[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Edouard Guigné eguigne at pasteur-cayenne.fr
Wed Jun 19 16:10:26 UTC 2019


Yes  :)) It works finally with winbind (and without sssd)

I changed

valid users = @"utilisateurs du domaine@IPGAD.PASTEUR-CAYENNE.FR" (sssd syntax)

to

valid users = @"IPGAD\utilisateurs du domaine" (winbind syntax)

And the share is accessible now with winbind only

In the log, I still get NTLMv2:
[2019/06/19 13:03:18.727014,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDEMAIN]\[usertest] at [mer., 19 juin 2019 13:03:18.726986 -03] with [*NTLMv2*] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:10.x.x.x:57967] became [MYDOMAIN]\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:10.x.x.x:445]

How can I switch to Kerberos?




On 19/06/2019 at 12:55, Edouard Guigné wrote:
> The 2 commands work:
> # getent passwd MYDOMAIN\\usertest
> MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash
>
> # getent group MYDOMAIN\\"Utilisateurs du domaine"
> MYDOMAIN\utilisateurs du domaine:x:14513:
>
> I have to put "Utilisateurs du domaine" instead of Domain\ Users 
> because the Windows AD is a French AD.
>
>
> On 19/06/2019 at 12:32, Rowland penny via samba wrote:
>> On 19/06/2019 16:16, Edouard Guigné via samba wrote:
>>> So I re-ran the test with domain users gid 14513
>>>
>>> Still not working (sssd stopped, nsswitch.conf with "files winbind" 
>>> for passwd group, # net cache flush + restart winbindd smb)
>>>
>>> On the samba server :
>>> # wbinfo -i MYDOMAIN\usertest
>>> MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash
>>>
>>> In the log, I have:
>>>
>>> myw7worstation.log
>>> [2019/06/19 12:04:29.496822,  1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:04:34.085421,  1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:05:22.113816,  1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:05:27.124307,  1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>>
>>> log.winbindd-idmap
>>> [2019/06/19 12:04:29.464431,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
>>>   tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
>>> [2019/06/19 12:04:29.464460,  1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
>>>   Error allocating a new GID
>>> [2019/06/19 12:04:29.464606,  1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
>>>   tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
>>> [2019/06/19 12:04:29.464622,  1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
>>>   Error allocating a new GID
>>>
>>> And when I try to mount the share manually (same syntax as the one 
>>> in the logon script), I get:
>>> net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
>>> "invalid password for \\mysambaserver\groups"
>>> and System error 5
>>>
>>> In smb.conf, I set valid users = @"utilisateurs du domaine@MYDOMAIN.LOCAL"
>>> Can it be the reason?
>>>
>>>
>> Let's start again:
>>
>> Do your users have a uidNumber attribute ?
>>
>> If so, are the contents of these uidNumber attributes, numbers inside 
>> '10000-14999' ?
>>
>> Does 'Domain Users' have a gidNumber attribute containing a number 
>> inside '10000-14999' ?
>>
>> Does 'getent passwd <A_DOMAIN_USER>' return output ?
>>
>> Note: Replace '<A_DOMAIN_USER>' with a valid domain username, if you 
>> do not have 'winbind use default domain = yes' in smb.conf, this will 
>> be in the format 'DOMAIN\\username'
>>
>> Does 'getent group Domain\ Users' return output ?
>>
>> Rowland
>>
>>
>>
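
An added example, not part of the thread and not Samba project code: a Python script that tallies accepted NTLM logons per workstation and account from auth log records in the format quoted above, so the clients still using NTLMv2 can be listed. The sample log is constructed with placeholder values, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt above (placeholder names and
# addresses). The second Auth record is wrapped the way a mail client wraps it.
SAMPLE_LOG = r"""[2019/06/19 13:03:18.727014,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [Wed, 19 Jun 2019 13:03:18.726986 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.5:57967] became [MYDOMAIN]\[usertest] [S-1-5-21-1-2-3-2078]. local host [ipv4:10.0.0.1:445]
[2019/06/19 13:04:02.100000,  1] ../source3/smbd/service.c:521(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2019/06/19 13:05:40.500000,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [Wed, 19 Jun
2019 13:05:40.499000 -03] with [NTLMv2] status [NT_STATUS_OK]
workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.5:57970] became
[MYDOMAIN]\[usertest] [S-1-5-21-1-2-3-2078]. local host [ipv4:10.0.0.1:445]
"""

# A record starts with "[YYYY/MM/DD HH:MM:SS.usec,  level] ".
HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} [\d:.]+,\s*\d+\] ")
# Fields of the human-readable Auth line, in the order shown in the excerpt.
AUTH = re.compile(
    r"Auth: \[[^\]]*\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[[^\]]*\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

def records(text):
    """Yield one string per log record, re-joining wrapped continuation lines."""
    current = []
    for line in text.splitlines():
        if HEADER.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def ntlm_logons(text):
    """Count accepted NTLM-family logons per (workstation, DOMAIN\\user)."""
    hits = Counter()
    for rec in records(text):
        m = AUTH.search(rec)
        # strip("*") tolerates emphasis markers added when a log is pasted in mail
        if m and m["status"] == "NT_STATUS_OK" and m["mech"].strip("*").upper().startswith("NTLM"):
            hits[(m["workstation"], m["domain"] + "\\" + m["user"])] += 1
    return hits

if __name__ == "__main__":
    for (ws, acct), n in ntlm_logons(SAMPLE_LOG).items():
        print(f"{n} NTLM logon(s): {acct} from {ws}")
```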

