[Samba] user works on DC, not on DM
Rowland Penny
rpenny at samba.org
Fri Sep 1 07:17:52 UTC 2017
On Fri, 1 Sep 2017 08:49:26 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
> good morning (here)
>
> At a customer we face the issue that a new user (we tested creating
> via RSAT and samba-tool) can't log in to the DM server, but works on
> the DC.
>
> DM: gentoo linux, samba 4.6.7
> DC: Debian 9.1, samba 4.6.7
>
> -
>
> on the DM "main":
>
> main ~ # smbclient -L localhost -U hansi%Kwaksi29+
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> main ~ # wbinfo -i hansi
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user hansi
>
> main ~ # wbinfo -a hansi%Kwaksi29+
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> main ~ # wbinfo -u | grep hansi
> hansi
>
> Sure, we restarted the daemons, even rebooted the server.
>
> on DC:
>
> # wbinfo -i hansi
> ARBEITSGRUPPE\hansi:*:3000044:100::/home/ARBEITSGRUPPE/hansi:/bin/false
>
> I noticed the --------^^^^^^^ id ... and checked against the id range
> on the DM:
I noticed that these ^^^^^^^^^^^^ are xidNumbers.
xidNumbers are only used on a DC, they are NOT used anywhere else!
>
> [global]
> realm = ARBEITSGRUPPE.THEIR.TLD
> workgroup = ARBEITSGRUPPE
> log file = /var/log/samba/%m.log
> load printers = No
> printcap name = /dev/null
> security = ADS
> username map = /etc/samba/user.map
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> idmap config arbeitsgruppe:schema_mode = rfc2307
> idmap config arbeitsgruppe:range = 10000-9999999
> idmap config arbeitsgruppe:backend = ad
> idmap config * : range = 2000-2999
> idmap config * : backend = tdb
>
> it was 999999 before, I increased that and restarted/rebooted DM, no
> change.
>
> The user can log in to the domain, it only can't connect to a share on
> the DM (group membership is OK, we only filter for "Domain Users", and
> the GPOs are applied).
Have you given the user a 'uidNumber' attribute containing a unique
number inside 10000-9999999? And have you given Domain Users a
'gidNumber' attribute containing a number inside the same range? (I don't
think you have, or it wouldn't be '100' above.)
Rowland
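The two checks Rowland asks for (does the user carry a uidNumber inside the domain's idmap range, and does the primary group carry a gidNumber in that range) can be scripted against the output of ldbsearch/ldapsearch. The script below is an added example, not code from the thread or from the Samba project: it parses the `idmap config` lines of a constructed smb.conf fragment mirroring the one posted, and evaluates a constructed set of directory entries the way winbind with `backend = ad` treats them, where only the rfc2307 attributes count and the DC-only xidNumber is never consulted on a member server. The entry names and attribute values (hansi, anna, bob, unixadmins, the xidNumber/uidNumber figures) are constructed for illustration.

```python
"""Check whether AD users would be mappable by winbind on a Samba domain
member configured with 'idmap config DOM:backend = ad' (rfc2307 schema).

Added example, not part of the original thread. The smb.conf text and the
directory entries are constructed; they mirror the situation discussed:
the DC assigns an xidNumber (used only on the DC), while a domain member
using the ad backend needs a uidNumber (user) and gidNumber (primary
group) inside the configured idmap range.
"""
import re

# Constructed smb.conf fragment: the idmap-relevant lines from the thread.
SMB_CONF = """
[global]
    workgroup = ARBEITSGRUPPE
    security = ADS
    idmap config arbeitsgruppe:schema_mode = rfc2307
    idmap config arbeitsgruppe:range = 10000-9999999
    idmap config arbeitsgruppe:backend = ad
    idmap config * : range = 2000-2999
    idmap config * : backend = tdb
"""

# smb.conf tolerates whitespace around the ':' and '=' in idmap config lines.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed directory entries, as attribute dicts like ldbsearch would show.
USERS = {
    "hansi": {"xidNumber": 3000044},                      # new user: DC-only xid, no uidNumber
    "anna": {"xidNumber": 3000021, "uidNumber": 10001},   # uidNumber inside the range
    "bob": {"uidNumber": 5000},                           # uidNumber outside the range
}
GROUPS = {
    "Domain Users": {"xidNumber": 100},   # no gidNumber: members cannot be fully mapped on the DM
    "unixadmins": {"gidNumber": 10500},
}


def parse_idmap(conf):
    """Return {domain_lower: {key_lower: value}} for every 'idmap config' line."""
    cfg = {}
    for m in IDMAP_RE.finditer(conf):
        dom = cfg.setdefault(m.group("dom").lower(), {})
        dom[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(text):
    """Parse 'LOW-HIGH' into a (low, high) tuple, validating the order."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError(f"idmap range {text} has low above high")
    return lo, hi


def check_entry(attrs, attr_name, cfg, domain):
    """Return (ok, reason) describing how the ad backend would treat the entry.

    backend = ad reads only the rfc2307 attribute (uidNumber or gidNumber);
    an xidNumber assigned by the DC is irrelevant on a member server, and a
    value outside the configured range is rejected.
    """
    dom_cfg = cfg.get(domain.lower(), {})
    if dom_cfg.get("backend", "").lower() != "ad":
        return False, f"domain {domain} is not configured with backend = ad"
    lo, hi = parse_range(dom_cfg["range"])
    value = attrs.get(attr_name)
    if value is None:
        return False, (f"no {attr_name} attribute "
                       f"(xidNumber {attrs.get('xidNumber')} is DC-only)")
    if not lo <= value <= hi:
        return False, f"{attr_name} {value} outside idmap range {lo}-{hi}"
    return True, f"{attr_name} {value} inside idmap range {lo}-{hi}"


def check_user(name, cfg, domain="ARBEITSGRUPPE", primary_group="Domain Users",
               users=None, groups=None):
    """Both the user's uidNumber and the primary group's gidNumber must resolve."""
    users = USERS if users is None else users
    groups = GROUPS if groups is None else groups
    ok_u, why_u = check_entry(users[name], "uidNumber", cfg, domain)
    ok_g, why_g = check_entry(groups[primary_group], "gidNumber", cfg, domain)
    return ok_u and ok_g, f"user: {why_u}; primary group: {why_g}"


def report(cfg=None):
    """Evaluate every constructed user against the parsed configuration."""
    cfg = parse_idmap(SMB_CONF) if cfg is None else cfg
    return {name: check_user(name, cfg) for name in USERS}


if __name__ == "__main__":
    for name, (ok, why) in report().items():
        print(f"{name:6} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows all three constructed users failing: hansi for lacking a uidNumber, bob for a uidNumber below 10000, and even anna, whose uidNumber is fine, because Domain Users has no gidNumber; giving Domain Users a gidNumber inside the range is what lets a correctly provisioned user resolve on the member.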