[Samba] setting up a new ADS infrastructure

Rowland penny rpenny at samba.org
Mon Jun 24 11:56:28 UTC 2019


On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> On Mon, Jun 24, 2019 at 10:22:41AM +0100, Rowland penny via samba wrote:
>> On 24/06/2019 10:00, Stefan Froehlich via samba wrote:
>>> On Mon, Jun 24, 2019 at 10:52:07AM +0200, Stefan Froehlich via samba wrote:
>>>> <http://froehlich.priv.at/www/samba/>
>>> Always try your own links before posting them... it must be
>>> <http://froehlich.priv.at/samba/> of course, sorry.
>>>
>> No problem, I just refreshed the old page I had open ;-)
>>
>> You have this on the DC: [...]
>> And this on the fileserver: [...]
>>
>> It might help if they were both in the same subnet.
> Was a typo when migrating from my own test environment, thanks. I
> changed that (and 2 others as well), name resolution is working now.
>
>> You do not seem to be setting up a time server.
> Changed that.
>
>> At the bottom of the 'controller' page, you are creating the user
>> test, you set the '--gid-number' to '100'. I take it you got this
>> from a DC. I say this because this is the default from idmap.ldb
>> on a DC. I would use the ID for Domain Users, '10000' in your
>> case.
> Changed that as well.
>
> The "username invalid" problem remains though. Interesting observation, if I
> enter a *wrong* password I get a different error message; in the log file
> things start to be different here:
>
> | [2019/06/24 13:32:03.026596,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:32:03.026634,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism ntlmssp
> | [2019/06/24 13:32:03.026651,  3] ../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> |   Got NTLMSSP neg_flags=0x62088215
> |     NTLMSSP_NEGOTIATE_UNICODE
> |     NTLMSSP_REQUEST_TARGET
> |     NTLMSSP_NEGOTIATE_SIGN
> |     NTLMSSP_NEGOTIATE_NTLM
> |     NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> |     NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> |     NTLMSSP_NEGOTIATE_VERSION
> |     NTLMSSP_NEGOTIATE_128
> |     NTLMSSP_NEGOTIATE_KEY_EXCH
>
> Whereas with the correct password this reads:
>
> | [2019/06/24 13:33:06.220212,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220255,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism gse_krb5
> | [2019/06/24 13:33:06.220749,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220788,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220800,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220808,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220816,  5] ../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220830,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.220850,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220873,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> |   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220883,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> |   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.220890,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> |   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> | [2019/06/24 13:33:06.220898,  5] ../libcli/security/security_token.c:53(security_token_debug)
> |   Security token: (NULL)
> | [2019/06/24 13:33:06.220906,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> |   UNIX token of user 0
> |   Primary group is 0 and contains 0 supplementary groups
> | [2019/06/24 13:33:06.221934,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> |   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> | [2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> |   Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> |   Kerberos ticket principal name is [test at SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 13:33:06.222044,  4] ../source3/auth/user_util.c:375(map_username)
> |   Scanning username map /etc/samba/user.map
> | [2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user SYNTHESIS\test
> | [2019/06/24 13:33:06.222076,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is synthesis\test
> | [2019/06/24 13:33:06.222106,  5] ../source3/lib/username.c:128(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> | [2019/06/24 13:33:06.222129,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> | [2019/06/24 13:33:06.222148,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in synthesis\test
> | [2019/06/24 13:33:06.222156,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> | [2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user test
> | [2019/06/24 13:33:06.222172,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as lowercase is test
> | [2019/06/24 13:33:06.223193,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> |   Trying _Get_Pwnam(), username as uppercase is TEST
> | [2019/06/24 13:33:06.223734,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> |   Checking combinations of 0 uppercase letters in test
> | [2019/06/24 13:33:06.223755,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> |   Get_Pwnam_internals didn't find user [test]!
> | [2019/06/24 13:33:06.223970,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> |   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> | [2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> |   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> | [2019/06/24 13:33:06.224023,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> |   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
>
> I have no idea where _Get_Pwnam() tries to look up usernames, but
> it obviously fails *after* the verification of the password (how
> can this be verified without a valid username?).
>
> There must be some rather basic mistake left, I suppose, but which...
>
> Bye,
> Stefan
>
Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test' produce
output when run on the fileserver?

Rowland
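
As an added illustration (not code from the thread or from Samba), a small parser for the two smbd debug excerpts quoted above: it separates the "ticket accepted but Get_Pwnam found no Unix user" case from the NTLMSSP fallback seen with the wrong password, and lists the names Get_Pwnam tried, which are the names to check with getent on the fileserver. The embedded excerpts are constructed from the logs quoted in the thread.

```python
import re
# smbd debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER_RE = re.compile(r"^\[[\d/ :.]+,\s*\d+\]\s+\S+:\d+\((\w+)\)")

def parse_entries(text):
    """Group a smbd debug log into (function, message) pairs."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^[>|\s]+", "", raw)  # strip a pasted '> | ' quote prefix
        m = HEADER_RE.match(line)
        if m:
            entries.append([m.group(1), ""])
        elif entries and line:
            entries[-1][1] += line + " "
    return [(func, msg.strip()) for func, msg in entries]

def diagnose(text):
    """Tell 'Kerberos worked, NSS lookup failed' apart from 'no ticket presented'."""
    entries = parse_entries(text)
    funcs = {func for func, _ in entries}
    messages = " ".join(msg for _, msg in entries)
    principal = re.search(r"principal name is \[(.+?)\]", messages)
    if "kerberos_decode_pac" in funcs and "Failed to map kerberos principal" in messages:
        # The ticket was accepted; the failure is local NSS resolution (getent/winbind).
        verdict = "krb5_ok_nss_lookup_failed"
    elif "submechanism ntlmssp" in messages and "kerberos_decode_pac" not in funcs:
        verdict = "ntlmssp_no_ticket"  # no ticket presented, NTLMSSP negotiated instead
    else:
        verdict = "no_known_failure"
    return {"verdict": verdict,
            "principal": principal.group(1) if principal else None,
            "lookups_tried": re.findall(r"Finding user (\S+)", messages)}

# Constructed excerpts modelled on the two logs quoted in the thread.
KRB5_FAIL = r"""
> | [2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> |   Found account name from PAC: test [Max Mustermann]
> | [2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> |   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> | [2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user SYNTHESIS\test
> | [2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> |   Finding user test
> | [2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> |   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""
NTLM_FALLBACK = r"""
> | [2019/06/24 13:32:03.026634,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> |   Starting GENSEC submechanism ntlmssp
"""
```

Feed a whole pasted log (quote marks included) to diagnose(); a "krb5_ok_nss_lookup_failed" verdict means the DC side is fine and the fileserver's NSS/winbind configuration is where to look.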
