[Samba] user works on DC, not on DM
Stefan G. Weichinger
lists at xunil.at
Fri Sep 1 06:49:26 UTC 2017
Good morning (here),
At a customer we face the issue that a new user (we tested creating via
RSAT and samba-tool) can't log in to the DM server, but it works on the DC.
DM: gentoo linux, samba 4.6.7
DC: Debian 9.1, samba 4.6.7
-
on the DM "main":
main ~ # smbclient -L localhost -U hansi%Kwaksi29+
session setup failed: NT_STATUS_LOGON_FAILURE
main ~ # wbinfo -i hansi
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user hansi
main ~ # wbinfo -a hansi%Kwaksi29+
plaintext password authentication succeeded
challenge/response password authentication succeeded
main ~ # wbinfo -u | grep hansi
hansi
Sure, we restarted the daemons, even rebooted the server.
on DC:
# wbinfo -i hansi
ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false
I noticed the --------^^^^^^^ id ... and checked against the id range
on the DM:
[global]
realm = ARBEITSGRUPPE.THEIR.TLD
workgroup = ARBEITSGRUPPE
log file = /var/log/samba/%m.log
load printers = No
printcap name = /dev/null
security = ADS
username map = /etc/samba/user.map
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind use default domain = Yes
idmap config arbeitsgruppe:schema_mode = rfc2307
idmap config arbeitsgruppe:range = 10000-9999999
idmap config arbeitsgruppe:backend = ad
idmap config * : range = 2000-2999
idmap config * : backend = tdb
It was 999999 before; I increased that and restarted/rebooted the DM, no change.
The user can log in to the domain; they just can't connect to a share on
the DM (group membership is OK, we only filter for "Domain Users", and
the GPOs are applied).
Any hints? What can I provide to help you help me?
Thanks, Stefan
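
The range check described in the post, as an added example that is not part of the original message: it parses the "idmap config" lines of an smb.conf and reports which domain's range admits a given ID. The SMB_CONF text is constructed from the lines quoted above, and the helper names (parse_idmap, owners, overlaps) are hypothetical.

```python
import re

# Constructed sample: the idmap-related [global] lines quoted in the post.
SMB_CONF = """
[global]
security = ADS
idmap config arbeitsgruppe:schema_mode = rfc2307
idmap config arbeitsgruppe:range = 10000-9999999
idmap config arbeitsgruppe:backend = ad
idmap config * : range = 2000-2999
idmap config * : backend = tdb
"""

# Matches "idmap config <DOMAIN> : <option> = <value>" with optional spaces.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(part) for part in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[key] = val
    return domains

def owners(xid, domains):
    """Domains whose configured range admits this uid/gid."""
    return sorted(d for d, c in domains.items()
                  if "range" in c and c["range"][0] <= xid <= c["range"][1])

def overlaps(domains):
    """Neighbouring domain pairs whose ranges overlap (a misconfiguration)."""
    items = sorted((c["range"], d) for d, c in domains.items() if "range" in c)
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

if __name__ == "__main__":
    conf = parse_idmap(SMB_CONF)
    # 3000044 is the uid the DC reported for the user in the post.
    print("range owner of 3000044:", owners(3000044, conf))
    print("overlapping ranges:", overlaps(conf))
    # With backend = ad the range only filters IDs that winbind reads from the
    # account's uidNumber/gidNumber attributes; it does not allocate IDs.
```

A range match is necessary but not sufficient for a domain using the ad backend, because that backend only maps accounts that carry RFC2307 attributes in AD.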