[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
Thomas, David
dt.listmail at gmail.com
Fri Mar 29 13:30:13 UTC 2019
I have a CentOS 7.6 server with samba 4.8.3 configured as a member of
an AD domain using "ads" security and the "nss" idmap backend.
Clients are unable to access the shares on the server - they repeatedly
get asked for their credentials.
The smbd log shows the user authenticating and a mapping from the user's
SID to their unix uid is found. However, it seems that access is denied
after samba attempts and fails to find a mapping from the Domain Users
group SID to a gid.
This all works on another server running samba 4.4.4.
smb.conf:
[global]
workgroup = TESTDOM
netbios name = member
realm = TESTDOM.COM
security = ads
username map = /etc/samba/users.map
idmap config TESTDOM: backend = nss
idmap config TESTDOM: range = 1000-99999
idmap config * : backend = tdb
idmap config * : range = 100000-200000
winbind use default domain = Yes
hosts allow = ALL
log level = 99
[projects]
comment = Projects
path = /projects
read only = no
create mask = 0775
directory mask = 0775
force group = defgrp
Log:
sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[2019/03/28 10:24:24.088770, 10, pid=31159, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
Adding cache entry with
key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-513] and
timeout=[Wed Dec 31 19:00:00 1969 EST] (-1553783064 seconds in the past)
[2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:1550(sid_to_gid)
winbind failed to find a gid for sid
S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098420, 4, pid=31159, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:216(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098443, 4, pid=31159, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:491(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098465, 4, pid=31159, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098487, 5, pid=31159, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2019/03/28 10:24:24.098508, 5, pid=31159, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:810(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2019/03/28 10:24:24.098549, 4, pid=31159, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098576, 10, pid=31159, effective(0, 0), real(0, 0)]
../source3/passdb/lookup_sid.c:1209(legacy_sid_to_unixid)
LEGACY: mapping failed for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098600, 1, pid=31159, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:1024(create_token_from_sid)
sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
[2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
create_local_token failed: NT_STATUS_NO_SUCH_USER
I have also tried the following settings in the global section (copied
from the working server), but get the same result:
winbind enum users = yes
winbind enum groups = yes
use sendfile = Yes
guest ok = no
dos filetime resolution = yes
nt acl support = no
directory mask = 0775
follow symlinks = yes
wide links = yes
unix extensions = no
log level = 99
lanman auth = no
lm announce = no
min protocol = NT1
host msdfs = no
Am I missing something?
Thanks,
David
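
A triage aid for logs like the one in this message, added here as an example and not part of the original post: it correlates, per smbd pid, the SIDs that could not be mapped to a gid with the create_local_token status logged for that session. The sample log is constructed in the post's layout; triage, SAMPLE_LOG and pid 4242 are hypothetical names and values.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the smbd debug log quoted in the post.
# The pid 4242 record is made up to show a session with no mapping failure.
SAMPLE_LOG = """\
[2019/03/28 10:24:24.098600, 1, pid=31159, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:1024(create_token_from_sid)
sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
[2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
create_local_token failed: NT_STATUS_NO_SUCH_USER
[2019/03/28 10:25:01.000001, 10, pid=4242, effective(0, 0), real(0, 0),
class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
Adding cache entry with
key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-1262] and
timeout=[Thu Mar 28 10:30:01 2019 EDT] (300 seconds ahead)
"""

# One record = "[timestamp, level, pid=N, ...] file:line(function)" + message.
# Tolerates the header being wrapped across lines, as in the e-mail.
RECORD = re.compile(
    r"\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+,\s*pid=(\d+),[^\]]*\]\s*"
    r"\S+:\d+\((\w+)\)\s*(.*?)(?=\[\d{4}/\d\d/\d\d |\Z)", re.S)
SID = re.compile(r"S-1-5-21(?:-\d+){4}")  # domain SID ending in a RID
MAP_FUNCS = {"sid_to_gid", "legacy_sid_to_unixid", "create_token_from_sid"}
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def triage(log_text):
    """Return {pid: {"unmapped": {sid: label}, "status": NT_STATUS or None}}."""
    out = defaultdict(lambda: {"unmapped": {}, "status": None})
    for pid, func, msg in RECORD.findall(log_text):
        msg = " ".join(msg.split())  # undo e-mail/terminal line wrapping
        if func in MAP_FUNCS and "failed" in msg:
            for sid in SID.findall(msg):
                rid = int(sid.rsplit("-", 1)[1])
                label = WELL_KNOWN.get(rid, "RID %d" % rid)
                out[int(pid)]["unmapped"][sid] = label
        m = re.search(r"create_local_token failed: (NT_STATUS_\w+)", msg)
        if m:
            out[int(pid)]["status"] = m.group(1)
    return dict(out)  # only pids that logged a mapping or token failure

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG).items():
        print(pid, info)
```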