[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Mon Jun 24 11:41:44 UTC 2019


On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
> >On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
> >><http://froehlich.priv.at/www/samba/>
> >Always try your own links before posting them... it must be
> ><http://froehlich.priv.at/samba/> of course, sorry.
> >
> No problem, I just refreshed the old page I had open ;-)
> 
> You have this on the DC: [...]
> And this on the fileserver: [...]
> 
> It might help if they were both in the same subnet.

Was a typo when migrating from my own test environment, thanks. I
changed that (and 2 others as well), name resolution is working now.

> You do not seem to be setting up a time server.

Changed that.

> At the bottom of the 'controller' page, you are creating the user
> test, you set the '--gid-number' to '100'. I take it you got this
> from a DC. I say this because this is the default from idmap.ldb
> on a DC. I would use the ID for Domain Users, '10000' in your
> case.

Changed that as well.

The "username invalid" problem remains though. Interesting observation, if I
enter a *wrong* password I get a different error message; in the log file
things start to be different here:

| [2019/06/24 13:32:03.026596,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:32:03.026634,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
|   Starting GENSEC submechanism ntlmssp
| [2019/06/24 13:32:03.026651,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
|   Got NTLMSSP neg_flags=0x62088215
|     NTLMSSP_NEGOTIATE_UNICODE
|     NTLMSSP_REQUEST_TARGET
|     NTLMSSP_NEGOTIATE_SIGN
|     NTLMSSP_NEGOTIATE_NTLM
|     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
|     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
|     NTLMSSP_NEGOTIATE_VERSION
|     NTLMSSP_NEGOTIATE_128
|     NTLMSSP_NEGOTIATE_KEY_EXCH

Whereas with the correct password this reads:

| [2019/06/24 13:33:06.220212,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.220255,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
|   Starting GENSEC submechanism gse_krb5
| [2019/06/24 13:33:06.220749,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220788,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220800,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220808,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220816,  5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2019/06/24 13:33:06.220830,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.220850,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220873,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220883,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.220890,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
| [2019/06/24 13:33:06.220898,  5] ../libcli/security/security_token.c:53(security_token_debug)
|   Security token: (NULL)
| [2019/06/24 13:33:06.220906,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
|   UNIX token of user 0
|   Primary group is 0 and contains 0 supplementary groups
| [2019/06/24 13:33:06.221934,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
| [2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
|   Found account name from PAC: test [Max Mustermann]
| [2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
|   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
| [2019/06/24 13:33:06.222044,  4] ../source3/auth/user_util.c:375(map_username)
|   Scanning username map /etc/samba/user.map
| [2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
|   Finding user SYNTHESIS\test
| [2019/06/24 13:33:06.222076,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as lowercase is synthesis\test
| [2019/06/24 13:33:06.222106,  5] ../source3/lib/username.c:128(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
| [2019/06/24 13:33:06.222129,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
| [2019/06/24 13:33:06.222148,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
|   Checking combinations of 0 uppercase letters in synthesis\test
| [2019/06/24 13:33:06.222156,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
|   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
| [2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
|   Finding user test
| [2019/06/24 13:33:06.222172,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as lowercase is test
| [2019/06/24 13:33:06.223193,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
|   Trying _Get_Pwnam(), username as uppercase is TEST
| [2019/06/24 13:33:06.223734,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
|   Checking combinations of 0 uppercase letters in test
| [2019/06/24 13:33:06.223755,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
|   Get_Pwnam_internals didn't find user [test]!
| [2019/06/24 13:33:06.223970,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
| [2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
| [2019/06/24 13:33:06.224023,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137

I have no idea where _Get_Pwnam() tries to look up usernames, but
it obviously fails *after* the verification of the password (how
can this be verified without a valid username?).

There must be some rather basic mistake left, I suppose, but which...

Bye,
Stefan

-- 
Stefan - Liebe, die nimmerdar aalt.
Sloganizer, https://www.poetron-zone.de/
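An added example, not code from Stefan's message or from the Samba project: a small Python triage over the smbd debug lines quoted above. It separates the two stages visible in the log. First, gse_krb5 decodes a PAC out of the service ticket, which smbd can only do after decrypting the ticket with its own keytab entry, so the password was already verified by the KDC before any Unix username was needed. Second, get_user_from_kerberos_info hands the name to Get_Pwnam, Samba's wrapper around libc getpwnam(3); that call goes through NSS (/etc/nsswitch.conf) and, on a domain member, winbind, which is where the lookup of SYNTHESIS\test fails here. The sample logs are constructed from the excerpts in the message (quote prefix removed, unrelated lines dropped); the verdict codes are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the correct-password attempt, keyed lines only.
SAMPLE_KRB5 = """\
[2019/06/24 13:33:06.220255,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: test [Max Mustermann]
[2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
[2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user SYNTHESIS\\test
[2019/06/24 13:33:06.222156,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SYNTHESIS\\test]!
[2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user test
[2019/06/24 13:33:06.223755,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [test]!
[2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2019/06/24 13:33:06.224023,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
"""

# Constructed sample: the wrong-password attempt, where the client offered NTLMSSP.
SAMPLE_NTLM = """\
[2019/06/24 13:32:03.026634,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
  Starting GENSEC submechanism ntlmssp
[2019/06/24 13:32:03.026651,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
"""

# smbd debug format: "[timestamp, level] file:line(function)" then indented message lines.
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)\s*$")


@dataclass
class Record:
    level: int
    func: str
    message: str = ""


def parse_smbd_log(text: str) -> List[Record]:
    """Group smbd debug output into (function, message) records."""
    records: List[Record] = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append(Record(int(m["level"]), m["func"]))
        elif records and raw.strip():
            records[-1].message = (records[-1].message + " " + raw.strip()).strip()
    return records


@dataclass
class SessionSetup:
    mechanism: Optional[str] = None      # GENSEC submechanism: gse_krb5, ntlmssp, ...
    pac_account: Optional[str] = None    # account name carried in the PAC
    principal: Optional[str] = None      # Kerberos client principal
    lookups: List[str] = field(default_factory=list)    # names handed to getpwnam()
    not_found: List[str] = field(default_factory=list)
    status: Optional[str] = None         # last NT_STATUS seen

    @property
    def ticket_verified(self) -> bool:
        # A PAC is only decoded from a ticket smbd decrypted with its own key, so
        # a PAC account name means the Kerberos step (and the password) passed.
        return self.pac_account is not None


def triage(records: List[Record]) -> SessionSetup:
    """Pull the session-setup milestones out of the parsed records."""
    s = SessionSetup()
    for r in records:
        if r.func == "gensec_start_mech":
            m = re.search(r"submechanism (\S+)", r.message)
            s.mechanism = m.group(1) if m else s.mechanism
        elif r.func == "kerberos_decode_pac":
            m = re.search(r"Found account name from PAC: (\S+)", r.message)
            s.pac_account = m.group(1) if m else s.pac_account
        elif r.func == "get_user_from_kerberos_info":
            m = re.search(r"principal name is \[([^\]]+)\]", r.message)
            s.principal = m.group(1) if m else s.principal
        elif r.func == "Get_Pwnam_alloc":
            m = re.search(r"Finding user (\S+)", r.message)
            if m:
                s.lookups.append(m.group(1))
        elif r.func == "Get_Pwnam_internals":
            m = re.search(r"didn't find user \[([^\]]+)\]", r.message)
            if m:
                s.not_found.append(m.group(1))
        m = re.search(r"(NT_STATUS_[A-Z_]+)", r.message)
        if m:
            s.status = m.group(1)
    return s


def diagnose(s: SessionSetup) -> Tuple[str, str]:
    """Return (verdict code, explanation) for one session setup."""
    if s.mechanism is None:
        return "NO_SESSION_SETUP", "no GENSEC mechanism start in this excerpt"
    if s.mechanism == "ntlmssp":
        return "NTLMSSP_NEGOTIATED", ("client presented no Kerberos ticket; the password "
                                      f"is checked over NTLM (final status: {s.status})")
    if not s.ticket_verified:
        return "KRB5_TICKET_REJECTED", f"gse_krb5 started but no PAC was decoded ({s.status})"
    if s.lookups and set(s.lookups) <= set(s.not_found):
        return "KRB5_OK_NSS_LOOKUP_FAILED", (
            f"ticket for {s.principal} verified (PAC account {s.pac_account}), but getpwnam() "
            f"resolved none of {s.lookups}; fix NSS/winbind on the member, not the password")
    return "KRB5_OK_USER_MAPPED", f"{s.principal} mapped to a Unix account ({s.status})"


if __name__ == "__main__":
    for name, sample in (("correct password", SAMPLE_KRB5), ("wrong password", SAMPLE_NTLM)):
        code, why = diagnose(triage(parse_smbd_log(sample)))
        print(f"{name}: {code}: {why}")
```

On the file server itself the same distinction is made by hand with `getent passwd 'SYNTHESIS\test'` and `wbinfo -i 'SYNTHESIS\test'`: if wbinfo resolves the user but getent returns nothing, winbindd is fine and the `passwd:` and `group:` lines in /etc/nsswitch.conf are missing `winbind`, which is exactly the path _Get_Pwnam() walks.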