[Samba] lookup_name_smbconf for <user> failed

Fri Feb 22 13:50:36 UTC 2019

On Fri, 22 Feb 2019 14:34:49 +0100
Hans Schou via samba <samba at lists.samba.org> wrote:

> Hi
> 
> I have a Red Hat 7.6 server with samba-4.8.3 which report
> lookup_name_smbconf failed when running "smbclient -L" from another
> console on the same server. smbclient works fine on an old server
> running Suse and samba version 3 and thew the
> user.
> 
> Any ideas of where to look or what to try?
> 
> I got this in the logfile:
> 
> # grep "^ " /var/log/samba/log.172.23.10.25
>   init_oplocks: initializing messages.
>   Transaction 0 of length 216 (0 toread)
>   switch message SMBnegprot (pid 25189) conn 0x0
>   Requested protocol [PC NETWORK PROGRAM 1.0]
>   Requested protocol [MICROSOFT NETWORKS 1.03]
>   Requested protocol [MICROSOFT NETWORKS 3.0]
>   Requested protocol [LANMAN1.0]
>   Requested protocol [LM1.2X002]
>   Requested protocol [DOS LANMAN2.1]
>   Requested protocol [LANMAN2.1]
>   Requested protocol [Samba]
>   Requested protocol [NT LANMAN 1.0]
>   Requested protocol [NT LM 0.12]
>   Requested protocol [SMB 2.002]
>   Requested protocol [SMB 2.???]
>   Selected protocol SMB2_FF
>   Selected protocol SMB 2.???
>   Selected protocol SMB3_11
>   Found account name from PAC: zmir2 [Hans Schou]
>   Kerberos ticket principal name is [zmir2 at ACME.COM]
>   lp_load_ex: refreshing parameters
>   Initialising global parameters
>   Processing section "[global]"
>   Processing section "[global]"
>   Processing section "[homes]"
>   Processing section "[fiks_filer]"
>   Processing section "[fikslog-b]"
>   Processing section "[tmp]"
>   adding IPC service
>   lookup_name_smbconf for ACME.DOM\zmir2 at acme.com failed
>   Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] ||
> at ../source3/smbd/smb2_sesssetup.c:137 Server exit
> (NT_STATUS_END_OF_FILE)
> 
> smb.conf:
> [global]
>         log level = 3
>         unix charset = UTF8
>         dos charset = ISO-8859-1
>         workgroup = ACME.DOM
> realm = ACME.COM

Your REALM MUST be the DNS domain in uppercase.
Your workgroup CANNOT be the same as your REALM.

>         server string = Samba %v paa %L(%h)
>         security = ads
> encrypt passwords = yes
>         kerberos method = secrets and keytab

If you are going to set the above, you also need to add:
dedicated keytab file = /etc/krb5.keytab

>         password server = srv-addc1.acme.com

You should let Samba find the 'password server', so remove the line
above.

> winbind use default domain = yes
>         idmap config ACME.DOM : backend = rid
>         idmap config ACME.DOM : range = 1000 - 999999
>         idmap config * : backend = tdb
>         idmap config * : range = 1000 - 999999

You are using the same ranges for both domains, this is not allowed,
also you really should start from a different number than '1000'
The 'ACME.DOM' should be the workgroup.

> winbind enum users = yes
> winbind enum groups = yes

Once everything is working okay, remove the two lines above.

> deadtime = 10
> winbind cache time = 10
> winbind nested groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
> client use spnego = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> ldap idmap suffix = dc=acme,dc=dk
> ldap admin dn = sn=Administrator,cn=Users,dc=acme,dc=dk
> ldap suffix = dc=acme,dc=dk

Remove the 'ldap' lines they are not used on a Unix domain member and
if they are correct, your REALM should be 'ACME.DK'

>         log file = /var/log/samba/log.%m
>         max log size = 100
>         local master = No
>         dns proxy = No
>         wins server = srv-dhcp3.acme.com

No, you don't use wins with active directory.

>         include = /etc/samba/smb.conf.%h

What is in '/etc/samba/smb.conf.%h' ?

Rowland