[Samba] Samba with AD : SID rejected
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 26 11:40:48 UTC 2019
My first guess...
You're missing one of these, I think.
apt install libpam-winbind libnss-winbind libpam-krb5
Besides that, it's exactly my setting ;-)
Oh. PS, almost.
> netbios name= share << set the hostname, but in CAPS.
Max 15 chars.
> winbind enum users = yes
> winbind enum groups = yes
Remove them, not really needed.
Just use: getent passwd/group username/groupname
Or id username
> map to guest = bad user
Remove that, that's asking for problems.
After the above changes, if you still have problems, I suggest you read:
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt
If you do exactly what's there, you have a working setup. Read it and see what's different compared to your setup.
If you think it's too difficult or too much work, fine also, then get:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
Run it and post the output.
Greetz,
Louis
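The reply above amounts to a short checklist against smb.conf: netbios name in capitals and at most 15 characters, no `winbind enum users`/`winbind enum groups`, no `map to guest`, and the PAM/NSS winbind packages installed. The script below is an added example, not code from this thread and not from Louis's howto repository: it lints the `[global]` section of a given smb.conf for exactly those points. The function names (`smb_param`, `check_smb_conf`, `missing_winbind_packages`) are my own, and the two embedded configs are constructed samples modelled on the smb.conf quoted further down, one before and one after applying the advice.

```shell
#!/bin/sh
# Added example (not from the thread): lint smb.conf [global] for the points
# raised in the reply. Function names and sample configs are constructed here.

# Print the last value set for parameter $2 in the [global] section of $1.
# Accepts "key= value" and "key = value", skips '#' and ';' comment lines.
smb_param() {
    sed -n '/^[[:space:]]*\[[Gg]lobal\]/,/^[[:space:]]*\[/p' "$1" \
      | grep -v '^[[:space:]]*[#;]' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/' \
      | awk -v key="$2" '
          { i = index($0, "=")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == tolower(key))
                v = substr($0, i + 1) }
          END { if (v != "") print v }'
}

# Print one finding per line. Exit status 0 = clean, 1 = at least one finding.
# Under "set -e" call it inside an "if" so a finding does not abort the script.
check_smb_conf() {
    file=$1
    found=0
    nb=$(smb_param "$file" "netbios name")
    if [ -n "$nb" ]; then
        [ ${#nb} -le 15 ] \
            || { echo "netbios name '$nb' is longer than 15 characters"; found=1; }
        [ "$nb" = "$(printf '%s' "$nb" | tr '[:lower:]' '[:upper:]')" ] \
            || { echo "netbios name '$nb' should be written in capitals"; found=1; }
    fi
    for p in "winbind enum users" "winbind enum groups"; do
        case "$(smb_param "$file" "$p" | tr '[:upper:]' '[:lower:]')" in
            yes|true|1) echo "'$p' is set; remove it, getent and id work without it"; found=1 ;;
        esac
    done
    mtg=$(smb_param "$file" "map to guest" | tr '[:upper:]' '[:lower:]')
    case "$mtg" in
        ""|never) ;;
        *) echo "'map to guest = $mtg' is set; remove it on a domain member"; found=1 ;;
    esac
    return $found
}

# Print the winbind/Kerberos PAM and NSS packages that are not installed
# (Debian/Ubuntu only; prints nothing where dpkg-query is unavailable).
missing_winbind_packages() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    for pkg in libpam-winbind libnss-winbind libpam-krb5; do
        dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null \
            | grep -q 'install ok installed' || echo "$pkg"
    done
}

# Constructed sample, modelled on the [global] section quoted in the thread.
BEFORE_CONF=$(mktemp)
cat > "$BEFORE_CONF" <<'EOF'
[global]
   security = ADS
   workgroup = FOO
   realm = FOO.LAB
   netbios name= share
   # idmap config lines omitted from this sample
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   map to guest = bad user

[data]
   path = /srv/data
EOF

# The same section after applying the advice from the reply.
AFTER_CONF=$(mktemp)
cat > "$AFTER_CONF" <<'EOF'
[global]
   security = ADS
   workgroup = FOO
   realm = FOO.LAB
   netbios name = SHARE
   winbind use default domain = yes
EOF
trap 'rm -f "$BEFORE_CONF" "$AFTER_CONF"' EXIT

if check_smb_conf "$BEFORE_CONF"; then
    echo "before: no findings"
else
    echo "before: fix the findings above"
fi
check_smb_conf "$AFTER_CONF" && echo "after: no findings"
missing_winbind_packages
```

To use it on a real member server, replace the sample path with /etc/samba/smb.conf; the package check is only meaningful on Debian/Ubuntu, which is where the `apt install` line in the reply applies.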
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Vincent Ducot via samba
> Sent: Friday 26 April 2019 10:40
> To: samba at lists.samba.org
> Subject: [Samba] Samba with AD : SID rejected
>
> Hello,
> I'm building a samba share with Active Directory authentication, based
> on the samba wiki documentation.
> I'm using Samba Version 4.7.6-Ubuntu (Ubuntu 18.04) and
> Windows Server 2019.
> I manually added Unix fields in my AD users' attributes (based on
> https://wiki.samba.org/index.php/Installing_RSAT#Missing_Unix_Attributes_tab_in_ADUC_on_Windows_10_and_Windows_Server_2016)
> I joined the domain correctly, I see my computer in my AD.
>
> The problem is I can't list users/groups with the getent command or get some
> info with wbinfo.
>
> The commands that work:
> wbinfo -t returns "checking the trust secret for domain FOO via RPC calls succeeded"
> wbinfo -u correctly displays users
> wbinfo -g correctly displays groups
> wbinfo -D FOO
> wbinfo -n FOO\\vincent shows me the SID
>
> but wbinfo --user-sids=<SID> returns
> failed to call wbcLookupUserSids: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get group SIDs for user SID S-1-5-21-2816186202-4468957523-2022743653-4403
>
> wbinfo -r FOO\\vincent returns
> failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get groups for user FOO\vincent
>
> I got these logs in winbindd.log:
>
> [2019/04/26 10:11:27.061645, 1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     in: struct wbint_LookupName
>       domain : *
>         domain : 'FOO'
>       name : *
>         name : 'VINCENT'
>       flags : 0x00000008 (8)
> [2019/04/26 10:11:27.061974, 1, pid=3586, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:468(ndr_print_function_debug)
>   wbint_LookupName: struct wbint_LookupName
>     out: struct wbint_LookupName
>       type : *
>         type : SID_NAME_USER (1)
>       sid : *
>         sid : S-1-5-21-2816186202-4468957523-2022743653-4403
>       result : NT_STATUS_OK
> [2019/04/26 10:11:27.062006, 3, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_queryuser.c:59(wb_queryuser_send)
>   wb_queryuser_send: My domain -- rejecting S-1-5-21-2816186202-4468957523-2022743653-4403
> [2019/04/26 10:11:27.062019, 5, pid=3586, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getgroups.c:235(winbindd_getgroups_recv)
>   Could not convert sid S-1-5-21-2816186202-4468957523-2022743653-4403: NT_STATUS_NO_SUCH_USER
>
> What am I missing?
> Thanks in advance.
>
> Vincent
> ------------------------------------------
> Here are my config files:
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = FOO.LAB
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
> kdc_timesync = 1
> ccache_type = 4
> forwardable = true
> proxiable = true
>
> [realms]
> FOO.LAB = {
> kdc = dc.test.lan
> }
>
> /etc/nsswitch.conf with
> passwd: compat winbind
> group: compat winbind
>
> /etc/samba/user.map
>
> !root = FOO\administrateur
>
> /etc/samba/smb.conf
>
> [global]
>
> security = ADS
> workgroup = FOO
> realm = FOO.LAB
> netbios name= share
>
> log file = /var/log/samba/%m.log
> log level = 10
>
> preferred master = no
> domain master = no
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> # - You must set a DOMAIN backend configuration
> # idmap config for the FOO domain
> idmap config FOO:backend = ad
> idmap config FOO:schema_mode = rfc2307
> idmap config FOO:range = 10000-999999
> idmap config FOO:unix_nss_info = yes
> idmap config FOO:unix_primary_group = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Template settings for login shell and home directory
> template shell = /bin/bash
> template homedir = /home/%U
>
> username map = /etc/samba/user.map
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind trusted domains only = yes
> winbind nss info = rfc2307
> winbind expand groups = 4
>
> server role = member server
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
>