
Bug#1002059: Same problem?


Thibault Roulet

Apr 4, 2022, 5:30:03 AM
Hi all,

I'm not sure if my problem is the same but it looks pretty similar.
Everything was working fine when running samba 2:4.13.5+dfsg-2 and it
broke my setup after upgrade to 2:4.13.13+dfsg-1~deb11u3

Last time I reverted to 4.13.5 but as there must be a solution to this
problem, I'm trying again to fix that.

## Setup description ##

Server running Debian stable and up to date.
This server is an Active Directory domain member (member only).
krb5.conf is correctly configured.

## samba configuration ##

[global]
    client signing = required
    deadtime = 30
    disable spoolss = Yes
    dns proxy = No
    domain master = No
    load printers = No
    local master = No
    log file = /var/log/samba/log.%I
    max log size = 3000
    panic action = /usr/share/samba/panic-action %d
    password server = AD1.MYDOMAIN.ORG
    realm = MYDOMAIN.ORG
    security = ADS
    server min protocol = SMB2
    server signing = required
    server string = srv.mydomain.org
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /etc/samba/smbusers
    username map script = /bin/echo
    usershare allow guests = Yes
    wins server = 123.123.15.44
    workgroup = MYDOMAIN
    idmap config MYDOMAIN:unix_primary_group = no
    idmap config MYDOMAIN:unix_nss_info = no
    idmap config MYDOMAIN:range = 9000 - 90000000
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:backend = ad
    idmap config * : range = 3000 - 8500
    idmap config * : backend = tdb
    hosts allow = 123.123. 127. 10.95.
    map acl inherit = Yes
    vfs objects = acl_xattr

## samba access log when connecting to a share (either from Windows 11 or
from a Debian client using mount.cifs) ##

  Got user=[myusername] domain=[MYDOMAIN] workstation=[DRX1] len1=24
len2=266
[2022/04/04 10:48:44.844975,  3]
../../source3/auth/user_util.c:353(map_username)
  Mapped user myusername to myusername
[2022/04/04 10:48:44.845054,  3]
../../source3/auth/auth.c:200(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[MYDOMAIN]\[myusername]@[DRX1] with the new password interface
[2022/04/04 10:48:44.845078,  3]
../../source3/auth/auth.c:203(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[myusername]@[DRX1]
[2022/04/04 10:48:44.854933,  3]
../../source3/auth/user_util.c:353(map_username)
  Mapped user MYDOMAIN\myusername to MYDOMAIN\myusername
[2022/04/04 10:48:44.859318,  3]
../../source3/auth/auth_util.c:1928(check_account)
  Failed to find authenticated user MYDOMAIN\myusername via getpwnam(),
denying access.
[2022/04/04 10:48:44.859392,  2]
../../source3/auth/auth.c:344(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myusername] ->
[myusername] FAILED with error NT_STATUS_NO_SUCH_USER, authoritative=1
[2022/04/04 10:48:44.859459,  2]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [MYDOMAIN]\[myusername] at [Mon, 04 Apr 2022
10:48:44.859434 CEST] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER]
workstation [DRX1] remote host [ipv4:123.123254.190:61314] mapped to
[MYDOMAIN]\[myusername]. local host [ipv4:123.123.241.3:445]
  {"timestamp": "2022-04-04T10:48:44.859606+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:123.123.241.3:445",
"remoteAddress": "ipv4:123.123254.190:61314", "serviceDescription":
"SMB2", "authDescription": null, "clientDomain": "MYDOMAIN",
"clientAccount": "myusername", "workstation": "DRX1", "becameAccount":
null, "becameDomain": null, "becameSid": null, "mappedAccount":
"myusername", "mappedDomain": "MYDOMAIN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 28332}}
[2022/04/04 10:48:44.859743,  3]
../../auth/gensec/spnego.c:1443(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed:
NT_STATUS_NO_SUCH_USER
[2022/04/04 10:48:44.859817,  3]
../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_LOGON_FAILURE] || at
../../source3/smbd/smb2_sesssetup.c:146
[2022/04/04 10:48:44.870240,  3]
../../source3/smbd/server_exit.c:220(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

==> log.wb-MYDOMAIN <==
[2022/04/04 10:48:44.845896,  3]
../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
  [193664]: pam auth crap domain: MYDOMAIN user: myusername
[2022/04/04 10:48:44.849490,  3]
../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [winbind,NTLM_AUTH, smbd, 193664] user [MYDOMAIN]\[myusername]
at [Mon, 04 Apr 2022 10:48:44.849462 CEST] with [NTLMv2] status
[NT_STATUS_OK] workstation [DRX1] remote host [unix:] became
[MYDOMAIN]\[myusername] [S-1-5-21-12345678-123456789-839522115-142182].
local host [unix:]
  {"timestamp": "2022-04-04T10:48:44.849557+0200", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4624, "logonId": "37e7d1fb0fe95725", "logonType": 3,
"status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress":
"unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH,
smbd, 193664", "clientDomain": "MYDOMAIN", "clientAccount":
"myusername", "workstation": "DRX1", "becameAccount": "myusername",
"becameDomain": "MYDOMAIN", "becameSid":
"S-1-5-21-12345678-123456789-839522115-142182", "mappedAccount": null,
"mappedDomain": null, "netlogonComputer": null, "netlogonTrustAccount":
null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 3687}}


I tried lots of different configs, always with a full reload of smbd,
winbind, nscd and removed tdb files in /var/lib/samba/

Can't make it work.

Thanks in advance for your help!

--
Thibault Roulet
Linux system engineer
ISIC-GE - BCH 1212
T: +41 21 69 39397

Michael Tokarev

Apr 4, 2022, 3:10:04 PM
04.04.2022 12:16, Thibault Roulet wrote:
> Hi all,
>
> I'm not sure if my problem is the same but it looks pretty similar.
> Everything was working fine when running samba 2:4.13.5+dfsg-2 and it broke my setup after upgrade to 2:4.13.13+dfsg-1~deb11u3
>
> Last time I reverted to 4.13.5 but as there must be a solution to this problem, I'm trying again to fix that.
...
>   Got user=[myusername] domain=[MYDOMAIN] workstation=[DRX1] len1=24 len2=266
> [2022/04/04 10:48:44.844975,  3] ../../source3/auth/user_util.c:353(map_username)
>   Mapped user myusername to myusername
> [2022/04/04 10:48:44.845054,  3] ../../source3/auth/auth.c:200(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user [MYDOMAIN]\[myusername]@[DRX1] with the new password interface
> [2022/04/04 10:48:44.845078,  3] ../../source3/auth/auth.c:203(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [MYDOMAIN]\[myusername]@[DRX1]
> [2022/04/04 10:48:44.854933,  3] ../../source3/auth/user_util.c:353(map_username)
>   Mapped user MYDOMAIN\myusername to MYDOMAIN\myusername
> [2022/04/04 10:48:44.859318,  3] ../../source3/auth/auth_util.c:1928(check_account)
>   Failed to find authenticated user MYDOMAIN\myusername via getpwnam(), denying access.

This most likely means your winbind does not work correctly or
nss_winbind isn't set up. It is unlikely to be the same problem.

FWIW, I'm definitely not an expert in this part of samba, you
should really ask on the samba mailing list, I guess.

Thanks,

/mjt
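
The two JSON records in the first post show winbind accepting the NTLMv2 logon (NT_STATUS_OK, with a SID) about 10 ms before smbd rejects the same account with NT_STATUS_NO_SUCH_USER after getpwnam() fails. The script below is an added example, not code from either poster or from Samba; the function names and the 5-second window are assumptions. It extracts such records from log text, including mail-wrapped ones, and pairs them per account:

```python
import json
from datetime import datetime, timedelta

# Constructed sample: the two JSON records from the post, trimmed to the fields
# used here and wrapped across lines the way the mail client wrapped them.
SAMPLE_LOG = r'''
  {"timestamp": "2022-04-04T10:48:44.859606+0200", "type":
"Authentication", "Authentication": {"eventId": 4625, "status":
"NT_STATUS_NO_SUCH_USER", "serviceDescription": "SMB2", "clientDomain":
"MYDOMAIN", "clientAccount": "myusername", "becameSid": null}}
==> log.wb-MYDOMAIN <==
  {"timestamp": "2022-04-04T10:48:44.849557+0200", "type":
"Authentication", "Authentication": {"eventId": 4624, "status":
"NT_STATUS_OK", "serviceDescription": "winbind", "clientDomain":
"MYDOMAIN", "clientAccount": "myusername", "becameSid":
"S-1-5-21-12345678-123456789-839522115-142182"}}
'''

def auth_events(text):
    """Yield the "Authentication" JSON records embedded in smbd/winbindd log text."""
    flat = text.replace("\n", " ")  # undo line wrapping inside the JSON
    dec = json.JSONDecoder()
    pos = flat.find('{"timestamp"')
    while pos != -1:
        try:
            rec, end = dec.raw_decode(flat, pos)
        except json.JSONDecodeError:
            end = pos + 1  # not a complete record, keep scanning
        else:
            if rec.get("type") == "Authentication":
                ev = rec["Authentication"]
                ev["time"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
                yield ev
        pos = flat.find('{"timestamp"', end)

def nss_lookup_failures(events, window=timedelta(seconds=5)):
    """Accounts winbind authenticated (NT_STATUS_OK) that another service then
    rejected with NT_STATUS_NO_SUCH_USER within `window`."""
    ok, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev.get("clientDomain"), ev.get("clientAccount"))
        if ev.get("serviceDescription") == "winbind" and ev["status"] == "NT_STATUS_OK":
            ok[key] = ev
        elif (ev["status"] == "NT_STATUS_NO_SUCH_USER" and key in ok
              and ev["time"] - ok[key]["time"] <= window):
            findings.append({"account": f"{key[0]}\\{key[1]}",
                             "sid": ok[key]["becameSid"],
                             "service": ev.get("serviceDescription")})
    return findings
```

A finding here separates a credential failure from an account-resolution failure: the password check succeeded, so the place to look is the NSS and idmap side, as the reply suggests.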