[Samba] Fwd: Re: Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
Edouard Guigné
eguigne at pasteur-cayenne.fr
Wed Jun 19 16:10:26 UTC 2019
Yes :)) It works finally with winbind (and without sssd)
I changed
valid users = @"utilisateurs du domaine at IPGAD.PASTEUR-CAYENNE.FR (sssd syntax)
to
valid users = @"IPGAD\utilisateurs du domaine" (winbind syntax)
And the share is accessible now with winbind only
In log, I still get NTLMv2 :
[2019/06/19 13:03:18.727014, 3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDEMAIN]\[usertest] at [mer., 19 juin 2019 13:03:18.726986 -03] with [*NTLMv2*] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:10.x.x.x:57967] became [MYDOMAIN]\[usertest] [S-1-5-21-88155730-3905377117-2757874379-2078]. local host [ipv4:10.x.x.x:445]
How can I switch to Kerberos ?
On 19/06/2019 at 12:55, Edouard Guigné wrote:
> The 2 commands work:
> # getent passwd MYDOMAIN\\usertest
> MYDOMAIN\\usertest:*:10430:14513:user TEST:/home/usertest:/bin/bash
>
> # getent group MYDOMAIN\\"Utilisateurs du domaine"
> MYDOMAIN\utilisateurs du domaine:x:14513:
>
> I have to put "Utilisateurs du domaine" instead of Domain\ Users
> because the Windows AD is a french AD.
>
>
> On 19/06/2019 at 12:32, Rowland penny via samba wrote:
>> On 19/06/2019 16:16, Edouard Guigné via samba wrote:
>>> So I re-ran the test with domain users gid 14513
>>>
>>> Still not working (sssd stopped, nsswitch.conf with "files winbind"
>>> for passwd group, # net cache flush + restart winbindd smb)
>>>
>>> On the samba server :
>>> # wbinfo -i MYDOMAIN\usertest
>>> MYDOMAIN\usertest:*:10430:*14513*:user TEST:/home/usertest:/bin/bash
>>>
>>> In log, I have :
>>>
>>> myw7worstation.log
>>> [2019/06/19 12:04:29.496822, 1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:04:34.085421, 1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:05:22.113816, 1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>> [2019/06/19 12:05:27.124307, 1] ../source3/smbd/service.c:521(make_connection_snum)
>>>   create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
>>>
>>> log.winbindd-idmap
>>> [2019/06/19 12:04:29.464431, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
>>>   tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
>>> [2019/06/19 12:04:29.464460, 1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
>>>   Error allocating a new GID
>>> [2019/06/19 12:04:29.464606, 1] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
>>>   tdb(/var/lib/samba/winbindd_idmap.tdb): tdb_transaction_commit: transaction error pending
>>> [2019/06/19 12:04:29.464622, 1] ../source3/winbindd/idmap_tdb_common.c:138(idmap_tdb_common_allocate_id)
>>>   Error allocating a new GID
>>>
>>> And when I try to mount the share manually (same syntax as the one
>>> in the logon script), I get :
>>> net use S: \\mysambaserver\groups /user:MYDOMAIN\usertest
>>> "invalid password for \\mysambaserver\groups"
>>> and System error 5
>>>
>>> In smb.conf, I set valid users = @"utilisateurs du domaine at MYDOMAIN.LOCAL"
>>> Can it be the reason ?
>>>
>>>
>> Let's start again:
>>
>> Do your users have a uidNumber attribute ?
>>
>> If so, are the contents of these uidNumber attributes, numbers inside
>> '10000-14999' ?
>>
>> Does 'Domain Users' have a gidNumber attribute containing a number
>> inside '10000-14999' ?
>>
>> Does 'getent passwd <A_DOMAIN_USER>' return output ?
>>
>> Note: Replace '<A_DOMAIN_USER>' with a valid domain username, if you
>> do not have 'winbind use default domain = yes' in smb.conf, this will
>> be in the format 'DOMAIN\\username'
>>
>> Does 'getent group Domain\ Users' return output ?
>>
>> Rowland
>>
>>
>>
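
Added example, not part of the original thread: a small parser for the "Auth:" record layout shown in the log excerpt at the top of this message, used to list which accounts and workstations are still logging on successfully with NTLM. The function names are hypothetical and the sample records are constructed; only the field layout visible in this thread is assumed.

```python
import re
from collections import Counter

# Layout of the "Auth:" record as it appears in the log excerpt in this thread.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[[^\]]*\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

def parse_auth_events(log_text):
    """Return one dict per Auth record; records may wrap across lines."""
    flat = re.sub(r"\s+", " ", log_text)  # undo wrapping before matching
    return [m.groupdict() for m in AUTH_RE.finditer(flat)]

def ntlm_logons(events):
    """Count successful NTLM-family logons per (DOMAIN\\user, workstation)."""
    hits = Counter()
    for ev in events:
        if ev["status"] == "NT_STATUS_OK" and ev["method"].upper().startswith("NTLM"):
            hits[(ev["domain"] + "\\" + ev["user"], ev["workstation"])] += 1
    return hits

# Constructed sample records (addresses, SIDs and times are made up).
SAMPLE_LOG = r"""
[2019/06/19 13:03:18.727014,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [Wed, 19 Jun 2019 13:03:18.726986 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.5:57967] became [MYDOMAIN]\[usertest] [S-1-5-21-1-2-3-2078]. local host [ipv4:10.0.0.1:445]
[2019/06/19 13:09:41.100200,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[usertest] at [Wed, 19 Jun 2019
  13:09:41.100150 -03] with [NTLMv2] status [NT_STATUS_OK]
  workstation [WORKSTATIONTEST] remote host [ipv4:10.0.0.5:57990]
[2019/06/19 13:11:02.300400,  3] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[otheruser] at [Wed, 19 Jun 2019 13:11:02.300350 -03] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [PC2] remote host [ipv4:10.0.0.6:50112]
"""

if __name__ == "__main__":
    for (account, ws), n in ntlm_logons(parse_auth_events(SAMPLE_LOG)).items():
        print(f"{account} from {ws}: {n} successful NTLM logon(s)")
```

Failed attempts are parsed but not counted, so the summary reflects only sessions that were actually established over NTLM.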