[Samba] lookup_name_smbconf for <user> failed
Rowland Penny
rpenny at samba.org
Fri Feb 22 13:50:36 UTC 2019
On Fri, 22 Feb 2019 14:34:49 +0100
Hans Schou via samba <samba at lists.samba.org> wrote:
> Hi
>
> I have a Red Hat 7.6 server with samba-4.8.3 which report
> lookup_name_smbconf failed when running "smbclient -L" from another
> console on the same server. smbclient works fine on an old server
> running Suse and samba version 3 and thew the
> user.
>
> Any ideas of where to look or what to try?
>
> I got this in the logfile:
>
> # grep "^ " /var/log/samba/log.172.23.10.25
> init_oplocks: initializing messages.
> Transaction 0 of length 216 (0 toread)
> switch message SMBnegprot (pid 25189) conn 0x0
> Requested protocol [PC NETWORK PROGRAM 1.0]
> Requested protocol [MICROSOFT NETWORKS 1.03]
> Requested protocol [MICROSOFT NETWORKS 3.0]
> Requested protocol [LANMAN1.0]
> Requested protocol [LM1.2X002]
> Requested protocol [DOS LANMAN2.1]
> Requested protocol [LANMAN2.1]
> Requested protocol [Samba]
> Requested protocol [NT LANMAN 1.0]
> Requested protocol [NT LM 0.12]
> Requested protocol [SMB 2.002]
> Requested protocol [SMB 2.???]
> Selected protocol SMB2_FF
> Selected protocol SMB 2.???
> Selected protocol SMB3_11
> Found account name from PAC: zmir2 [Hans Schou]
> Kerberos ticket principal name is [zmir2 at ACME.COM]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> Processing section "[global]"
> Processing section "[global]"
> Processing section "[homes]"
> Processing section "[fiks_filer]"
> Processing section "[fikslog-b]"
> Processing section "[tmp]"
> adding IPC service
> lookup_name_smbconf for ACME.DOM\zmir2 at acme.com failed
> Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] ||
> at ../source3/smbd/smb2_sesssetup.c:137 Server exit
> (NT_STATUS_END_OF_FILE)
>
> smb.conf:
> [global]
> log level = 3
> unix charset = UTF8
> dos charset = ISO-8859-1
> workgroup = ACME.DOM
> realm = ACME.COM
Your REALM MUST be the DNS domain in uppercase.
Your workgroup CANNOT be the same as your REALM.
> server string = Samba %v paa %L(%h)
> security = ads
> encrypt passwords = yes
> kerberos method = secrets and keytab
If you are going to set the above, you also need to add:
dedicated keytab file = /etc/krb5.keytab
> password server = srv-addc1.acme.com
You should let Samba find the 'password server', so remove the line
above.
> winbind use default domain = yes
> idmap config ACME.DOM : backend = rid
> idmap config ACME.DOM : range = 1000 - 999999
> idmap config * : backend = tdb
> idmap config * : range = 1000 - 999999
You are using the same ranges for both domains, this is not allowed,
also you really should start from a different number than '1000'
The 'ACME.DOM' should be the workgroup.
> winbind enum users = yes
> winbind enum groups = yes
Once everything is working okay, remove the two lines above.
> deadtime = 10
> winbind cache time = 10
> winbind nested groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
> client use spnego = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> ldap idmap suffix = dc=acme,dc=dk
> ldap admin dn = sn=Administrator,cn=Users,dc=acme,dc=dk
> ldap suffix = dc=acme,dc=dk
Remove the 'ldap' lines they are not used on a Unix domain member and
if they are correct, your REALM should be 'ACME.DK'
> log file = /var/log/samba/log.%m
> max log size = 100
> local master = No
> dns proxy = No
> wins server = srv-dhcp3.acme.com
No, you don't use wins with active directory.
> include = /etc/samba/smb.conf.%h
What is in '/etc/samba/smb.conf.%h' ?
Rowland
More information about the samba
mailing list