[Samba] Understanding ID mapping between a campus AD and a local LDAP
Jonathon A Anderson
jonathon.anderson at colorado.edu
Tue Mar 23 23:48:34 UTC 2021
This was still unsuccessful, but hopefully this is enough information for us to figure out what I'm doing wrong.
Forgive the redactions; I hope they don't get in the way, but if they do, let me know. In general, if I'm using the same string as a redaction, the values are the same.
First, here's my record in AD. (There's more to it, of course, but I think these are the relevant bits.)
-
[root at opsdev1 ~]# ldapsearch -LLL -x -H ldap://ad.[redacted]:389 -b ou=people,dc=ad,dc=[redacted] -D 'AD\[myusername]' -W '(sAMAccountName=[myusername])' CN sAMAccountName uidNumber
Enter LDAP Password:
dn: CN=[myusername],OU=People,DC=ad,DC=[redacted]
cn: [myusername]
sAMAccountName: [myusername]
uidNumber: 416810
-
Then here's my identity as seen via NSS on my test server:
-
[root at opsdev1 ~]# id [myusername]
uid=999999([myusername]) gid=416810([myusername]pgrp) groups=[redacted group list]
[root at opsdev1 ~]# getent passwd [myusername]
[myusername]:*:999999:416810:Jonathon Anderson,,,:/home/[myusername]:/bin/bash
[root at opsdev1 ~]# getent passwd 999999
[myusername]:*:999999:416810:Jonathon Anderson,,,:/home/[myusername]:/bin/bash
-
Finally, here's my new [global] section. I added an idmap config * section, and disabled winbind use default domain.
-
[global]
dns proxy = no
encrypt passwords = yes
kerberos method = system keytab
load printers = no
map to guest = Bad User
max log size = 5000
passdb backend = tdbsam
password server = *
realm = AD.[redacted]
restrict anonymous = 2
security = ADS
server string = %h samba
workgroup = AD
dos charset = CP850
unix charset = UTF-8
idmap config * : backend = tdb
idmap config * : range = 20000001-20001000
idmap config AD : backend = nss
idmap config AD : range = 1000-20000000
winbind enum groups = yes
winbind enum users = yes
winbind expand groups = 1
winbind use default domain = no
log level = 3
-
I started tailing all the Samba logs, and then tried to log in once, as AD\[myusername], via macOS Finder. Those logs are included below. I particularly note that it says authentication succeeded, but it's still trying to use 416810 (the uidNumber from AD) to look me up in NSS, rather than [myusername] or the uidNumber from NSS.
Thank you both so much for helping me out.
-
[root at opsdev1 ~]# tail -F /var/log/samba/log.* -n0
==> /var/log/samba/log.smbd <==
==> /var/log/samba/log.wb-AD <==
==> /var/log/samba/log.wb-BUILTIN <==
==> /var/log/samba/log.wb-OPSDEV1 <==
==> /var/log/samba/log.winbindd <==
==> /var/log/samba/log.winbindd-dc-connect <==
==> /var/log/samba/log.winbindd-idmap <==
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:20.396730, 2] ../../source3/lib/tallocmsg.c:87(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2021/03/23 15:53:20.397310, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 172.21.35.68 (172.21.35.68)
[2021/03/23 15:53:20.398941, 3] ../../source3/smbd/oplock.c:1413(init_oplocks)
init_oplocks: initializing messages.
[2021/03/23 15:53:20.556493, 3] ../../source3/smbd/server_exit.c:250(exit_server_common)
Server exit (failed to receive smb request)
[2021/03/23 15:53:20.583297, 2] ../../source3/lib/tallocmsg.c:87(register_msg_pool_usage)
Registered MSG_REQ_POOL_USAGE
[2021/03/23 15:53:20.583804, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 172.21.35.68 (172.21.35.68)
[2021/03/23 15:53:20.585007, 3] ../../source3/smbd/oplock.c:1413(init_oplocks)
init_oplocks: initializing messages.
[2021/03/23 15:53:20.585233, 3] ../../source3/smbd/process.c:1958(process_smb)
Transaction 0 of length 73 (0 toread)
[2021/03/23 15:53:20.585334, 3] ../../source3/smbd/process.c:1550(switch_message)
switch message SMBnegprot (pid 25399) conn 0x0
[2021/03/23 15:53:20.586231, 3] ../../source3/smbd/negprot.c:637(reply_negprot)
Requested protocol [NT LM 0.12]
[2021/03/23 15:53:20.586321, 3] ../../source3/smbd/negprot.c:637(reply_negprot)
Requested protocol [SMB 2.002]
[2021/03/23 15:53:20.586357, 3] ../../source3/smbd/negprot.c:637(reply_negprot)
Requested protocol [SMB 2.???]
[2021/03/23 15:53:20.587126, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2021/03/23 15:53:20.591372, 3] ../../source3/smbd/negprot.c:776(reply_negprot)
Selected protocol SMB 2.???
[2021/03/23 15:53:20.619939, 3] ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2021/03/23 15:53:36.427821, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:36.533696, 3] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:36.533880, 3] ../../source3/param/loadparm.c:3933(lp_load_ex)
lp_load_ex: refreshing parameters
[2021/03/23 15:53:36.534044, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2021/03/23 15:53:36.534255, 3] ../../source3/param/loadparm.c:2845(lp_do_section)
Processing section "[global]"
[2021/03/23 15:53:36.534323, 1] ../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:36.534808, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[dds_template]"
[2021/03/23 15:53:36.535384, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:36.535518, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:36.535547, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[pl_active_template]"
[2021/03/23 15:53:36.535617, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:36.535659, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:36.535677, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rcops_samba]"
[2021/03/23 15:53:36.535808, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[local_rcops]"
[2021/03/23 15:53:36.535852, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.535930, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rittger_esp_public]"
[2021/03/23 15:53:36.535959, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.536031, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[PLT1]"
[2021/03/23 15:53:36.536091, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service dds_template
[2021/03/23 15:53:36.536193, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:36.536224, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.536367, 3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
adding IPC service
[2021/03/23 15:53:36.536471, 3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:36.536530, 3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.540433, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
winbindd_interface_version: [smbd (25399)]: request interface version (version = 31)
[2021/03/23 15:53:36.541554, 3] ../../source3/winbindd/winbindd_misc.c:470(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [smbd (25399)]: request location of privileged pipe
[2021/03/23 15:53:36.541654, 3] ../../source3/winbindd/winbindd_misc.c:483(winbindd_priv_pipe_dir)
winbindd_priv_pipe_dir: [smbd (25399)]: response location of privileged pipe: (null)
[2021/03/23 15:53:36.542424, 3] ../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
[25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:36.542923, 3] ../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
[25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:36.548869, 3] ../../source3/winbindd/winbindd_ads.c:1332(sequence_number)
ads: fetch sequence_number for AD
[2021/03/23 15:53:36.549148, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.550058, 3] ../../source3/libads/ldap.c:654(ads_connect)
Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.550190, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.551119, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.553288, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.554009, 3] ../../source3/libads/ldap.c:654(ads_connect)
Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.554135, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.554917, 3] ../../source3/libsmb/namequery.c:3126(get_dc_list)
get_dc_list: preferred server list: "DC14.ad.[redacted], *"
[2021/03/23 15:53:36.557417, 3] ../../source3/libads/ldap.c:654(ads_connect)
Successfully contacted LDAP server 128.138.129.119
[2021/03/23 15:53:36.557584, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
Connecting to 128.138.129.119 at port 389
[2021/03/23 15:53:36.571646, 3] ../../source3/libads/ldap.c:697(ads_connect)
Connected to LDAP server DC14.ad.[redacted]
[2021/03/23 15:53:36.572951, 3] ../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
[2021/03/23 15:53:36.573003, 3] ../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2021/03/23 15:53:36.573023, 3] ../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2021/03/23 15:53:36.573041, 3] ../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2021/03/23 15:53:36.573058, 3] ../../source3/libads/sasl.c:714(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2021/03/23 15:53:36.599130, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:36.599087 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [unix:] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
{"timestamp": "2021-03-23T15:53:36.599307-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "e93854666071091a", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, smbd, 25376", "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 56471}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.612364, 3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [[myusername]] succeeded
[2021/03/23 15:53:36.612509, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:36.612475 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [ipv4:10.225.160.143:445]
{"timestamp": "2021-03-23T15:53:36.612638-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.225.160.143:445", "remoteAddress": "ipv4:172.21.35.68:58480", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": "[myusername]", "mappedDomain": "AD", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 185135}}
[2021/03/23 15:53:36.612714, 2] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [[myusername]] -> [[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.612993, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.627656, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.627834, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:36.627944, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.627972, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:36.628057, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.628083, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.628673, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.629480, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.629561, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:36.629618, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:36.750201, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:36.856860, 3] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:36.856980, 3] ../../source3/param/loadparm.c:3933(lp_load_ex)
lp_load_ex: refreshing parameters
[2021/03/23 15:53:36.857082, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2021/03/23 15:53:36.857239, 3] ../../source3/param/loadparm.c:2845(lp_do_section)
Processing section "[global]"
[2021/03/23 15:53:36.857285, 1] ../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:36.857715, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[dds_template]"
[2021/03/23 15:53:36.858315, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:36.858394, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:36.858418, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[pl_active_template]"
[2021/03/23 15:53:36.858491, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:36.858531, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:36.858550, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rcops_samba]"
[2021/03/23 15:53:36.858664, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[local_rcops]"
[2021/03/23 15:53:36.858700, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.858798, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rittger_esp_public]"
[2021/03/23 15:53:36.858843, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.858928, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[PLT1]"
[2021/03/23 15:53:36.858971, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service dds_template
[2021/03/23 15:53:36.859094, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:36.859128, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:36.859253, 3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
adding IPC service
[2021/03/23 15:53:36.859298, 3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:36.859321, 3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.859535, 3] ../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
[25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:36.862566, 3] ../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
[25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:36.868628, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:36.868597 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [unix:] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
{"timestamp": "2021-03-23T15:53:36.868729-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "e292e8463b652ba3", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, smbd, 25376", "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 6198}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.870404, 3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [[myusername]] succeeded
[2021/03/23 15:53:36.870539, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:36.870516 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [ipv4:10.225.160.143:445]
{"timestamp": "2021-03-23T15:53:36.870611-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.225.160.143:445", "remoteAddress": "ipv4:172.21.35.68:58480", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": "[myusername]", "mappedDomain": "AD", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 120648}}
[2021/03/23 15:53:36.870687, 2] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [[myusername]] -> [[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.870986, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.871984, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.872097, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:36.872159, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.872192, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:36.872270, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:36.872296, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:36.872981, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:36.874006, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.874122, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:36.874174, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:36.960852, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2021/03/23 15:53:37.046383, 3] ../../auth/ntlmssp/ntlmssp_server.c:513(ntlmssp_server_preauth)
Got user=[[myusername]] domain=[AD] workstation=[CRIPPS2] len1=24 len2=286
[2021/03/23 15:53:37.046819, 3] ../../source3/param/loadparm.c:3933(lp_load_ex)
lp_load_ex: refreshing parameters
[2021/03/23 15:53:37.046925, 3] ../../source3/param/loadparm.c:550(init_globals)
Initialising global parameters
[2021/03/23 15:53:37.047078, 3] ../../source3/param/loadparm.c:2845(lp_do_section)
Processing section "[global]"
[2021/03/23 15:53:37.047126, 1] ../../lib/param/loadparm.c:1853(lpcfg_do_global_parameter)
WARNING: The "encrypt passwords" option is deprecated
[2021/03/23 15:53:37.047577, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[dds_template]"
[2021/03/23 15:53:37.048228, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service dds_template - making it unavailable!
[2021/03/23 15:53:37.048313, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service dds_template is flagged unavailable.
[2021/03/23 15:53:37.048344, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[pl_active_template]"
[2021/03/23 15:53:37.048411, 0] ../../lib/param/loadparm.c:1033(lpcfg_service_ok)
WARNING: No path in service pl_active_template - making it unavailable!
[2021/03/23 15:53:37.048455, 1] ../../lib/param/loadparm.c:1039(lpcfg_service_ok)
NOTE: Service pl_active_template is flagged unavailable.
[2021/03/23 15:53:37.048483, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rcops_samba]"
[2021/03/23 15:53:37.048583, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[local_rcops]"
[2021/03/23 15:53:37.048619, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:37.048700, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[rittger_esp_public]"
[2021/03/23 15:53:37.048731, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:37.048835, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[PLT1]"
[2021/03/23 15:53:37.048882, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service dds_template
[2021/03/23 15:53:37.048992, 2] ../../source3/param/loadparm.c:2862(lp_do_section)
Processing section "[kk-ataqdisk]"
[2021/03/23 15:53:37.049028, 3] ../../lib/param/loadparm.c:1227(handle_copy)
Copying service from service pl_active_template
[2021/03/23 15:53:37.049168, 3] ../../source3/param/loadparm.c:1646(lp_add_ipc)
adding IPC service
[2021/03/23 15:53:37.049220, 3] ../../source3/auth/auth.c:201(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [AD]\[[myusername]]@[CRIPPS2] with the new password interface
[2021/03/23 15:53:37.049245, 3] ../../source3/auth/auth.c:204(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AD]\[[myusername]]@[CRIPPS2]
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.050234, 3] ../../source3/winbindd/winbindd_pam_auth_crap.c:113(winbindd_pam_auth_crap_send)
[25399]: pam auth crap domain: [AD] user: [myusername]
==> /var/log/samba/log.wb-AD <==
[2021/03/23 15:53:37.050438, 3] ../../source3/winbindd/winbindd_pam.c:2684(winbindd_dual_pam_auth_crap)
[25376]: pam auth crap domain: AD user: [myusername]
[2021/03/23 15:53:37.056128, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [winbind,NTLM_AUTH, smbd, 25376] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:37.056099 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [unix:] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [unix:]
{"timestamp": "2021-03-23T15:53:37.056210-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "81a0c835895a3c5b", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress": "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH, smbd, 25376", "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 5797}}
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.057498, 3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
auth_check_ntlm_password: winbind authentication for user [[myusername]] succeeded
[2021/03/23 15:53:37.057614, 3] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [AD]\[[myusername]] at [Tue, 23 Mar 2021 15:53:37.057593 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [CRIPPS2] remote host [ipv4:172.21.35.68:58480] became [AD]\[[myusername]] [S-1-5-21-1275210071-492894223-682003330-475493]. local host [ipv4:10.225.160.143:445]
{"timestamp": "2021-03-23T15:53:37.057673-0600", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.225.160.143:445", "remoteAddress": "ipv4:172.21.35.68:58480", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "AD", "clientAccount": "[myusername]", "workstation": "CRIPPS2", "becameAccount": "[myusername]", "becameDomain": "AD", "becameSid": "S-1-5-21-1275210071-492894223-682003330-475493", "mappedAccount": "[myusername]", "mappedDomain": "AD", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 97055}}
[2021/03/23 15:53:37.057740, 2] ../../source3/auth/auth.c:329(auth_check_ntlm_password)
check_ntlm_password: authentication for user [[myusername]] -> [[myusername]] -> [[myusername]] succeeded
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.058160, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.059082, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:37.059165, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:37.059217, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:37.059238, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2021/03/23 15:53:37.059309, 3] ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2021/03/23 15:53:37.059332, 3] ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
==> /var/log/samba/log.winbindd <==
[2021/03/23 15:53:37.059918, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
winbindd_ping: [smbd (25399)]: ping
==> /var/log/samba/log.smbd <==
[2021/03/23 15:53:37.060744, 0] ../../source3/auth/token_util.c:567(add_local_groups)
add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:37.060851, 3] ../../source3/auth/token_util.c:403(create_local_nt_token_from_info3)
Failed to add local groups
[2021/03/23 15:53:37.060894, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2021/03/23 15:53:38.621345, 3] ../../source3/smbd/server_exit.c:250(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland penny via samba <samba at lists.samba.org>
Sent: Tuesday, March 23, 2021 3:07 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Understanding ID mapping between a campus AD and a local LDAP
On 23/03/2021 21:02, Jonathon A Anderson via samba wrote:
> This is encouraging! I'm going to try again with
>
> winbind use default domain = no
>
> and see if it works. If it doesn't I'll send some shell logs and Samba logs.
>
> ~jonathon
>
don't forget to add the 'idmap config *' lines as well.
Rowland
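The thread above compares three views of one account (the uidNumber stored in AD, the uid that NSS returns, and the uid smbd actually passed to getpwuid() according to its log) and Rowland's reply adds the `idmap config *` range to the mix. The following triage script is an added example, not code from the thread or from the Samba project: it parses constructed copies of those four artifacts (an LDIF record, a `getent passwd` line, the idmap lines of smb.conf, and smbd log lines shaped like the ones posted) and reports where the sources disagree. The username `jdoe`, the `DC=example` suffix and the GECOS field are constructed placeholders; the SID and uid values are the ones that appear in the thread.

```python
"""Triage helper for a Samba ID-mapping mismatch (added example, not from the thread).

Cross-checks the uidNumber stored in AD, the uid NSS returns, and the uid smbd
tried in getpwuid() according to its log, and attributes each uid to the idmap
range that owns it in smb.conf. Also flags overlapping idmap ranges, which
Samba does not allow.
"""
import re

# --- Constructed sample inputs, shaped like the data in the thread ---
AD_LDIF = """dn: CN=jdoe,OU=People,DC=ad,DC=example
cn: jdoe
sAMAccountName: jdoe
uidNumber: 416810
"""
NSS_PASSWD = "jdoe:*:999999:416810:J. Doe,,,:/home/jdoe:/bin/bash"
SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 20000001-20001000
idmap config AD : backend = nss
idmap config AD : range = 1000-20000000
"""
SMBD_LOG = """[2021/03/23 15:53:36.612364, 3] ../../source3/auth/auth.c:268(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [jdoe] succeeded
[2021/03/23 15:53:36.627656, 0] ../../source3/auth/token_util.c:567(add_local_groups)
  add_local_groups: SID S-1-5-21-1275210071-492894223-682003330-475493 -> getpwuid(416810) failed, is nsswitch configured?
[2021/03/23 15:53:36.629618, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE]
"""


def ldif_attr(ldif, attr):
    """Return the first value of `attr` in an LDIF record, or None."""
    m = re.search(rf"^{re.escape(attr)}: (.+)$", ldif, re.M)
    return m.group(1).strip() if m else None


def parse_passwd(line):
    """Split one `getent passwd` line into name, uid and gid."""
    name, _pw, uid, gid, _gecos, _home, _shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid)}


GETPWUID_FAIL = re.compile(
    r"add_local_groups: SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")


def getpwuid_failures(log):
    """Every (SID, uid) pair smbd reported as a failed getpwuid() lookup."""
    return [(sid, int(uid)) for sid, uid in GETPWUID_FAIL.findall(log)]


RANGE_LINE = re.compile(
    r"^\s*idmap config (\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M)


def idmap_ranges(conf):
    """Map each idmap domain in smb.conf to its (low, high) uid range."""
    return {dom: (int(lo), int(hi)) for dom, lo, hi in RANGE_LINE.findall(conf)}


def overlapping_ranges(ranges):
    """Pairs of domains whose idmap ranges overlap (Samba rejects these)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:])
            if blo <= ahi]


def range_owner(ranges, uid):
    """Which configured idmap range a uid falls into, or None."""
    for dom, (lo, hi) in ranges.items():
        if lo <= uid <= hi:
            return dom
    return None


def diagnose(ldif, passwd_line, conf, log):
    """Compare AD, NSS and smbd's view of the account and list disagreements."""
    ad_uid = int(ldif_attr(ldif, "uidNumber"))
    nss = parse_passwd(passwd_line)
    ranges = idmap_ranges(conf)
    findings = [f"idmap ranges for {a} and {b} overlap"
                for a, b in overlapping_ranges(ranges)]
    for sid, uid in getpwuid_failures(log):
        owner = range_owner(ranges, uid) or "no configured range"
        if uid == ad_uid and uid != nss["uid"]:
            findings.append(f"{sid}: smbd used AD uidNumber {uid} ({owner} range), "
                            f"but NSS maps {nss['name']} to uid {nss['uid']}")
        elif uid == nss["uid"]:
            findings.append(f"{sid}: uid {uid} matches NSS yet getpwuid failed; "
                            f"passwd lookups are not reaching NSS from smbd")
        else:
            findings.append(f"{sid}: uid {uid} matches neither AD ({ad_uid}) nor "
                            f"NSS ({nss['uid']}); stale idmap cache or tdb allocation?")
    return findings


if __name__ == "__main__":
    for line in diagnose(AD_LDIF, NSS_PASSWD, SMB_CONF, SMBD_LOG):
        print(line)
```

On a live host the same three views come from `ldapsearch` against the DC, `getent passwd NAME`, and winbind itself (`wbinfo -n NAME` for the SID, then `wbinfo -S SID` for the uid winbind assigns); feeding those outputs to the functions above in place of the constructed samples shows at a glance which source the uid in the smbd log came from.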
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba