[Samba] (no subject)

jmpatagonia jmpatagonia at gmail.com
Thu Jul 2 19:32:39 UTC 2020


OK, now from the desktop logon the user apparently logs on correctly (look at user
'policia\gafranchello' granted access in the trace below), but it still tells me
"Invalid password please try again".

Jul  2 16:15:03 samba-cliente polkitd(authority=local): Unregistered
Authentication Agent for unix-session:c6 (system bus name :1.231, object
path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
(disconnected from bus)
Jul  2 16:15:05 samba-cliente lightdm: pam_unix(lightdm:session): session
closed for user jmperrote
Jul  2 16:15:05 samba-cliente lightdm: pam_kwallet(lightdm:session):
pam_kwallet: pam_sm_close_session
Jul  2 16:15:05 samba-cliente lightdm: pam_kwallet5(lightdm:session):
pam_kwallet5: pam_sm_close_session
Jul  2 16:15:05 samba-cliente systemd-logind[635]: Removed session c6.
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet5(lightdm-greeter:setcred): (null): pam_sm_setcred
Jul  2 16:15:05 samba-cliente lightdm: pam_unix(lightdm-greeter:session):
session opened for user lightdm by (uid=0)
Jul  2 16:15:05 samba-cliente systemd-logind[635]: New session c7 of user
lightdm.
Jul  2 16:15:05 samba-cliente systemd: pam_unix(systemd-user:session):
session opened for user lightdm by (uid=0)
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet(lightdm-greeter:session): (null): pam_sm_open_session
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet(lightdm-greeter:session): pam_kwallet: open_session called
without kwallet_key
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet5(lightdm-greeter:session): (null): pam_sm_open_session
Jul  2 16:15:05 samba-cliente lightdm:
pam_kwallet5(lightdm-greeter:session): pam_kwallet5: open_session called
without kwallet5_key
Jul  2 16:15:25 samba-cliente lightdm: pam_winbind(lightdm:auth): getting
password (0x00000000)
Jul  2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user
'policia\gafranchello' granted access
Jul  2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not
identify user (from getpwnam(gafranchello))
Jul  2 16:15:31 samba-cliente dbus[653]: [system] Failed to activate
service 'org.bluez': timed out

And from the Unix console it does not work, same error:

Jul  2 16:20:41 samba-cliente sshd[13844]: Invalid user
policia\\gafranchello from 172.33.10.1
Jul  2 16:20:41 samba-cliente sshd[13844]: input_userauth_request: invalid
user policia\\\\gafranchello [preauth]
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): getting
password (0x00000000)
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7),
NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): user
'policia\gafranchello' denied access (incorrect password or invalid
membership)
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): check pass;
user unknown
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=172.33.10.1
Jul  2 16:20:45 samba-cliente sshd[13844]: Failed password for invalid user
policia\\gafranchello from 172.33.10.1 port 55002 ssh2

These commands work fine:

root@samba-cliente:/etc/samba# wbinfo -m
BUILTIN
SAMBA-CLIENTE
POLICIA

root@samba-cliente:/etc/samba# net rpc testjoin -U jmperrote
Join to 'POLICIA' is OK

root@samba-cliente:/etc/samba# net rpc info -U jmperrote
Enter jmperrote's password:
Domain Name: POLICIA
Domain SID: S-1-5-21-2536628940-703160423-1994053749
Sequence number: 1593717825
Num users: 9469
Num domain groups: 82
Num local groups: 0


root@samba-cliente:/etc/samba# wbinfo -g | grep repar
fs_dg2_repar
root@samba-cliente:/etc/samba# getent group fs_dg2_repar
fs_dg2_repar:x:10000036:

root@samba-cliente:/etc/samba# wbinfo -N samba-cliente
10.11.37.149    samba-cliente

root@samba-cliente:/etc/samba# id
uid=0(root) gid=0(root) groups=0(root),15001(BUILTIN\users)

But 'getent pass' and 'getent group' do not work; they run for several
seconds and only return local users/groups.



On Thu, 2 Jul 2020 at 15:46, Rowland penny via samba (<
samba at lists.samba.org>) wrote:

> On 02/07/2020 18:27, jmpatagonia via samba wrote:
> > 1) Does 'getent passwd policia\gafranchello' produce output when run on a
> > Unix client ?
> > If I try to log on at the Unix console
> >
> > --> auth.log
> > Jul  2 14:13:59 samba-cliente sshd[11654]: Invalid user
> > POLICIA+gafranchello from 172.33.10.1
>
> Try adding these lines to all of your Unix machines:
>
> client max protocol = NT1
> server max protocol = NT1
>
> They will force your Samba machines to use SMBv1 and you need it for an
> NT4-style domain (so yet another reason to upgrade)
>
> I take it that the machine is running headless, so can you log in via
> ssh as a Unix user and run the getent command ?
>
> Until your users are known via 'getent' or 'id', then you will not get
> Samba to work correctly.
>
> > The thing is very complex because we have various products authenticating
> > with ldap squid/git/syspass/moodle/openfire/zentyal/etc  and we have
> > modified and adapted the ldap schema with some ldap entries for these
> > products, the samba schema in the same schema (we have only one ldap
> > schema), and we interact with this via an ad hoc developed interface.
> > Changing or updating samba to samba 4 AD implies that we have to change the Unix
> > schema, recoding the interface, tests, etc. It is too much time.
> Not half as much time as you will spend if your domain totally stops
> working. Take smbldap-tools for instance, this isn't just EOL, it is
> dead and disappeared, you cannot find the source code repository
> anywhere on the internet, it is no longer maintained, so sooner or later
> it will be removed by the distros.
> > We tried once to implement samba 4 AD and noticed that the ldap schema is
> > very different from what we have, so many changes, that implies too much
> > development on the interface.
> Yes AD uses its own schema and must be extended differently from
> openldap etc, but it can be extended.
> > Now I am thinking that it is possible to make another ldap schema just for
> > samba 4 AD and continue using the other for the rest of the products, but
> > this implies redesigning the interface to update users, groups on both schemas.
> That is the problem with trying to maintain two ldap versions
> > Another question: Thinking on samba 4 AD, when a user logs on at a desktop
> > client, can it map or access directly the resources shared on the samba server, or
> > need to authenticate almost at once ? Because actually on windows clients
> > this is not needed, when a user logs on to the domain they can map or access shared
> > folders without authenticating again.
>
> In this instance, a Samba AD client or server should work like a Windows
> client or server.
>
> From the list of programs you listed above, I can not see one that
> cannot be used with Samba AD, Zentyal (for instance) now uses Samba AD.
>
> If you require help in upgrading, we are here to help you.
>
> Rowland
>
>
>

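Both traces in this message show winbind handling the account while the system's passwd lookup (getpwnam) cannot resolve it. The following Python is an added example, not part of the original post: it flags that pattern in auth.log. The sample is the message's own log entries unwrapped to one per line; the function name and finding strings are assumptions.

```python
import re

# Constructed sample: auth.log entries from the message, unwrapped to one
# entry per line as syslog writes them.
SAMPLE = r"""Jul  2 16:15:25 samba-cliente lightdm: pam_winbind(lightdm:auth): getting password (0x00000000)
Jul  2 16:15:28 samba-cliente lightdm: pam_winbind(lightdm:auth): user 'policia\gafranchello' granted access
Jul  2 16:15:28 samba-cliente lightdm: pam_unix(lightdm:account): could not identify user (from getpwnam(gafranchello))
Jul  2 16:20:41 samba-cliente sshd[13844]: Invalid user policia\\gafranchello from 172.33.10.1
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_winbind(sshd:auth): user 'policia\gafranchello' denied access (incorrect password or invalid membership)
Jul  2 16:20:43 samba-cliente sshd[13844]: pam_unix(sshd:auth): check pass; user unknown
"""

GRANTED = re.compile(r"pam_winbind\(([\w-]+):auth\): user '([^']+)' granted access")
NO_PWENT = re.compile(
    r"pam_unix\(([\w-]+):account\): could not identify user \(from getpwnam\(([^)]+)\)\)")
SSH_INVALID = re.compile(r"sshd\[(\d+)\]: Invalid user \S+ from")
SSH_DENIED = re.compile(
    r"sshd\[(\d+)\]: pam_winbind\(sshd:auth\): user '([^']+)' denied access")

def diagnose(log_text):
    """Return (service, account, finding) tuples for NSS-related login failures."""
    findings = []
    granted = {}          # PAM service -> account winbind just authenticated
    invalid_pids = set()  # sshd processes whose own passwd lookup already failed
    for line in log_text.splitlines():
        if m := GRANTED.search(line):
            granted[m[1]] = m[2]
        elif m := NO_PWENT.search(line):
            account = granted.pop(m[1], None)
            # pam_unix reports the name without the DOMAIN\ prefix.
            if account and account.split("\\")[-1] == m[2]:
                findings.append(
                    (m[1], account, "password accepted, no passwd entry via NSS"))
        elif m := SSH_INVALID.search(line):
            invalid_pids.add(m[1])
        elif (m := SSH_DENIED.search(line)) and m[1] in invalid_pids:
            # sshd hands PAM a dummy password for accounts it could not
            # resolve, so this denial does not prove the typed password was wrong.
            findings.append(
                ("sshd", m[2], "denied after sshd could not resolve the account"))
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```
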
