
[Samba] Unable to browse system shares of a newly migrated AD DC


Andrey Repin

Mar 27, 2015, 4:10:03 PM
Greetings, All!

I'm trying the final steps of my long upgrade process, but I've been hit by the
unexpected.

When everything seemingly ran fine in the end, I'm unable to browse the local
shares of the DC.

# smbclient -L localhost -U%
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

Server Comment
--------- -------

Workgroup Master
--------- -------

At the same time,

# wbinfo -t
checking the trust secret for domain CCENTER via RPC calls succeeded

and `wbinfo -u' correctly lists the domain members.

I've tried to install libnss-winbind, but that seems not to have helped.

# ls -ld /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
drwxrwx---+ 2 30001 544 4096 Mar 27 21:41 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/

# testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
[global]
workgroup = CCENTER
realm = ads.ccenter.lan
interfaces = lo, 192.168.17.0/24
server role = active directory domain controller
passdb backend = samba_dsdb
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
idmap config CCENTER:range = 1000 - 50000
idmap config CCENTER:backend = ad
idmap config *:range = 100000 - 999999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4, acl_xattr

[netlogon]
path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Anything I can try to resolve the problem? Or should I try the upgrade with
different options?
Upgrade log attached.
(This is a test installation, so don't be concerned with passwords. I'd
likely restart it several more times before I get the process all straight.)


--
WBR,
Andrey Repin (anrd...@yandex.ru) 27.03.2015, <22:40>

Sorry for my terrible English...

Rowland Penny

Mar 27, 2015, 4:40:04 PM
OK, remove most of the lines you have added, so your smb.conf looks
something like this:

[global]
workgroup = CCENTER
realm = ads.ccenter.lan
netbios name = DC_NAME
server role = active directory domain controller
forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
interfaces = lo, 192.168.17.0/24

[netlogon]
path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


Check that these packages are installed: libnss-winbind
libpam-winbind libpam-krb5

Check that the passwd & group lines in /etc/nsswitch.conf have 'winbind'
added to them.

Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrey Repin

Mar 27, 2015, 7:00:02 PM
Greetings, Rowland Penny!
I tried with that config initially, with the same results, but OK. I'll try again.

> [global]
> workgroup = CCENTER
> realm = ads.ccenter.lan
> netbios name = DC_NAME
> server role = active directory domain controller
> forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> interfaces = lo, 192.168.17.0/24

> [netlogon]
> path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
> read only = No

> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No


> Check that these packages are installed: libnss-winbind
> libpam-winbind

Um. Missed! x.x

> libpam-krb5

No such package. Is it known by any other name? Ubuntu 12.04 here, if that
matters. Samba from ppa:9v-shaun-42/samba4.

> Check that the passwd & group lines in /etc/nsswitch.conf have 'winbind'
> added to them.

I've added

passwd: compat winbind
group: compat winbind

and restarted the migration one more time.
Something... happened.

# ls -ld /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
drwxrwx---+ 2 CCENTER\Administrator 544 4096 Mar 28 01:33 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
# ls -lnd /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
drwxrwx---+ 2 30001 544 4096 Mar 28 01:33 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/

But

# smbclient -L localhost -U%
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

Server Comment
--------- -------

Workgroup Master
--------- -------

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

# samba-tool testparm --suppress-prompt
# Global parameters
[global]
workgroup = CCENTER
realm = ads.ccenter.lan
netbios name = DC1
interfaces = lo, 192.168.17.0/24
server role = active directory domain controller
dns forwarder = 192.168.17.1
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


--
WBR,
Andrey Repin (anrd...@yandex.ru) 28.03.2015, <01:20>

Sorry for my terrible English...

Andrey Repin

Mar 29, 2015, 6:30:03 PM
Greetings, Rowland Penny!

Got some logs. But... they do not make much sense.
It seems to fail to chdir to /tmp. But I can do it with sudo just fine under
the same credentials.
What's going on?

[2015/03/30 01:05:38.027147, 3, effective(0, 0), real(0, 0)] ../source3/lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/03/30 01:05:38.027425, 3, effective(0, 0), real(0, 0)] ../source3/smbd/oplock.c:870(init_oplocks)
init_oplocks: initializing messages.
[2015/03/30 01:05:38.027695, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 0 of length 194 (0 toread)
[2015/03/30 01:05:38.027728, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBnegprot (pid 882) conn 0x0
[2015/03/30 01:05:38.033749, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/03/30 01:05:38.033869, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [MICROSOFT NETWORKS 1.03]
[2015/03/30 01:05:38.033930, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [MICROSOFT NETWORKS 3.0]
[2015/03/30 01:05:38.033989, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [LANMAN1.0]
[2015/03/30 01:05:38.034055, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [LM1.2X002]
[2015/03/30 01:05:38.034116, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [DOS LANMAN2.1]
[2015/03/30 01:05:38.034177, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [LANMAN2.1]
[2015/03/30 01:05:38.034234, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [Samba]
[2015/03/30 01:05:38.034323, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [NT LANMAN 1.0]
[2015/03/30 01:05:38.034376, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:563(reply_negprot)
Requested protocol [NT LM 0.12]
[2015/03/30 01:05:38.066076, 2, effective(0, 0), real(0, 0)] ../lib/util/modules.c:191(do_smb_load_module)
Module 'samba4' loaded
[2015/03/30 01:05:38.067018, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2015/03/30 01:05:38.067085, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2015/03/30 01:05:38.067129, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2015/03/30 01:05:38.067173, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'schannel' registered
[2015/03/30 01:05:38.067215, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'spnego' registered
[2015/03/30 01:05:38.067280, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'ntlmssp' registered
[2015/03/30 01:05:38.067330, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'krb5' registered
[2015/03/30 01:05:38.067371, 3, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:870(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2015/03/30 01:05:38.068387, 3, effective(0, 0), real(0, 0)] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
ldb_wrap open of secrets.ldb
[2015/03/30 01:05:38.069598, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'sam' registered
[2015/03/30 01:05:38.069684, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'sam_ignoredomain' registered
[2015/03/30 01:05:38.069729, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'anonymous' registered
[2015/03/30 01:05:38.069802, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'winbind' registered
[2015/03/30 01:05:38.069848, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'winbind_wbclient' registered
[2015/03/30 01:05:38.069910, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'name_to_ntstatus' registered
[2015/03/30 01:05:38.069958, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:673(auth_register)
AUTH backend 'unix' registered
[2015/03/30 01:05:38.088423, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:384(reply_nt1)
using SPNEGO
[2015/03/30 01:05:38.088497, 3, effective(0, 0), real(0, 0)] ../source3/smbd/negprot.c:671(reply_negprot)
Selected protocol NT LANMAN 1.0
[2015/03/30 01:05:38.088901, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 1 of length 92 (0 toread)
[2015/03/30 01:05:38.088973, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBsesssetupX (pid 882) conn 0x0
[2015/03/30 01:05:38.094128, 3, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:604(reply_sesssetup_and_X)
wct=13 flg2=0xc843
[2015/03/30 01:05:38.094250, 3, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:818(reply_sesssetup_and_X)
Domain=[] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[null]
[2015/03/30 01:05:38.094299, 3, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:834(reply_sesssetup_and_X)
sesssetupX:name=[]\[]@[127.0.0.1]
[2015/03/30 01:05:38.094367, 3, effective(0, 0), real(0, 0)] ../source3/smbd/sesssetup.c:89(check_guest_password)
Got anonymous request
[2015/03/30 01:05:38.096168, 3, effective(0, 0), real(0, 0)] ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
auth_check_password_send: Checking password for unmapped user []\[]@[]
auth_check_password_send: mapped user is: [CCENTER]\[]@[]
[2015/03/30 01:05:38.098786, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 2 of length 88 (0 toread)
[2015/03/30 01:05:38.098854, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBtconX (pid 882) conn 0x0
[2015/03/30 01:05:38.099031, 3, effective(0, 0), real(0, 0)] ../source3/lib/access.c:338(allow_access)
Allowed connection from 127.0.0.1 (127.0.0.1)
[2015/03/30 01:05:38.099142, 3, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:612(make_connection_snum)
Connect path is '/tmp' for service [IPC$]
[2015/03/30 01:05:38.099903, 3, effective(0, 0), real(0, 0)] ../source3/smbd/vfs.c:113(vfs_init_default)
Initialising default vfs hooks
[2015/03/30 01:05:38.099972, 3, effective(0, 0), real(0, 0)] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [/[Default VFS]/]
[2015/03/30 01:05:38.100022, 3, effective(0, 0), real(0, 0)] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [acl_xattr]
[2015/03/30 01:05:38.118613, 2, effective(0, 0), real(0, 0)] ../lib/util/modules.c:191(do_smb_load_module)
Module 'acl_xattr' loaded
[2015/03/30 01:05:38.118757, 3, effective(0, 0), real(0, 0)] ../source3/smbd/vfs.c:139(vfs_init_custom)
Initialising custom vfs hooks from [dfs_samba4]
[2015/03/30 01:05:38.125409, 2, effective(0, 0), real(0, 0)] ../lib/util/modules.c:191(do_smb_load_module)
Module 'dfs_samba4' loaded
[2015/03/30 01:05:38.125440, 2, effective(0, 0), real(0, 0)] ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service IPC$
[2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:856(make_connection_snum)
127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
[2015/03/30 01:05:38.127627, 3, effective(0, 0), real(0, 0)] ../source3/smbd/reply.c:1024(reply_tcon_and_X)
tconX service=IPC$
[2015/03/30 01:05:38.128477, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 3 of length 106 (0 toread)
[2015/03/30 01:05:38.128537, 3, effective(0, 0), real(0, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBntcreateX (pid 882) conn 0xb893b588
[2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/service.c:197(set_current_service)
chdir (/tmp) failed, reason: Permission denied
[2015/03/29 22:05:38.128674, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
[2015/03/29 22:05:38.138398, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 4 of length 118 (0 toread)
[2015/03/29 22:05:38.138453, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBtrans (pid 882) conn 0xb893b588
[2015/03/29 22:05:38.138494, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/service.c:197(set_current_service)
chdir (/tmp) failed, reason: Permission denied
[2015/03/29 22:05:38.138529, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
[2015/03/29 22:05:38.139702, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/process.c:1802(process_smb)
Transaction 5 of length 39 (0 toread)
[2015/03/29 22:05:38.139771, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/process.c:1405(switch_message)
switch message SMBtdis (pid 882) conn 0xb893b588
[2015/03/30 01:05:38.139897, 3, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:1130(close_cnum)
127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
[2015/03/30 01:05:38.141264, 3, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:221(exit_server_common)
Server exit (failed to receive smb request)


--
WBR,
Andrey Repin (anrd...@yandex.ru) 30.03.2015, <01:15>

Sorry for my terrible English...

Andrey Repin

Mar 29, 2015, 7:10:02 PM
Greetings, Rowland Penny!

> [2015/03/30 01:05:38.096168, 3, effective(0, 0), real(0, 0)]
> ../source4/auth/ntlm/auth.c:270(auth_check_password_send)
> auth_check_password_send: Checking password for unmapped user []\[]@[]
> auth_check_password_send: mapped user is: [CCENTER]\[]@[]

> [2015/03/30 01:05:38.125440, 2, effective(0, 0), real(0, 0)]
> ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr)
> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and 'force unknown acl user = true' for service IPC$
> [2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)]
> ../source3/smbd/service.c:856(make_connection_snum)
> 127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as
> user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
> [2015/03/30 01:05:38.127627, 3, effective(0, 0), real(0, 0)]
> ../source3/smbd/reply.c:1024(reply_tcon_and_X)
> tconX service=IPC$
> [2015/03/30 01:05:38.128477, 3, effective(0, 0), real(0, 0)]
> ../source3/smbd/process.c:1802(process_smb)
> Transaction 3 of length 106 (0 toread)
> [2015/03/30 01:05:38.128537, 3, effective(0, 0), real(0, 0)]
> ../source3/smbd/process.c:1405(switch_message)
> switch message SMBntcreateX (pid 882) conn 0xb893b588
> [2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)]

By the way, what is the group 3000009 supposed to be? Domain Users? Domain
Admins?
Andrey Repin, 30.03.2015, <01:54>

Rowland Penny

Mar 30, 2015, 5:00:04 AM
OK, it would seem that you possibly have a problem with your /tmp
directory; it should be readable and writable by anybody, i.e. on my DC
'ls -la /' shows:

drwxrwxrwt 14 root root 4096 Mar 30 09:17 tmp

As for who '3000009' is, you can find this out by running (on the DC)
'ldbedit -e nano -H /var/lib/samba/private/idmap.ldb' and searching for
'3000009'; on my DC this results in this:

dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

So '3000009' has the SID 'S-1-5-32-545'.
To find out who this is, go here:
http://support.microsoft.com/en-us/kb/243330

This reveals that this is the SID of the 'Users' group.

This is probably true for your DC, but I would check your DC, as you can
have differences between DCs.

Rowland

L.P.H. van Belle

Mar 30, 2015, 5:10:03 AM
I think this won't work since the user connecting isn't known in the AD,
since the user connecting is mapped to user nobody.


auth_check_password_send: Checking password for unmapped user []\[]@[]
auth_check_password_send: mapped user is: [CCENTER]\[]@[]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
and 'force unknown acl user = true' for service IPC$

cat /etc/passwd | grep nobody
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

and by default "Guest" (nobody) is disabled in the AD.



Greetz,

Louis


>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Monday, 30 March 2015 10:49
>To: sa...@lists.samba.org
>Subject: Re: [Samba] Unable to browse system shares of a
>newly migrated AD DC

Rowland Penny

Mar 30, 2015, 5:30:03 AM
Hi Louis, it works for me.

This appears in log.smbd on my DC when I run the same command:

[2015/03/30 10:15:42.442881, 3]
../source3/smbd/service.c:856(make_connection_snum)
dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)

3000013 on my DC is SID S-1-1-0, which is 'Everyone'

So the questions are: what are the permissions on /tmp, and is user
'3000009' on the DC 'Everyone'?

L.P.H. van Belle

Mar 30, 2015, 5:40:03 AM
I've never got this to work OK with "Guest" users.

I'll watch the thread... if you manage to get this working.

Greetz,

Louis




>-----Original message-----
>From: rowlan...@googlemail.com
>[mailto:samba-...@lists.samba.org] On behalf of Rowland Penny
>Sent: Monday, 30 March 2015 11:26

Rowland Penny

Mar 30, 2015, 6:20:03 AM
Hi Louis, if I run 'smbclient -L localhost -U%' on the DC, I get this:

root@dc01:~# smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
testshare Disk
IPC$ IPC IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP

If I then run virtually the same command on a client (replacing
'localhost' with the DC's name), I get:

rowland@ThinkPad ~ $ smbclient -L dc01 -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
testshare Disk
IPC$ IPC IPC Service (Samba 4.1.17-Debian)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.17-Debian]

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP

Andrey Repin

Mar 30, 2015, 10:30:04 AM
Greetings, Rowland Penny!

<Trying to resend, sorry for possible duplicates.>

> On 30/03/15 10:06, L.P.H. van Belle wrote:

Please don't top-post. It makes messages very hard to read.

>> I think this won't work since the user connecting isn't known in the AD,
>> since the user connecting is mapped to user nobody.

I'm doing a simple check (anonymous listing of DC shares) as per instructions.

>> auth_check_password_send: Checking password for unmapped user []\[]@[]
>> auth_check_password_send: mapped user is: [CCENTER]\[]@[]
>> connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
>> connect to service IPC$ initially as user NT AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000009)
>> and 'force unknown acl user = true' for service IPC$
>>
>> cat /etc/passwd | grep nobody
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>
>> and by default "Guest" (nobody) is disabled in the AD.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>

> Hi Louis, It works for me

> This appears in log.smbd on my DC when I run the same command:

> [2015/03/30 10:15:42.442881, 3]
> ../source3/smbd/service.c:856(make_connection_snum)
> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)

> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'

> So the questions are, what are the permissions on /tmp and is user
> '3000009' on the DC 'Everyone'

Permissions are fine, but migration did not create "Users" group in AD.
How can I resolve it?

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

# getent group
...
CCENTER\Enterprise Read-Only Domain Controllers:*:3000012:
CCENTER\Domain Admins:*:512:
CCENTER\Domain Users:*:513:
CCENTER\Domain Guests:*:514:
CCENTER\Domain Computers:*:515:
CCENTER\Domain Controllers:*:3000013:
CCENTER\Schema Admins:*:3000006:
CCENTER\Enterprise Admins:*:3000005:
CCENTER\Group Policy Creator Owners:*:3000003:
CCENTER\Read-Only Domain Controllers:*:3000014:
CCENTER\DnsUpdateProxy:*:3000015:


--
With best regards,
Andrey Repin
Monday, March 30, 2015 15:51:58

Sorry for my terrible English...

Rowland Penny

Mar 30, 2015, 11:20:04 AM
I would be very, very surprised if it hasn't been created; 'wbinfo -g'
will not show it though. Try this:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb
'(&(objectclass=group)(cn=users))'

and the same command will show who '3000009' is:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
'(&(objectClass=sidMap)(xidNumber=3000009))'

If you haven't got 'ldbedit', install ldb-tools.

When you run the second command, what does the line that starts 'cn:' show ?

Rowland

Andrey Repin

Mar 30, 2015, 5:00:03 PM
Greetings, Rowland Penny!

>>> Hi Louis, It works for me
>>> This appears in log.smbd on my DC when I run the same command:
>>> [2015/03/30 10:15:42.442881, 3]
>>> ../source3/smbd/service.c:856(make_connection_snum)
>>> dc01 (ipv6:::1:43602) connect to service IPC$ initially as user NT
>>> AUTHORITY\ANONYMOUS LOGON (uid=65534, gid=3000013) (pid 16566)
>>> 3000013 on my DC is SID S-1-1-0, which is 'Everyone'
>>> So the questions are, what are the permissions on /tmp and is user
>>> '3000009' on the DC 'Everyone'
>> Permissions are fine, but migration did not create "Users" group in AD.
>> How can I resolve it?

> I would be very, very surprised if it hasn't been created; 'wbinfo -g'
> will not show it though. Try this:

> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
> '(&(objectclass=group)(cn=users))'

# editing 1 records
# record 1
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
instanceType: 4
whenCreated: 20150329223248.0Z
uSNCreated: 3563
name: Users
objectGUID: 509b16e2-e317-4c9b-937c-e3480a498961
objectSid: S-1-5-32-545
sAMAccountName: Users
sAMAccountType: 536870912
systemFlags: -1946157056
groupType: -2147483643
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=ads,DC=ccenter,DC=lan
isCriticalSystemObject: TRUE
gidNumber: 30002
whenChanged: 20150329223254.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: ccenter
uSNChanged: 3798
distinguishedName: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan

> and the same command will show who '3000009' is:

> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
> '(&(objectClass=sidMap)(xidNumber=3000009))'

> If you haven't get 'ldbedit', install ldb-tools

That is one handy tool, I may say!

> When you run the second command, what does the line that starts 'cn:' show ?

Nothing useful, unfortunately.

# ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
# editing 1 records
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0

# 0 adds 0 modifies 0 deletes

I suppose the group mapping is screwed up somehow.
Maybe I've copied the wrong tdb from the PDC?


--
With best regards,
Andrey Repin
Monday, March 30, 2015 23:44:13

Sorry for my terrible English...

Rowland Penny

Mar 30, 2015, 5:20:04 PM
Yes it does :-)

It shows that your '3000009', like my '3000013', is the group 'Everyone'.

>
> # ldbedit -e cat -H /var/lib/samba/private/idmap.ldb '(&(objectClass=sidMap)(xidNumber=3000009))'
> # editing 1 records
> # record 1
> dn: CN=S-1-1-0
> cn: S-1-1-0
> objectClass: sidMap
> objectSid: S-1-1-0
> type: ID_TYPE_BOTH
> xidNumber: 3000009
> distinguishedName: CN=S-1-1-0
>
> # 0 adds 0 modifies 0 deletes
>
> I suppose the group mapping is screwed up somehow.
> Maybe I've copied the wrong tdb from the PDC?
>
>

Now that we have confirmed that your Windows DC is running the same
command as mine and mine works, we need to look at what is different
between your DC and mine. This would seem to be that Samba cannot write
to the /tmp directory, so I will ask again (but in a slightly different
way): what does 'ls -la / | grep tmp' show?

Mine shows this:

root@dc01:~# ls -la / | grep tmp
drwxrwxrwt 8 root root 4096 Mar 30 22:09 tmp

Which shows that any user or group can read, write or enter the /tmp
directory.

Rowland
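
Rowland's ldbedit lookups above resolve a Unix id to a SID by hand. The script below is an added example (not part of the thread and not Samba's own tooling) that does the same from the LDIF that ldbedit or ldbsearch print: it parses the records, finds the sidMap entry for a given xidNumber, names the well-known SIDs from KB 243330 that the thread mentions, and lists who sits in the Builtin Users group Andrey posted. The sample records are the ones quoted in the thread; the function names and the small well-known-SID table are my own, and SIDs outside that table are reported as unknown rather than guessed.

```python
"""Map Samba idmap.ldb xidNumbers back to SIDs and well-known names.

Added example, not from the thread or from Samba: parses the LDIF that
ldbedit/ldbsearch print (as quoted in the thread) so "who is gid 3000009?"
can be answered without an editor. Sample records are the ones posted.
"""
import base64
import re

# Well-known SIDs and domain RIDs (MS KB 243330), limited to what the thread touches.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-4": "Interactive",
                   "S-1-5-11": "Authenticated Users",
                   "S-1-5-32-544": "BUILTIN\\Administrators",
                   "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-546": "BUILTIN\\Guests"}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 516: "Domain Controllers"}

# idmap.ldb record as posted in the thread (ldbedit -e cat output).
SAMPLE_IDMAP = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid: S-1-1-0
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-1-0
"""

# Builtin Users group from sam.ldb as posted (trimmed); the description is folded
# across two lines the LDIF way: the continuation line starts with one space.
SAMPLE_SAM = """\
dn: CN=Users,CN=Builtin,DC=ads,DC=ccenter,DC=lan
cn: Users
description: Users are prevented from making accidental or intentional system-
 wide changes and can run most applications
member: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=ads,DC=ccenter,DC=lan
objectSid: S-1-5-32-545
objectClass: group
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; handles '#' comments, folding and '::' base64."""
    records, rec, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # a blank line ends the record
            if rec:
                records.append(rec)
            rec, last = {}, None
            continue
        if raw.startswith(" ") and last:         # folded continuation of the previous value
            rec[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        rec.setdefault(attr, []).append(value.strip())
        last = attr
    if rec:
        records.append(rec)
    return records

def parse_sid(sid):
    """'S-1-5-21-...-513' -> (identifier authority, [sub-authorities])."""
    m = re.fullmatch(r"S-1-(\d+)((?:-\d+)+)", sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2)[1:].split("-")]

def describe_sid(sid):
    """Name a well-known SID, or a well-known RID inside any S-1-5-21 domain SID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "<domain>\\" + WELL_KNOWN_RIDS.get(subs[4], "RID %d" % subs[4])
    return "unknown SID %s" % sid

def xid_to_sid(records, xid):
    """(objectSid, type) of the sidMap record whose xidNumber is xid, else None.
    ID_TYPE_BOTH means Samba hands out the same number as uid and as gid."""
    for r in records:
        if "sidMap" in r.get("objectClass", []) and r.get("xidNumber") == [str(xid)]:
            return r["objectSid"][0], r.get("type", ["?"])[0]
    return None

def describe_members(record):
    """Group members by name; ForeignSecurityPrincipals entries are SIDs, so name them."""
    out = []
    for dn in record.get("member", []):
        m = re.match(r"CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,", dn)
        out.append(describe_sid(m.group(1)) if m else dn.split(",")[0][3:])
    return out

if __name__ == "__main__":
    sid, idtype = xid_to_sid(parse_ldif(SAMPLE_IDMAP), 3000009)
    print("xid 3000009 ->", sid, describe_sid(sid), idtype)
    print("members of BUILTIN\\Users:", describe_members(parse_ldif(SAMPLE_SAM)[0]))
```

On a real DC the input comes from 'ldbsearch -H /var/lib/samba/private/idmap.ldb "(xidNumber=3000009)"' (or the ldbedit -e cat trick used later in the thread); pipe that text into parse_ldif instead of the sample. Note that the xid-to-SID table is per DC, which is why the same number is Users on one box and Everyone on another.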

Andrey Repin

Mar 30, 2015, 7:40:04 PM
Mine shows the same.
I intended to include it, but it got lost in the resend somehow.

# ls -ld /tmp
drwxrwxrwt 2 root root 4096 Mar 30 23:47 /tmp

# ls -lnd /tmp
drwxrwxrwt 2 0 0 4096 Mar 30 23:47 /tmp

That's why I'm puzzled to no end.
Any logs I can enable to get better info?


--
With best regards,
Andrey Repin
Tuesday, March 31, 2015 00:51:30

Sorry for my terrible English...

Andrey Repin

Mar 31, 2015, 6:40:03 PM
Greetings, All!

Anyone? Please?
Wednesday, April 1, 2015 01:33:13

Andrey Repin

Apr 2, 2015, 7:40:03 PM
Greetings, All!

> I'm trying the final steps of my long upgrade process, but I've been hit by the
> unexpected.

> When everything seemingly ran fine in the end, I'm unable to browse the local
> shares of the DC.

> # smbclient -L localhost -U%
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

> Sharename Type Comment
> --------- ---- -------
> Error returning browse list: NT_STATUS_ACCESS_DENIED
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

> Server Comment
> --------- -------

> Workgroup Master
> --------- -------

It turned out that the /tmp directory was not accessible to the user "nobody" for
some mysterious reason. (So that

sudo -u '#65534' ls -l /tmp || echo 'Fail!'

resulted in "Fail!")

Repeating the tests with a freshly generated setup succeeded.
At least, in this specific case.


--
With best regards,
Andrey Repin
Friday, April 3, 2015 02:24:47

Sorry for my terrible English...
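
The level-3 log Andrey posted earlier and the sudo -u '#65534' check that closed the thread both come down to one question: which Unix identity did smbd switch to for the anonymous IPC$ tree connect, and can that identity enter the share's connect path? The script below is an added example, not code from the thread or from Samba. It pairs the 'connect to service ... initially as user ... (uid=, gid=)' line with the 'chdir (...) failed' and 'NT error packet' lines that follow it, reports the effective uid/gid smbd had at the moment of the failure, and offers a forking equivalent of the sudo check for when it is run as root. The regexes are written against the Samba 4.1 lines quoted in the thread (other versions may word them differently); the embedded sample log is a trimmed copy of that excerpt, and the function names are my own.

```python
"""Triage smbd level-3 logs for tree connects that fail on chdir.

Added example, not from the thread or from Samba: pairs each 'connect to
service ... initially as user ... (uid=, gid=)' line with the 'chdir (...)
failed' and 'NT error packet' lines that follow it, so the denied Unix
identity, the path and the SMB status the client saw are reported together.
"""
import os
import re

# "[date time, level, effective(uid, gid), real(uid, gid)] source"; the
# effective/real part and the source are optional (some builds/pastes lack them).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+), (?P<level>\d+)"
    r"(?:, effective\((?P<euid>\d+), (?P<egid>\d+)\), real\(\d+, \d+\))?"
    r"\](?: (?P<src>\S+))?$")
CONNECT_RE = re.compile(r"connect to service (?P<service>\S+) initially as user "
                        r"(?P<user>.+?) \(uid=(?P<uid>\d+), gid=(?P<gid>\d+)\)")
CHDIR_FAIL_RE = re.compile(r"chdir \((?P<path>[^)]+)\) failed, reason: (?P<reason>.+)")
NT_ERROR_RE = re.compile(r"NT error packet at \S+ cmd=\d+ \((?P<op>\w+)\) (?P<status>NT_STATUS_\w+)")
CLOSE_RE = re.compile(r"closed connection to service (?P<service>\S+)")

# Trimmed copy of the level-3 excerpt posted in the thread (sample input).
SAMPLE_LOG = """\
[2015/03/30 01:05:38.127532, 3, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:856(make_connection_snum)
  127.0.0.1 (ipv4:127.0.0.1:45066) connect to service IPC$ initially as user NT AUTHORITY\\ANONYMOUS LOGON (uid=65534, gid=3000009) (pid 882)
[2015/03/29 22:05:38.128622, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/service.c:197(set_current_service)
  chdir (/tmp) failed, reason: Permission denied
[2015/03/29 22:05:38.128674, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/process.c(1524) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED
[2015/03/29 22:05:38.138494, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/service.c:197(set_current_service)
  chdir (/tmp) failed, reason: Permission denied
[2015/03/29 22:05:38.138529, 3, effective(65534, 3000009), real(65534, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/process.c(1524) cmd=37 (SMBtrans) NT_STATUS_ACCESS_DENIED
[2015/03/30 01:05:38.139897, 3, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:1130(close_cnum)
  127.0.0.1 (ipv4:127.0.0.1:45066) closed connection to service IPC$
"""

def triage(log_text):
    """One finding per chdir failure, attributed to the tree connect in force."""
    findings = []
    hdr = conn = pending = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:                                   # message text follows on the next line
            hdr = m.groupdict()
            continue
        m = CONNECT_RE.search(line)
        if m:
            conn = {"service": m["service"], "user": m["user"],
                    "uid": int(m["uid"]), "gid": int(m["gid"])}
            continue
        m = CHDIR_FAIL_RE.search(line)
        if m:                                   # the header's effective ids say who was denied
            pending = dict(conn or {"service": "?", "user": "?", "uid": None, "gid": None})
            pending.update(path=m["path"], reason=m["reason"], op=None, status=None,
                           effective=(int(hdr["euid"]), int(hdr["egid"]))
                           if hdr and hdr["euid"] else None)
            continue
        m = NT_ERROR_RE.search(line)
        if m and pending:                       # the status the client got for that request
            pending.update(op=m["op"], status=m["status"])
            findings.append(pending)
            pending = None
            continue
        if CLOSE_RE.search(line):
            conn = None
    return findings

def summarize(finding):
    """One line a human can act on."""
    return ("{service}: {user} (uid={uid}, gid={gid}) could not chdir to {path}: "
            "{reason}; {op} answered {status}").format(**finding)

def can_traverse_as(uid, gid, path):
    """The thread's sudo -u '#65534' check without sudo: fork, drop to uid/gid,
    try chdir(path). Needs root and fork(); returns None when unavailable."""
    if not hasattr(os, "fork") or os.geteuid() != 0:
        return None
    pid = os.fork()
    if pid == 0:                                # child: groups, then gid, then uid
        try:
            os.setgroups([])
            os.setgid(gid)
            os.setuid(uid)
            os.chdir(path)
            os._exit(0)
        except Exception:
            os._exit(1)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(summarize(finding))
    print("direct check as uid 65534 (None unless root):", can_traverse_as(65534, 65534, "/tmp"))
```

Run it against /var/log/samba/log.smbd (or the per-client log) captured at log level 3. The point of can_traverse_as is the one the thread ends on: mode bits of 1777 are not the whole story, and only an actual chdir as the denied uid settles whether /tmp is usable by nobody.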

Rowland Penny

Apr 3, 2015, 4:50:02 AM
On 03/04/15 00:27, Andrey Repin wrote:
> Greetings, All!
>
>> I'm trying the final steps of my long upgrade process, but I've been hit by the
>> unexpected.
>> When everything seemingly ran fine in the end, I'm unable to browse the local
>> shares of the DC.
>> # smbclient -L localhost -U%
>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>> Sharename Type Comment
>> --------- ---- -------
>> Error returning browse list: NT_STATUS_ACCESS_DENIED
>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>> Server Comment
>> --------- -------
>> Workgroup Master
>> --------- -------
> It turned out that the /tmp directory was not accessible to the user "nobody" for
> some mysterious reason. (So that
>
> sudo -u '#65534' ls -l /tmp || echo 'Fail!'
>
> resulted in "Fail!")
>
> Repeating the tests with a freshly generated setup succeeded.
> At least, in this specific case.
>
>

I said that you probably had a problem with /tmp 3 days ago (but not in
those words).

Rowland

Andrey Repin

Apr 3, 2015, 10:10:02 AM
Greetings, Rowland Penny!

>>> I'm trying the final steps of my long upgrade process, but I've been hit by the
>>> unexpected.
>>> When everything seemingly ran fine in the end, I'm unable to browse the local
>>> shares of the DC.
>>> # smbclient -L localhost -U%
>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>> Sharename Type Comment
>>> --------- ---- -------
>>> Error returning browse list: NT_STATUS_ACCESS_DENIED
>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>> Server Comment
>>> --------- -------
>>> Workgroup Master
>>> --------- -------
>> It turned out that the /tmp directory was not accessible to the user "nobody" for
>> some mysterious reason. (So that
>>
>> sudo -u '#65534' ls -l /tmp || echo 'Fail!'
>>
>> resulted in "Fail!")
>>
>> Repeating the tests with a freshly generated setup succeeded.
>> At least, in this specific case.
>>
>>

> I said that you probably had a problem with /tmp 3 days ago (but not in
> those words)

It wasn't an apparent problem. The access mask was fine, no other apps were
harmed. If not for my desperation, I may have just dropped it altogether and
turned to look for different solutions.
But when I tried to recreate the entire setup from scratch, it miraculously
worked as expected.
I still have the original image backup, so if anyone wants to investigate, send
me your DSA fingerprint in private, and I'll arrange access to the instance.


--
With best regards,
Andrey Repin
Friday, April 3, 2015 17:00:37

Sorry for my terrible English...
