[Samba] setting up a new ADS infrastructure

Stefan Froehlich samba at froehlich.priv.at
Mon Jun 24 12:34:39 UTC 2019


On Mon, Jun 24, 2019 at 12:56:28PM +0100, Rowland penny via samba wrote:
> On 24/06/2019 12:41, Stefan Froehlich via samba wrote:
> >| [2019/06/24 13:33:06.220212,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220255,  5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
> >|   Starting GENSEC submechanism gse_krb5
> >| [2019/06/24 13:33:06.220749,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220788,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220800,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> >|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220808,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220816,  5] ../libcli/security/security_token.c:53(security_token_debug)
> >|   Security token: (NULL)
> >| [2019/06/24 13:33:06.220830,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.220850,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220873,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >|   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220883,  4] ../source3/smbd/uid.c:558(push_conn_ctx)
> >|   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.220890,  4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >|   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> >| [2019/06/24 13:33:06.220898,  5] ../libcli/security/security_token.c:53(security_token_debug)
> >|   Security token: (NULL)
> >| [2019/06/24 13:33:06.220906,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
> >|   UNIX token of user 0
> >|   Primary group is 0 and contains 0 supplementary groups
> >| [2019/06/24 13:33:06.221934,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >|   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> >| [2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
> >|   Found account name from PAC: test [Max Mustermann]
> >| [2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> >|   Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
> >| [2019/06/24 13:33:06.222044,  4] ../source3/auth/user_util.c:375(map_username)
> >|   Scanning username map /etc/samba/user.map
> >| [2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> >|   Finding user SYNTHESIS\test
> >| [2019/06/24 13:33:06.222076,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as lowercase is synthesis\test
> >| [2019/06/24 13:33:06.222106,  5] ../source3/lib/username.c:128(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as given is SYNTHESIS\test
> >| [2019/06/24 13:33:06.222129,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as uppercase is SYNTHESIS\TEST
> >| [2019/06/24 13:33:06.222148,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> >|   Checking combinations of 0 uppercase letters in synthesis\test
> >| [2019/06/24 13:33:06.222156,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> >|   Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
> >| [2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> >|   Finding user test
> >| [2019/06/24 13:33:06.222172,  5] ../source3/lib/username.c:120(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as lowercase is test
> >| [2019/06/24 13:33:06.223193,  5] ../source3/lib/username.c:141(Get_Pwnam_internals)
> >|   Trying _Get_Pwnam(), username as uppercase is TEST
> >| [2019/06/24 13:33:06.223734,  5] ../source3/lib/username.c:153(Get_Pwnam_internals)
> >|   Checking combinations of 0 uppercase letters in test
> >| [2019/06/24 13:33:06.223755,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
> >|   Get_Pwnam_internals didn't find user [test]!
> >| [2019/06/24 13:33:06.223970,  3] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >|   get_user_from_kerberos_info: Username SYNTHESIS\test is invalid on this system
> >| [2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
> >|   auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >| [2019/06/24 13:33:06.224023,  3] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
> >|   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
> >
> >I have no idea where _Get_Pwnam() tries to look up usernames, but
> >it obviously fails *after* the verification of the password (how
> >can this be verified without a valid username?).
> >
> >There must be some rather basic mistake left, I suppose, but which...
> >
> Does 'getent passwd test' or 'getent passwd SYNTHESIS\\test'
> produce output when run on the fileserver ?

Both of them, yes, and wbinfo(1) works as well:

| sfroehli@herakles:~$ getent passwd test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ getent passwd SYNTHESIS\\test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ wbinfo --uid-info=10001
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash
| sfroehli@herakles:~$ wbinfo --user-info=test
| test:*:10001:10000:Max Mustermann:/home/test:/bin/bash

I can also chown files to this user and pretty much everything. But
as soon as I want to connect to the server (be it "-L" or be it a
certain share) this failure occurs.

Bye,
  Stefan

-- 
Stefan, with the daft clamour of decadence.
Sloganizer, https://www.poetron-zone.de/
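
Added example, not part of the original message and not Samba code: a small Python parser that reduces an smbd level-5 log like the one quoted above to the steps smbd took while mapping the Kerberos principal to a Unix user. The sample log is constructed from the quoted excerpt; the names `records`, `summarize` and `ticket_ok_mapping_failed` are hypothetical.

```python
import re
# Constructed sample in the smbd "log level 5" layout, modelled on the excerpt quoted above.
SAMPLE = r"""
[2019/06/24 13:33:06.222005,  3] ../auth/kerberos/kerberos_pac.c:413(kerberos_decode_pac)
  Found account name from PAC: test [Max Mustermann]
[2019/06/24 13:33:06.222024,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [test@SYNTHESIS.SYNTH.INTERN]
[2019/06/24 13:33:06.222067,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user SYNTHESIS\test
[2019/06/24 13:33:06.222156,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SYNTHESIS\test]!
[2019/06/24 13:33:06.222164,  5] ../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user test
[2019/06/24 13:33:06.223755,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [test]!
[2019/06/24 13:33:06.223989,  3] ../source3/auth/auth_generic.c:147(auth3_generate_session_info_pac)
  auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
"""

HEADER = re.compile(r"^\[[^\]]+\]\s+\S+\(\w+\)\s*$")  # "[timestamp, level] file:line(function)"
PATTERNS = {
    "pac_account": r"Found account name from PAC: (\S+)",
    "principal": r"Kerberos ticket principal name is \[([^\]]+)\]",
    "lookups": r"^Finding user (.+)$",
    "not_found": r"didn't find user \[([^\]]+)\]",
    "status": r"NT_STATUS_\w+",
}

def records(text):
    """Yield one message per log record: the indented lines that follow a header line."""
    body = None
    for line in text.splitlines():
        if HEADER.match(line):
            if body is not None:
                yield " ".join(body)
            body = []
        elif body is not None and line[:1].isspace():
            body.append(line.strip())
    if body is not None:
        yield " ".join(body)

def summarize(text):
    """Collect the mapping steps in log order; flag 'PAC decoded, but no Unix user resolved'."""
    out = {key: [] for key in PATTERNS}
    for msg in records(text):
        for key, pattern in PATTERNS.items():
            out[key] += re.findall(pattern, msg)
    failed = set(out["lookups"]) <= set(out["not_found"]) and "NT_STATUS_LOGON_FAILURE" in out["status"]
    out["ticket_ok_mapping_failed"] = bool(out["pac_account"]) and failed
    return out
```

Run `summarize()` over the real log text to see which name forms smbd tried and which of them the passwd lookup rejected.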


