[Samba] Samba login failure: getpwuid failed
Rowland Penny
rpenny at samba.org
Sun May 7 14:34:36 UTC 2017
On Sun, 7 May 2017 09:04:25 -0500
Michael Schwager via samba <samba at lists.samba.org> wrote:
> Hello,
> I cannot access a remote drive using Windows or smbclient; my
> authentication appears successful according to the samba log file, but
> `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3. The logfile
> shows:
>
> [2017/05/06 22:57:48.729284, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [developer_prod]
> -> [developer_prod] -> [developer_prod] succeeded
> [2017/05/06 22:57:48.731091, 1]
> ../source3/auth/token_util.c:430(add_local_groups)
> SID S-1-5-21-4007675785-2624567327-467545301-1000 ->
> getpwuid(16777216) failed
> [2017/05/06 22:57:48.731164, 1]
> ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for
> session setup: NT_STATUS_UNSUCCESSFUL
>
> Strangely, the SID corresponds to a local user:
>
> # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
> NY4010\developer_prod 1
>
> (ny4010 is my samba server machine) Even though on the client I am
> logging in using a domain user:
>
> $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release
> 'password' session setup failed: NT_STATUS_UNSUCCESSFUL
>
> Here is my smb.conf file:
>
> [global]
> workgroup = MYDOMAIN
> password server = my_domain_server.mydomain.local
> realm = MYDOMAIN.LOCAL
> security = ads
> idmap config * : range = 16777216-33554431
> template homedir = /home/%U
> template shell = /bin/bash
> kerberos method = secrets only
> winbind use default domain = true
> winbind offline logon = false
> log level = 2
> encrypt passwords = yes
> unix extensions = no
> server string = Samba Server Version %v
> log file = /var/log/samba/log.%m
> max log size = 50
> security = ads
> passdb backend = tdbsam
> realm = MYDOMAIN.LOCAL
> password server = my_domain_server.mydomain.local
> local master = no
> [homes]
> comment = Home Directories
> browseable = no
> writable = yes
> [release]
> comment = Shared directory: /prod
> path = /prod
> browseable = yes
> read only = no
> valid users = developer_prod
> guest ok = yes
> public = yes
> follow symlinks = yes
> wide links = yes
> force user = developer_prod
> [log]
> comment = Shared directory: /prod/log
> path = /prod/log
> browseable = yes
> read only = yes
> guest ok = yes
> public = yes
>
> My nsswitch.conf file looks like:
> passwd: files winbind
>
> I think the smoking gun here is that a local user's SID is showing up
> in that "getpwuid() failed" line...
>
> Thanks.

Are you using sssd? If so, then remove 'winbind' from the 'passwd' line
in /etc/nsswitch.conf and put back the 'sss' that you must have removed.
Remove winbind and then go and ask on the sssd-users mailing list; you
cannot use sssd and winbind.

If, however, you are not using sssd, then add winbind to the group line
in /etc/nsswitch.conf, then make [global] in smb.conf look like this:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
server string = Samba Server Version %v
security = ads
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
log level = 2
unix extensions = no
log file = /var/log/samba/log.%m
max log size = 50
local master = no
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Rowland
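
An added example (not part of the original thread and not Samba tooling): a small Python check that reads the `idmap config` lines of an smb.conf, reports overlapping ID ranges, which the comment in the suggested config warns against, and shows which domain's range a given Unix ID, such as the 16777216 from the log, falls into. The function names and the CLASHING sample are constructed for illustration.

```python
import re
from itertools import combinations

# Matches "idmap config DOMAIN : key = value"; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str or None, "range": (low, high) or None}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines ('#', ';') never match
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {"backend": None, "range": None})
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        elif key == "backend":
            entry["backend"] = val
    return domains

def overlaps(domains):
    """Return pairs of domain names whose configured ID ranges intersect."""
    ranged = [(d, e["range"]) for d, e in domains.items() if e["range"]]
    return sorted((a, b) for (a, ra), (b, rb) in combinations(ranged, 2)
                  if ra[0] <= rb[1] and rb[0] <= ra[1])

def owner_of(domains, unix_id):
    """Return the domains whose configured range contains unix_id."""
    return [d for d, e in domains.items()
            if e["range"] and e["range"][0] <= unix_id <= e["range"][1]]

# Constructed samples: the idmap lines from the two configs in the thread,
# plus a hypothetical variant whose ranges clash.
ORIGINAL = "idmap config * : range = 16777216-33554431\n"
SUGGESTED = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-999999
"""
CLASHING = SUGGESTED.replace("10000-999999", "5000-999999")

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("suggested", SUGGESTED), ("clashing", CLASHING)):
        d = parse_idmap(text)
        print(name, "overlaps:", overlaps(d), "owner of 16777216:", owner_of(d, 16777216))
```
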