[Samba] Users can't mount shares on a domain member file server

MAS Jean-Louis jean-louis.mas at imag.fr
Fri Dec 18 14:15:51 UTC 2020


On 16/12/2020 at 18:25, Rowland penny via samba wrote:

> I think I might know what is the problem, but first, you do not need these:
> 
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: inetOrgPerson

Those objectClasses provide a lot of attributes we currently use, mostly 
for our Linux users.
If I delete them, I guess our users will not be able to connect to Linux 
servers, which are not part of our Samba domain but use our AD for 
authentication (with nslcd mappings).

> You have changed the primaryGroupID, why ?

Old accounts, such as mine, were created like that; most of them were 
changed to 'Domain Users' some time ago. Now my primaryGroupID is correct:

# ldbsearch --url=/var/lib/samba/private/sam.ldb -b dc=example,dc=com sAMAccountName=jlmas | grep primaryGroupID

primaryGroupID: 513

I checked our AD, and all our users have the right primaryGroupID.

> Windows expects that every user's primary group is Domain Users and now 
> it is whatever '2906' is, this is what I think your problem is. Samba 
> also requires Domain Users, though to be honest I am unsure whether it 
> requires the name or the numeric ID, but it looks like whichever it is 
> that winbind does not like this.

I have flushed the winbind cache.

Now uid and gid are OK, but unixHomeDirectory and loginShell are not:

$ getent passwd jlmas
  jlmas:*:20025:20000:MAS Jean-Louis:/home/EXAMPLE/jlmas:/bin/false

I followed all the tips in the troubleshooting page: 
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

The only wrong point came from 'net ads testjoin':

# net ads testjoin

kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for 
ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: 
An invalid parameter was passed to a service or function.
kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed for 
ldap/our-ad.example.com with user[OUR-FILESERVER$] realm[EXAMPLE.COM]: 
An invalid parameter was passed to a service or function.
Join to domain is not valid: An invalid parameter was passed to a 
service or function.

With the same command at full debug (-d 10), we got this just before the 
above logs:

gensec_update_done: gse_krb5[0x5642b959ab30]: 
NT_STATUS_INVALID_PARAMETER 
tevent_req[0x5642b95a6f70/../../source3/librpc/crypto/gse.c:843]: 
state[3] error[-7963671676338569203 (0x917B5ACDC000000D)]  state[struct 
gensec_gse_update_state (0x5642b95a7120)] timer[(nil)] 
finish[../../source3/librpc/crypto/gse.c:856]
gensec_spnego_create_negTokenInit_step: gse_krb5: creating 
NEG_TOKEN_INIT for ldap/our-ad.example.com failed (next[(null)]): 
NT_STATUS_INVALID_PARAMETER
gensec_update_done: spnego[0x5642b95a2780]: NT_STATUS_INVALID_PARAMETER 
tevent_req[0x5642b95a73d0/../../auth/gensec/spnego.c:1631]: state[3] 
error[-7963671676338569203 (0x917B5ACDC000000D)]  state[struct 
gensec_spnego_update_state (0x5642b95a7580)] timer[(nil)] 
finish[../../auth/gensec/spnego.c:2038]


Regards


-- 
Jean Louis Mas