytab'
>
> With this in smb.conf:
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
> 'wbinfo -i username' works.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list