
[Samba] User is invalid on this system


Kevin Elliott

Nov 29, 2012, 7:51:55 PM
Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [kevin_...@CBJ.LOCAL]
[2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc)
receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 192.0.2.87/32, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
password server = 192.0.2.25, 192.0.2.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 192.0.2.25
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config LIBRARY:range = 65535-79999
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:backend = rid
idmap config * : range = 10000-65533
idmap config * : base_rid = 0
idmap config * : backend = rid
admin users = @CBJ_NT+admin
veto files = /.*/

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = "@CBJ_NT+domain users"
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes


Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905



Thomas Mueller

Nov 30, 2012, 1:49:44 AM

On Thu, 29 Nov 2012 15:51:55 -0900, Kevin Elliott wrote:

> Hello all.
>
> We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade
> from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the
> ability to map Samba shares from our Windows XP SP3 and Windows 7
> clients:
>
>
> Here's an example from my workstation (logging verbosity set at 10):
>
...
> auth/user_krb5.c:162(get_user_from_kerberos_info)
> Username CBJ_NT+kevin_elliott is invalid on this system
...
>
>
> However, I can successfully return login information with winbind:
>
> # wbinfo -i kevin_elliott
> kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false
>
> 'getent passwd' will only return the local users from /etc/passwd.
>
....
>
> Any ideas? Anyone else see this?

maybe the "winbind" in /etc/nsswitch.conf got lost?

is "getent -s winbind passwd $username" returning something?

is winbindd running ("ps -C winbindd -f")?

any log messages in /var/log/samba/log.winbindd ?

- Thomas
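
The checks suggested above, gathered into one script as an added example (not part of the original thread, and not Samba's own tooling). `wbinfo -i` asks winbindd directly, while `getent -s winbind` goes through the libc NSS switch, so comparing the two shows which layer fails. The function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: separate "winbindd can map the user" from
# "the NSS switch can see the user". Function names are made up here.

# nss_has_winbind FILE DB -> exit 0 if DB (passwd, group) lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # strip comments, pad the colon
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# classify_lookup WBINFO_LINE GETENT_LINE -> prints one result label
classify_lookup() {
    wb_uid=$(printf '%s' "$1" | cut -d: -f3)
    ge_uid=$(printf '%s' "$2" | cut -d: -f3)
    if [ -z "$1" ]; then
        echo "winbind-broken"    # winbindd itself cannot resolve the user
    elif [ -z "$2" ]; then
        echo "nss-broken"        # winbindd answers, the NSS lookup does not
    elif [ "$wb_uid" != "$ge_uid" ]; then
        echo "uid-mismatch"      # both answer, but with different UIDs
    else
        echo "ok"
    fi
}

# diagnose_user USER [NSSWITCH_FILE] -> runs the live checks
diagnose_user() {
    user=$1
    nss=${2:-/etc/nsswitch.conf}
    nss_has_winbind "$nss" passwd || { echo "nsswitch-missing-winbind"; return 1; }
    wb=$(wbinfo -i "$user" 2>/dev/null) || wb=""
    ge=$(getent -s winbind passwd "$user" 2>/dev/null) || ge=""
    classify_lookup "$wb" "$ge"
}

# Run as: ./script.sh kevin_elliott
if [ $# -gt 0 ]; then diagnose_user "$@"; fi
```

With the output posted in this thread (a passwd line from `wbinfo -i`, nothing from `getent`), the result is `nss-broken`.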

Kevin Elliott

Nov 30, 2012, 12:52:38 PM

Ah good ideas.

/etc/nsswitch.conf looks correct:

passwd: files winbind
group: files winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files


Winbind is running too:

# ps -C winbindd -f
UID PID PPID C STIME TTY TIME CMD
root 32102 1 0 08:18 ? 00:00:00 /usr/sbin/winbindd
root 32108 32102 0 08:18 ? 00:00:00 /usr/sbin/winbindd
root 32109 32102 0 08:18 ? 00:00:00 /usr/sbin/winbindd
root 32110 32102 0 08:18 ? 00:00:00 /usr/sbin/winbindd


I can't get anything for Active Directory users via getent though:

# getent -s winbind passwd CBJ_NT+Kevin_Elliott
# getent -s winbind passwd Kevin_Elliott
# wbinfo -i Kevin_Elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false


log.winbindd seems normal too:

[2012/11/30 08:41:50.128842, 6] winbindd/winbindd.c:793(new_connection)
accepted socket 28
[2012/11/30 08:41:50.128990, 10] winbindd/winbindd.c:643(process_request)
process_request: request fn INTERFACE_VERSION
[2012/11/30 08:41:50.129052, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 425]: request interface version
[2012/11/30 08:41:50.129127, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[425:INTERFACE_VERSION]: delivered response to client
[2012/11/30 08:41:50.129215, 10] winbindd/winbindd.c:643(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/30 08:41:50.129266, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 425]: request location of privileged pipe
[2012/11/30 08:41:50.129346, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[425:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/11/30 08:41:50.129434, 6] winbindd/winbindd.c:841(winbind_client_request_read)
closing socket 28, client exited
[2012/11/30 08:41:50.129506, 6] winbindd/winbindd.c:793(new_connection)
accepted socket 28
[2012/11/30 08:41:50.129582, 10] winbindd/winbindd.c:616(process_request)
process_request: Handling async request 425:PING
[2012/11/30 08:41:50.129641, 10] winbindd/winbindd.c:678(wb_request_done)
wb_request_done[425:PING]: NT_STATUS_OK
[2012/11/30 08:41:50.129709, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:41:50.145530, 10] winbindd/winbindd.c:616(process_request)
process_request: Handling async request 425:PING
[2012/11/30 08:41:50.145630, 10] winbindd/winbindd.c:678(wb_request_done)
wb_request_done[425:PING]: NT_STATUS_OK
[2012/11/30 08:41:50.145709, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:41:58.866817, 10] winbindd/winbindd.c:616(process_request)
process_request: Handling async request 425:PING
[2012/11/30 08:41:58.866937, 10] winbindd/winbindd.c:678(wb_request_done)
wb_request_done[425:PING]: NT_STATUS_OK
[2012/11/30 08:41:58.867034, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:42:05.563565, 6] winbindd/winbindd.c:793(new_connection)
accepted socket 29
[2012/11/30 08:42:05.563716, 10] winbindd/winbindd.c:643(process_request)
process_request: request fn INTERFACE_VERSION
[2012/11/30 08:42:05.563778, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
[ 453]: request interface version
[2012/11/30 08:42:05.563884, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[453:INTERFACE_VERSION]: delivered response to client
[2012/11/30 08:42:05.563976, 10] winbindd/winbindd.c:643(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/30 08:42:05.564028, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[ 453]: request location of privileged pipe
[2012/11/30 08:42:05.564112, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[453:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/11/30 08:42:05.564201, 6] winbindd/winbindd.c:841(winbind_client_request_read)
closing socket 29, client exited
[2012/11/30 08:42:05.564274, 6] winbindd/winbindd.c:793(new_connection)
accepted socket 29
[2012/11/30 08:42:05.564351, 10] winbindd/winbindd.c:616(process_request)
process_request: Handling async request 453:PING
[2012/11/30 08:42:05.564411, 10] winbindd/winbindd.c:678(wb_request_done)
wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.564480, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:05.585267, 10] winbindd/winbindd.c:616(process_request)
process_request: Handling async request 453:PING
[2012/11/30 08:42:05.585367, 10] winbindd/winbindd.c:678(wb_request_done)
wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.585443, 10] winbindd/winbindd.c:739(winbind_client_response_written)
winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:10.081128, 6] winbindd/winbindd.c:841(winbind_client_request_read)
closing socket 29, client exited
[2012/11/30 08:42:12.146894, 6] winbindd/winbindd.c:841(winbind_client_request_read)
closing socket 28, client exited


If I'm reading the logs correctly, it looks like winbind opens the Unix pipe for the client, the client re-establishes the connection and we get an NT_STATUS_OK at the end of it.

Appreciate the help!

Dale Schroeder

Nov 30, 2012, 1:38:20 PM

Kevin,

3.6.x has had several issues with idmap rid. I was hit with this one:
https://bugzilla.samba.org/show_bug.cgi?id=8676 . Searching for idmap
rid issues with 3.6.x will reveal others as well.

Someone indicated that rejoining the domain would fix this issue. As it
so happened, I had to rebuild one of the servers. After joining the
rebuilt system to the domain, it has worked flawlessly ever since. So,
it appears the problem with rid and some of the other idmap backends is
somehow related to upgrading, as newly joined systems work as expected.

Dale



Kevin Elliott

Nov 30, 2012, 1:57:14 PM

Dale,

I was afraid of that. We were forced to upgrade from 3.5.x because of a recurring Winbind issue, but I'm a bit disappointed to see that 3.6.x introduces idmap/rid issues. I guess we just traded one for another.

Do you think un-joining and then re-joining the existing system could fix this?

Thanks.


---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




Dale Schroeder

Nov 30, 2012, 2:55:22 PM

With what I've read and what I've seen with the rebuilds, there's a good
chance the rejoin could fix your problem. That being said, there are no
guarantees with winbind. It's the part of the Samba suite that has given
me the most problems over the years, breaking existing configs almost
every time its internal workings are changed.

I wish you good luck!

Dale