[Samba] Authentication issue after updating samba on CentOS 7 (from yum)
Rowland Penny
rpenny at samba.org
Tue Jan 11 17:49:08 UTC 2022
On Tue, 2022-01-11 at 14:27 +0300, Alex via samba wrote:
> Robert, Rowland,
>
> I guess I found the root of the issue. Look:
> [2022/01/11 13:33:07.895774, 3]
> ../../source3/smbd/oplock.c:1422(init_oplocks)
> init_oplocks: initializing messages.
> [2022/01/11 13:33:07.896199, 3]
> ../../source3/smbd/process.c:1948(process_smb)
> Transaction 0 of length 108 (0 toread)
> [2022/01/11 13:33:07.896674, 3]
> ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2022/01/11 13:33:07.972677, 3]
> ../../source3/auth/user_util.c:351(map_username)
> Mapped user ABISOFT\username to username
> [2022/01/11 13:33:07.977752, 3]
> ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
> Kerberos ticket principal name is [username at ABISOFT.BIZ]
> [2022/01/11 13:33:07.978650, 1]
> ../../source3/auth/token_util.c:1082(create_token_from_sid)
> sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
> [2022/01/11 13:33:07.978827, 3]
> ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at
> ../../source3/smbd/smb2_sesssetup.c:146
> [2022/01/11 13:33:07.980941, 3]
> ../../source3/smbd/server_exit.c:236(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> Particularly, this line:
> sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
>
> # wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
> ABISOFT\Domain Users 2
>
> # wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
>
> Indeed, Domain Users group (username's primary group) does not have
> unix group id associated with it. However, it didn't create any
> problems before 4.10.16-17. Is it possible to fix it w/o assigning a
> unix group id?
No idea, it has been years since I used nslcd. I do know that if you
use the winbind 'ad' backend on a Unix domain member, then you must
give Domain Users a gidNumber.
Rowland
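
Added example, not part of the original thread and not Samba code: a small Python scan of an smbd log for the pattern found above, a `sid_to_gid(...) failed` entry followed by `NT_STATUS_LOGON_FAILURE`, reporting the SID, its RID and the Kerberos principal. The sample log is taken from the excerpt above with mail-wrapped lines rejoined; the function names and the RID table are this example's own.

```python
import re

# smbd log header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
SID_FAIL = re.compile(r"sid_to_gid\((S-1-[0-9-]+)\) failed")
PRINCIPAL = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
# Well-known RIDs of built-in domain groups (last component of the SID).
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def records(text):
    """Return [timestamp, level, body] records; continuation lines join the body."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), int(m.group(2)), m.group(3)])
        elif out:
            out[-1][2] += " " + line
    return out

def gid_mapping_failures(text):
    """Return one finding per failed SID-to-GID lookup, noting a failed logon."""
    findings, principal, pending = [], None, None
    for ts, _level, body in records(text):
        if m := PRINCIPAL.search(body):
            principal, pending = m.group(1), None  # a new session setup begins
        if m := SID_FAIL.search(body):
            rid = int(m.group(1).rsplit("-", 1)[1])
            pending = {"time": ts, "sid": m.group(1), "rid": rid, "principal": principal,
                       "group": DOMAIN_RIDS.get(rid, "unknown"), "logon_failed": False}
            findings.append(pending)
        elif pending and "NT_STATUS_LOGON_FAILURE" in body:
            pending["logon_failed"] = True
            pending = None
    return findings

# Sample: log lines from the excerpt above, with mail-wrapped lines rejoined.
SAMPLE = """\
[2022/01/11 13:33:07.977752,  3] ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
  Kerberos ticket principal name is [username at ABISOFT.BIZ]
[2022/01/11 13:33:07.978650,  1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
"""

if __name__ == "__main__":
    for finding in gid_mapping_failures(SAMPLE):
        print(finding)
```

A finding whose group is "Domain Users" and whose `logon_failed` is true matches the case in this thread: the user's primary group has no Unix GID, so the session setup is rejected.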