[Samba] Authentication issue after updating samba on CentOS 7 (from yum)

Rowland Penny rpenny at samba.org
Tue Jan 11 17:49:08 UTC 2022


On Tue, 2022-01-11 at 14:27 +0300, Alex via samba wrote:
> Robert, Rowland,
> 
> I guess I found the root of the issue. Look:
> [2022/01/11 13:33:07.895774,  3]
> ../../source3/smbd/oplock.c:1422(init_oplocks)
>   init_oplocks: initializing messages.
> [2022/01/11 13:33:07.896199,  3]
> ../../source3/smbd/process.c:1948(process_smb)
>   Transaction 0 of length 108 (0 toread)
> [2022/01/11 13:33:07.896674,  3]
> ../../source3/smbd/smb2_negprot.c:293(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2022/01/11 13:33:07.972677,  3]
> ../../source3/auth/user_util.c:351(map_username)
>   Mapped user ABISOFT\username to username
> [2022/01/11 13:33:07.977752,  3]
> ../../source3/auth/auth_generic.c:171(auth3_generate_session_info_pac)
>   Kerberos ticket principal name is [username at ABISOFT.BIZ]
> [2022/01/11 13:33:07.978650,  1]
> ../../source3/auth/token_util.c:1082(create_token_from_sid)
>   sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
> [2022/01/11 13:33:07.978827,  3]
> ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_LOGON_FAILURE] || at
> ../../source3/smbd/smb2_sesssetup.c:146
> [2022/01/11 13:33:07.980941,  3]
> ../../source3/smbd/server_exit.c:236(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
> 
> Particularly, this line:
>   sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
> 
> # wbinfo --domain=ABISOFT -s S-1-5-21-3729968760-1240331958-298020672-513
> ABISOFT\Domain Users 2
> 
> # wbinfo --domain=ABISOFT -Y S-1-5-21-3729968760-1240331958-298020672-513
> failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
> 
> Indeed, Domain Users group (username's primary group) does not have
> unix group id associated with it. However, it didn't create any
> problems before 4.10.16-17. Is it possible to fix it w/o assigning a
> unix group id?

No idea, it has been years since I used nslcd, I do know that if you
use the winbind 'ad' backend on a Unix domain member, then you must
give Domain Users a gidNumber.

Rowland
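
The diagnosis in this thread (a `sid_to_gid` failure immediately followed by `NT_STATUS_LOGON_FAILURE`) can be picked out of a level 3 smbd log automatically. The following is an added example, not part of the original messages and not Samba project code; the function names and the sample log (constructed from the lines quoted above, with mail-wrapped headers rejoined) are assumptions.

```python
import re

# Samba log record: "[date time,  level] source.c:line(function)", then indented text.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]"
                    r"\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
SID_FAIL = re.compile(r"sid_to_gid\((S-1-[\d-]+)\) failed")
MAPPED = re.compile(r"Mapped user (\S+) to \S+")

# Constructed sample modelled on the log quoted in the thread.
SAMPLE_LOG = """\
[2022/01/11 13:33:07.972677,  3] ../../source3/auth/user_util.c:351(map_username)
  Mapped user ABISOFT\\username to username
[2022/01/11 13:33:07.978650,  1] ../../source3/auth/token_util.c:1082(create_token_from_sid)
  sid_to_gid(S-1-5-21-3729968760-1240331958-298020672-513) failed
[2022/01/11 13:33:07.978827,  3] ../../source3/smbd/smb2_server.c:3213(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../../source3/smbd/smb2_sesssetup.c:146
[2022/01/11 13:33:07.980941,  3] ../../source3/smbd/server_exit.c:236(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
"""

def parse_records(text):
    """Attach each indented message line to the header that precedes it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] += line.strip() + " "
    return records

def unmapped_group_logon_failures(text):
    """Return (timestamp, user, sid) where sid_to_gid failed and the logon was then refused."""
    findings, user, pending = [], None, None
    for rec in parse_records(text):
        mapped = MAPPED.search(rec["msg"])
        failed = SID_FAIL.search(rec["msg"])
        if mapped:
            user = mapped.group(1)
        elif failed:
            pending = (rec["ts"], user, failed.group(1))
        elif pending and "NT_STATUS_LOGON_FAILURE" in rec["msg"]:
            findings.append(pending)
            pending = None
        elif rec["func"] == "exit_server_common":
            user = pending = None  # smbd child exited; start a fresh session
    return findings
```

Each SID returned by `unmapped_group_logon_failures()` can then be checked with `wbinfo -Y <sid>` as shown in the quoted message.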




