[Samba] getpwuid failed for single user on single file share

Arne Zachlod arne at nerdkeller.org
Wed Feb 14 18:05:34 UTC 2018


Hello,

I have a problem with my samba installation I can not get my head
around, maybe some of you have a good idea about what is going on.

I have a file share called "adfs02" and an AD DC called "addc02" in the
same site. The error occurs only with this one user, and it worked until
the last password change of that user two days ago.

Here are the outputs of my test case (both done on adfs02):

root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

root@magneto:~# smbclient -L localhost -U arne@int.domain
Enter arne@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
...

root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
...

So, as we can see, the broken user is only broken on the domain member,
but not on the AD DC. How can that be? I tried deleting
/var/lib/samba/wimbindd_cache.tdb, but it didn't change anything.
I also checked all the DCs with "samba-tool checkdb", but no errors
were detected.

The configs of both addc02 and adfs02 are attached to this mail.

I would greatly appreciate any help or ideas.
Arne
-------------- next part --------------
[global]
	netbios name = ADFS02
	security = ADS
	workgroup = DOMAIN
	realm = INT.DOMAIN

	logfile = /var/log/samba/%m.log
	log level = 1

	# Default idmap config used for BUILTIN and local windows accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain DOMAIN
	idmap config DOMAIN:backend = ad
	idmap config DOMAIN:schema_mode = rfc2307
	idmap config DOMAIN:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	# fileshare options
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

# test share

[test]
	path = /srv/samba/test
	read only = no

-------------- next part --------------
# Global parameters
[global]
	workgroup = DOMAIN
	realm = int.domain
	netbios name = ADDC02
	server role = active directory domain controller
	server signing = Auto
	dns forwarder = 10.2.1.1
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /var/lib/samba/sysvol/int.domain/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

