[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
Rowland Penny
rpenny at samba.org
Fri Mar 29 13:59:47 UTC 2019
On Fri, 29 Mar 2019 09:30:13 -0400
"Thomas, David via samba" <samba at lists.samba.org> wrote:
> I have a CentOS 7.6 server with Samba 4.8.3 configured as a member
> of an AD domain using "ads" security and the "nss" idmap backend.
>
> Clients are unable to access the shares on the server - they
> repeatedly get asked for their credentials.
>
> The smbd log shows the user authenticating and a mapping from the
> user's SID to their Unix uid is found. However, it seems that access
> is denied after Samba attempts and fails to find a mapping from the
> Domain Users group SID to a gid.
>
> This all works on another server running samba 4.4.4.
>
> smb.conf:
>
> [global]
> workgroup = TESTDOM
> netbios name = member
> realm = TESTDOM.COM
> security = ads
> username map = /etc/samba/users.map
> idmap config TESTDOM: backend = nss
> idmap config TESTDOM: range = 1000-99999
> idmap config * : backend = tdb
> idmap config * : range = 100000-200000
> winbind use default domain = Yes
> hosts allow = ALL
>
> log level = 99
>
> [projects]
> comment = Projects
> path = /projects
> read only = no
> create mask = 0775
> directory mask = 0775
> force group = defgrp
>
>
> Log:
>
> sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
> [2019/03/28 10:24:24.088770, 10, pid=31159, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
> Adding cache entry with key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-513] and timeout=[Wed Dec 31 19:00:00 1969 EST] (-1553783064 seconds in the past)
> [2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
> winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
> [2019/03/28 10:24:24.098420, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2019/03/28 10:24:24.098443, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2019/03/28 10:24:24.098465, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/28 10:24:24.098487, 5, pid=31159, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2019/03/28 10:24:24.098508, 5, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:810(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2019/03/28 10:24:24.098549, 4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/28 10:24:24.098576, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1209(legacy_sid_to_unixid)
> LEGACY: mapping failed for sid S-1-5-21-11111111-222222222-333333333-513
> [2019/03/28 10:24:24.098600, 1, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
> sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
> [2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
> create_local_token failed: NT_STATUS_NO_SUCH_USER
>
> I have also tried the following settings in the global section
> (copied from the working server), but get the same result:
>
> winbind enum users = yes
> winbind enum groups = yes
> use sendfile = Yes
> guest ok = no
> dos filetime resolution = yes
> nt acl support = no
> directory mask = 0775
> follow symlinks = yes
> wide links = yes
> unix extensions = no
> log level = 99
> lanman auth = no
> lm announce = no
> min protocol = NT1
> host msdfs = no
>
> Am I missing something?
>
> Thanks,
> David
Why are you using a winbind backend that maps Unix users to domain
users in an AD domain, when you should be making your AD users into
Unix users with a backend like the 'rid' or 'ad' ones?
As for your problem, is winbind running?
Rowland
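The two questions in the reply (is winbind answering, and can the chosen backend produce a gid for RID 513 at all) can be checked from the shell. The script below is an added example written for this page, not code from the thread or from the Samba project. It assumes POSIX sh; the sample log lines are constructed from the thread's redacted SID, so nothing in them resolves against a real domain. The arithmetic in rid_to_id is the rid backend's ID = LOW + RID - BASE_RID (base_rid defaults to 0), which is why that backend can always produce a gid for Domain Users, whereas the nss backend only succeeds if a local group with the resolved name already exists.

```shell
#!/bin/sh
# Added diagnostic helper for "winbind failed to find a gid for sid" errors.
# Not part of Samba; wbinfo is only needed for the live checks at the bottom.

# Constructed sample of the smbd log lines quoted in the thread (redacted SID).
SAMPLE_LOG='sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
LEGACY: mapping failed for sid S-1-5-21-11111111-222222222-333333333-513
sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed'

# failed_sids: read an smbd log on stdin, print each SID winbind could not
# map to a gid, de-duplicated.
failed_sids() {
    sed -n 's/.*winbind failed to find a gid for sid \(S-[0-9-]*\).*/\1/p' | sort -u
}

# rid_of: the last component of a SID (513 is the well-known Domain Users RID).
rid_of() {
    printf '%s\n' "$1" | sed 's/.*-//'
}

# rid_to_id LOW HIGH RID [BASE_RID]: the mapping idmap_rid would apply.
# Prints the Unix ID, or prints nothing and returns 1 if it falls outside
# the configured range (in which case the rid backend also fails to map it).
rid_to_id() {
    low=$1; high=$2; rid=$3; base=${4:-0}
    id=$((low + rid - base))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# Live checks, run only when a log path is given and wbinfo is installed:
#   sh idmap_check.sh /var/log/samba/log.smbd
if [ -n "${1:-}" ] && command -v wbinfo >/dev/null 2>&1; then
    # A failing ping means winbindd is not running or cannot reach a DC.
    wbinfo --ping-dc || echo "winbind did not answer: is winbindd running?"
    failed_sids < "$1" | while read -r sid; do
        echo "== $sid (RID $(rid_of "$sid"))"
        wbinfo --sid-to-name "$sid"   # resolves even when no gid exists
        wbinfo --sid-to-gid "$sid" || echo "no gid: this domain's idmap backend cannot map it"
    done
fi
```

With the thread's range of 1000-99999 and a rid backend, Domain Users would land on gid 1513, inside the range where local accounts are usually created; a range that starts well above local IDs (10000-999999 gives 10513) avoids that collision. Whatever backend is chosen, `getent group 'Domain Users'` on the member should return a gid before any share access is expected to work.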