
[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution


Patrick G. Stoesser

Apr 16, 2016, 2:30:03 PM
Hello everybody,

I've been running Samba as an AD member server for ages (Debian stable).
After the last update to 4.2, I just can't get it to work.

Symptoms: unable to map AD users / groups.

After two days of unsuccessful fiddling (and moving all data to another
server still with Samba 3.6, which I will definitely NOT update at the
moment), I decided to purge my installation and start over again as
described in
<https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>

So now my setup is (all names and IPs are masked, but are correct here):

********************************************************************
smb.conf
********************************************************************
[global]

netbios name = test-fileserver3
security = ADS
workgroup = AD
realm = AD.test.loc

log file = /var/log/samba/%m.log
log level = 3

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-95000

winbind nss info = template
# template shell = /sbin/nologin
# template homedir = /home/%U
********************************************************************

********************************************************************
nsswitch.conf
********************************************************************
passwd: files winbind
group: files winbind
hosts: files dns.
shadow: files winbind

networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
********************************************************************

My krb5.keytab has been generated correctly. I also have a krb5.conf:

********************************************************************
krb5.conf
********************************************************************

[libdefaults]
    default_realm = AD.TEST.LOC
    clockskew = 900

    # The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    TEST.TEST.LOC = {
        kdc = dc.ad.test.loc
        kdc = dc1.ad.test.loc
        kdc = dc2.ad.test.loc
        kdc = dc3.ad.test.loc
        admin_server = dc.test.loc
    }

[domain_realm]
    .test.loc = AD.TEST.LOC

[login]
    krb4_convert = true
    krb4_get_tickets = false

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
********************************************************************

libpam.winbind and libnss.winbind are installed.


Name resolution works (as before...):

host -t A dc.ad.test.loc
dc.ad.test.loc has address 123.456.789.208

getent hosts
127.0.0.1 localhost
123.456.789.244 test-fileserver3.test.test.loc test-fileserver3

Time is synchronized (as before...)

net join ads -U "Domainadmin" worked.

smbd, nmbd, winbind start successfully.
wbinfo -t and -p are successful.

But still no resolution. wbinfo -g and -u give no result. Also, getent
passwd delivers only local accounts.

Log says (as expected) "Username AD\ps-15-16 is invalid on this system
[2016/04/16 18:52:45.713298, 3]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user
(NT_STATUS_LOGON_FAILURE)"

I tried, as read in the list, to change idmap config AD:backend = ad to
rid. No change in results.

Anyone any idea? I'm momentarily at the end of mine.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Apr 16, 2016, 2:40:03 PM
Try removing 'winbind' from the shadow line. I have never used it;
another user a few days ago was using it and was having similar problems
to you, he removed winbind and reported back that everything was now
working ok.
The 'ad' backend only works if your users have a unique uidNumber
attribute, and this number must be inside the range you set in smb.conf.
Domain Users must also have a gidNumber.

'rid' is different; you do not have to add anything to AD.

Rowland
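Rowland's two conditions (for 'ad': a uidNumber/gidNumber that exists and lies inside the configured range; for 'rid': nothing in AD, the ID is computed from the SID) can be checked before restarting winbind yet again. The script below is an added example, not code from this thread or from the Samba project: it parses the `idmap config` lines of the smb.conf posted above and predicts, for a few constructed AD entries, which Unix ID each backend would produce. The idmap_rid arithmetic follows its manual page (ID = LOW_RANGE_ID + RID - BASE_RID, base_rid defaulting to 0). Only the first SID comes from Patrick's log and the ranges from his smb.conf; the user names, the other RIDs and every uidNumber value are made up for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the "idmap config DOMAIN:key = value" lines of smb.conf.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed smb.conf fragment, copied from the idmap lines of the posted config.
SMB_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999

   idmap config AD:backend = ad
   idmap config AD:schema_mode = rfc2307
   idmap config AD:range = 10000-95000
"""

# Constructed AD entries. Only the first RID (50444) comes from the thread's log;
# the other RIDs and all uidNumber values are made up for the illustration.
DOMAIN_SID = "S-1-5-21-977923109-2952828257-175163757"
USERS = {
    "ps-15-16": {"objectSid": DOMAIN_SID + "-50444", "uidNumber": 12000},
    "ur067":    {"objectSid": DOMAIN_SID + "-1105"},                     # no uidNumber set
    "legacy":   {"objectSid": DOMAIN_SID + "-1106", "uidNumber": 500},   # below the range
}
GROUPS = {
    "Domain Users": {"objectSid": DOMAIN_SID + "-513"},                  # no gidNumber set
}


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every idmap config line; comments are skipped."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.split("-", 1))
    return lo, hi


def rid_of(sid: str) -> int:
    """The relative identifier is the last dash-separated component of an objectSid."""
    return int(sid.rsplit("-", 1)[1])


def map_uid(cfg: Dict[str, Dict[str, str]], domain: str, user: dict) -> Tuple[Optional[int], str]:
    """Predict the uid winbind would assign to `user` under the domain's idmap backend.

    Returns (uid, reason); uid is None when the backend cannot map the user.
    """
    dom = cfg[domain.upper()]
    backend = dom["backend"].lower()
    lo, hi = parse_range(dom["range"])
    if backend == "ad":
        # idmap_ad reads the RFC2307 uidNumber from AD; it must exist and be in range.
        uid = user.get("uidNumber")
        if uid is None:
            return None, "ad backend: user has no uidNumber attribute"
        if not lo <= uid <= hi:
            return None, f"ad backend: uidNumber {uid} is outside range {lo}-{hi}"
        return uid, "ad backend: uidNumber read from AD"
    if backend == "rid":
        # idmap_rid computes ID = LOW_RANGE_ID + (RID - BASE_RID); base_rid defaults to 0.
        uid = lo + rid_of(user["objectSid"]) - int(dom.get("base_rid", "0"))
        if uid > hi:
            return None, f"rid backend: computed id {uid} exceeds range high {hi}"
        return uid, "rid backend: low range + RID"
    return None, f"backend '{backend}' is not modelled in this example"


def audit_ad_backend(cfg, domain: str, users: dict, groups: dict) -> List[str]:
    """Everything that would stop the 'ad' backend resolving these users and groups."""
    problems: List[str] = []
    lo, hi = parse_range(cfg[domain.upper()]["range"])
    for name, user in users.items():
        uid, why = map_uid(cfg, domain, user)
        if uid is None:
            problems.append(f"user {name}: {why}")
    for name, group in groups.items():
        gid = group.get("gidNumber")
        if gid is None:
            problems.append(f"group {name}: no gidNumber attribute")
        elif not lo <= gid <= hi:
            problems.append(f"group {name}: gidNumber {gid} is outside range {lo}-{hi}")
    return problems


def with_backend(cfg, domain: str, backend: str):
    """Copy of cfg with the domain's backend swapped, e.g. to compare 'ad' with 'rid'."""
    new = {d: dict(v) for d, v in cfg.items()}
    new[domain.upper()]["backend"] = backend
    return new


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    for problem in audit_ad_backend(cfg, "AD", USERS, GROUPS):
        print("ad:", problem)
    for name, user in USERS.items():
        print("rid:", name, map_uid(with_backend(cfg, "AD", "rid"), "AD", user))
```

With the posted range, the 'ad' backend refuses two of the three constructed users (no uidNumber; uidNumber below 10000) and the Domain Users group (no gidNumber), which is exactly the state in which getent passwd shows only local accounts. Switching the same configuration to 'rid' maps all three, because the ID is derived from the SID alone; the price is that the numbers are not the ones stored in AD, so a mixed estate of 'ad' and 'rid' members would disagree about file ownership.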

L.P.H. van Belle

Apr 16, 2016, 4:20:03 PM
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group: files winbind
> hosts: files dns.

The dot after dns: do check if it's in the config file please ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Patrick G.
> Stoesser
> Sent: Saturday 16 April 2016 19:08
> To: sa...@lists.samba.org
> Subject: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution

L.P.H. van Belle

Apr 16, 2016, 4:30:03 PM
Try it with a simple krb5.conf, or you have errors there, or you changed too much to anonymize..

Like:

[libdefaults]
    default_realm = AD.TEST.LOC
    dns_lookup_kdc = true
    dns_lookup_realm = false

greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland penny
> Sent: Saturday 16 April 2016 20:34
> To: sa...@lists.samba.org
> Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution
>

Patrick G. Stoesser

Apr 16, 2016, 5:30:04 PM
Hello again,

no change here. But in the meantime I looked through the logfiles.
Sorry, many of those lines are just cryptic to me. But maybe someone has
an idea.

Thank you.

Again anonymized (domain names and IPs). Samba machine-specific log: see
below.

Connecting to the passwd server and WINS seems to work.

Apparent errors:

Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
ads reopen failed after error Time limit exceeded
enum_dom_groups ads_search: Time limit exceeded
Negative name query response, rcode 0x03: The name requested does not exist.


************************************************************************
log.wb-AD
************************************************************************

Reopening ads connection to realm 'AD.TEST.LOC' after error Time
limit exceeded
[2016/04/16 22:54:21.289277, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.290348, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:54:21.290447, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.290578, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:54:21.292312, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:54:21.292408, 3] ../source3/libads/ldap.c:584(ads_connect)
Connected to LDAP server dc5.ad.test.loc
[2016/04/16 22:54:21.294816, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2016/04/16 22:54:21.294856, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2016/04/16 22:54:21.294878, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2016/04/16 22:54:21.294898, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:54:21.513455, 3]
../source3/libads/ldap.c:904(ads_do_paged_search_args)
ads_do_paged_search_args:
ldap_search_with_timeout((&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1)))))
-> Time limit exceeded
[2016/04/16 22:54:21.513684, 1]
../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
ads reopen failed after error Time limit exceeded
[2016/04/16 22:54:21.513710, 1]
../source3/winbindd/winbindd_ads.c:479(enum_dom_groups)
enum_dom_groups ads_search: Time limit exceeded
[2016/04/16 22:54:51.549243, 3]
../source3/winbindd/winbindd_cm.c:1947(connection_ok)
connection_ok: Connection to dc5.ad.test.loc for domain AD is not
connected
[2016/04/16 22:54:51.549486, 3]
../source3/lib/util_sock.c:636(open_socket_out_send)
Connecting to 129.206.15.144 at port 445
[2016/04/16 22:54:51.551095, 3]
../source3/libsmb/cliconnect.c:1817(cli_session_setup_spnego_send)
Doing spnego session setup (blob length=108)
[2016/04/16 22:54:51.551188, 3]
../source3/libsmb/cliconnect.c:1844(cli_session_setup_spnego_send)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.2.840.113554.1.2.2.3
got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:54:51.551240, 3]
../source3/libsmb/cliconnect.c:1854(cli_session_setup_spnego_send)
got principal=not_defined_in_RFC4178@please_ignore
[2016/04/16 22:54:51.551269, 3]
../source3/libsmb/cliconnect.c:1721(cli_session_setup_get_principal)
cli_session_setup_spnego: using target hostname not SPNEGO principal
[2016/04/16 22:54:51.551298, 3]
../source3/libsmb/cliconnect.c:1736(cli_session_setup_get_principal)
cli_session_setup_spnego: guessed server
principal=cifs/dc5.ad....@AD.test.loc
[2016/04/16 22:58:01.571796, 3]
../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
msrpc_name_to_sid: name=AD\ROOT
[2016/04/16 22:58:01.571853, 3]
../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
name_to_sid [rpc] AD\ROOT for domain AD
[2016/04/16 22:58:01.575599, 3]
../source3/lib/util_sock.c:636(open_socket_out_send)
Connecting to 129.206.15.144 at port 135
[2016/04/16 22:58:01.577977, 3]
../source3/lib/util_sock.c:636(open_socket_out_send)
Connecting to 129.206.15.144 at port 49155
[2016/04/16 22:58:01.580495, 3]
../source3/winbindd/winbindd_ads.c:1007(lookup_usergroups)
[2016/04/16 22:58:01.580495, 3]
../source3/winbindd/winbindd_ads.c:1007(lookup_usergroups)
ads: lookup_usergroups
[2016/04/16 22:58:01.580522, 3]
../source3/winbindd/winbindd_util.c:1119(lookup_usergroups_cached)
: lookup_usergroups_cached
[2016/04/16 22:58:01.580783, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:01.580844, 3]
../source3/libsmb/namequery.c:2296(resolve_lmhosts)
resolve_lmhosts: Attempting lmhosts lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:01.580862, 3]
../libcli/nbt/lmhosts.c:185(resolve_lmhosts_file_as_sockaddr)
resolve_lmhosts: Attempting lmhosts lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:01.580933, 3]
../source3/libsmb/namequery.c:2163(resolve_wins_send)
resolve_wins: using WINS server 123.456.789.208 and tag '*'
[2016/04/16 22:58:01.580976, 3]
../source3/libsmb/namequery.c:2163(resolve_wins_send)
resolve_wins: using WINS server 129.206.15.144 and tag '*'
[2016/04/16 22:58:01.581009, 3]
../lib/util/charset/convert_string.c:305(convert_string_handle)
E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 -
'DC5.AD.test.loc'
[2016/04/16 22:58:03.582397, 3]
../lib/util/charset/convert_string.c:305(convert_string_handle)
E2BIG: convert_string(UTF-8,CP850): srclen=25 destlen=16 -
'DC5.AD.test.loc'
[2016/04/16 22:58:03.583259, 3]
../source3/libsmb/namequery.c:1328(name_query_validator)
Negative name query response, rcode 0x03: The name requested does not
exist.
[2016/04/16 22:58:03.583338, 3]
../source3/libsmb/namequery.c:2353(resolve_hosts)
resolve_hosts: Attempting host lookup for name dc5.ad.test.loc<0x20>
[2016/04/16 22:58:03.585184, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.585288, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.585394, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.586266, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.587052, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.587140, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.587240, 3]
../source3/libsmb/namequery.c:3133(get_dc_list)
get_dc_list: preferred server list: "dc5.ad.test.loc, dc5.ad.test.loc"
[2016/04/16 22:58:03.588712, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 129.206.15.144
[2016/04/16 22:58:03.588814, 3] ../source3/libads/ldap.c:584(ads_connect)
Connected to LDAP server dc5.ad.test.loc
[2016/04/16 22:58:03.591107, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2016/04/16 22:58:03.591153, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2016/04/16 22:58:03.591176, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2016/04/16 22:58:03.591197, 3]
../source3/libads/sasl.c:723(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2016/04/16 22:58:03.606696, 1]
../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/16 22:58:03.871767, 3]
../source3/winbindd/winbindd_ads.c:1132(lookup_usergroups)
ads lookup_usergroups (tokenGroups) succeeded for
sid=S-1-5-21-977923109-2952828257-175163757-50444
[2016/04/16 22:59:18.328783, 3]
../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
[ 3313]: list trusted domains
[2016/04/16 22:59:18.328860, 3]
../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
ads: trusted_domains
[2016/04/16 23:04:18.428994, 3]
../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
[ 3313]: list trusted domains
[2016/04/16 23:04:18.429092, 3]
../source3/winbindd/winbindd_ads.c:1456(trusted_domains)
ads: trusted_domains
****************************************************************************************

And here is what happens when a user tries to connect (Samba machine-specific
log). Apparently it fails to match the user to AD.


****************************************************************************************
Got user=[ur067] domain=[AD] workstation=[DWIRT-WISO-183] len1=24 len2=402
[2016/04/16 17:59:20.159563, 3]
../source3/param/loadparm.c:3636(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/04/16 17:59:20.159609, 3]
../source3/param/loadparm.c:527(init_globals)
Initialising global parameters
[2016/04/16 17:59:20.159675, 3]
../source3/param/loadparm.c:2579(lp_do_section)
Processing section "[global]"
[2016/04/16 17:59:20.159848, 3]
../source3/param/loadparm.c:1476(lp_add_ipc)
adding IPC service
[2016/04/16 17:59:20.160041, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[AD]\[ur067]@[DWIRT-WISO-183] with the new password interface
[2016/04/16 17:59:20.160055, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AD]\[ur067]@[DWIRT-WISO-183]
[2016/04/16 17:59:20.162558, 3]
../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user AD\ur067 via getpwnam(), denying
access.
[2016/04/16 17:59:20.162578, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [ur067] -> [ur067]
FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.162597, 2]
../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.198682, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088297
[2016/04/16 17:59:20.199641, 3]
../auth/ntlmssp/ntlmssp_server.c:449(ntlmssp_server_preauth)
Got user=[ur067] domain=[AD] workstation=[DWIRT-WISO-183] len1=24
len2=402
[2016/04/16 17:59:20.199682, 3]
../source3/param/loadparm.c:3636(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/04/16 17:59:20.199727, 3]
../source3/param/loadparm.c:527(init_globals)
Initialising global parameters
[2016/04/16 17:59:20.199793, 3]
../source3/param/loadparm.c:2579(lp_do_section)
Processing section "[global]"
[2016/04/16 17:59:20.199965, 3]
../source3/param/loadparm.c:1476(lp_add_ipc)
adding IPC service
[2016/04/16 17:59:20.200158, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[AD]\[ur067]@[DWIRT-WISO-183] with the new password interface
[2016/04/16 17:59:20.200171, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [AD]\[ur067]@[DWIRT-WISO-183]
[2016/04/16 17:59:20.202567, 3]
../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user AD\ur067 via getpwnam(), denying
access.
[2016/04/16 17:59:20.202595, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [ur067] -> [ur067]
FAILED with error NT_STATUS_NO_SUCH_USER
[2016/04/16 17:59:20.202614, 2]
../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
****************************************************************************************
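Picking the failures out of a level-3 winbind log by eye is tedious because every entry spans several lines. As an added example (not from this thread and not Samba's own code), here is a small Python parser for the debug-log layout shown above: a `[timestamp, level]` header, the `file.c:line(function)` location either on the same line or on the next, then a message that may wrap. `find_failures` then pulls out the entries Patrick listed as apparent errors, either because Samba logged them at level 1 or 2 or because the message carries a failure marker such as an NT_STATUS code. The sample log is constructed from a handful of the lines quoted above, with the DC address replaced by a documentation address.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A Samba debug entry starts with "[YYYY/MM/DD hh:mm:ss.uuuuuu, level]"; the
# "file.c:line(function)" location may follow on the same line or on the next.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]"
    r"(?:\s+(?P<loc>\S+\.c:\d+\([^)]*\)))?\s*$"
)
LOC_RE = re.compile(r"^\S+\.c:\d+\([^)]*\)$")

# Strings that mark a failed step in winbind/smbd logs, whatever the debug level.
FAILURE_MARKERS = ("NT_STATUS_", "Time limit exceeded", "failed", "Failed", "FAILED",
                   "Negative name query")

# Constructed sample, assembled from a few of the log lines quoted in the thread;
# the DC address is replaced by a documentation address (192.0.2.10).
SAMPLE_LOG = """\
[2016/04/16 22:54:21.290348, 3] ../source3/libads/ldap.c:541(ads_connect)
Successfully contacted LDAP server 192.0.2.10
[2016/04/16 22:54:21.513455, 3]
../source3/libads/ldap.c:904(ads_do_paged_search_args)
ads_do_paged_search_args:
ldap_search_with_timeout((&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1)))))
-> Time limit exceeded
[2016/04/16 22:54:21.513684, 1]
../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
ads reopen failed after error Time limit exceeded
[2016/04/16 22:58:03.606696, 1]
../auth/gensec/spnego.c:664(gensec_spnego_create_negTokenInit)
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
[2016/04/16 17:59:20.162558, 3]
../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user AD\\ur067 via getpwnam(), denying
access.
[2016/04/16 17:59:20.162578, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [ur067] -> [ur067]
FAILED with error NT_STATUS_NO_SUCH_USER
"""


@dataclass
class Entry:
    timestamp: str
    level: int
    location: Optional[str]
    message: str


def parse_samba_log(text: str) -> List[Entry]:
    """Group raw log lines into entries; wrapped message lines are rejoined with spaces."""
    entries: List[Entry] = []
    header = None            # (timestamp, level, location) of the entry being assembled
    body: List[str] = []

    def flush() -> None:
        if header is None:
            return
        ts, level, loc = header
        lines = list(body)
        # Location on its own line: the first body line that looks like file.c:NNN(func).
        if loc is None and lines and LOC_RE.match(lines[0]):
            loc = lines.pop(0)
        entries.append(Entry(ts, level, loc, " ".join(lines)))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            flush()
            header = (m.group("ts"), int(m.group("level")), m.group("loc"))
            body = []
        elif header is not None:
            body.append(line)   # continuation of the current entry's message
        # anything before the first header (separator rows etc.) is dropped
    flush()
    return entries


def find_failures(entries: List[Entry], max_level: int = 2) -> List[Entry]:
    """Entries logged at a low (serious) debug level or carrying a failure marker."""
    return [e for e in entries
            if e.level <= max_level or any(mark in e.message for mark in FAILURE_MARKERS)]


def function_of(entry: Entry) -> Optional[str]:
    """The Samba function name inside 'file.c:line(function)', if the location is known."""
    if entry.location is None:
        return None
    return entry.location[entry.location.index("(") + 1:-1]


if __name__ == "__main__":
    for e in find_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{e.timestamp} level={e.level} {function_of(e)}: {e.message}")
```

Run against a real /var/log/samba/log.wb-DOMAIN the function names alone tell the story: `ads_do_search_retry_internal` and `enum_dom_groups` failing means the LDAP enumeration itself times out, whereas `check_account` failing with NT_STATUS_NO_SUCH_USER means the user authenticated but getpwnam() could not produce a Unix account, which is the idmap/nsswitch side rather than the connection to the DC.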

Patrick G. Stoesser

Apr 19, 2016, 6:30:04 AM
Hello,

a reply in debianforum.de led me to:

client ldap sasl wrapping = plain

and with that setting at least wbinfo works.

But still my problems are not completely gone: On the filesystem level,
AD users and groups are still not resolved. "Invalid user". But kinit
"USER" works. Still have to try...

Regards, pgs

L.P.H. van Belle

Apr 19, 2016, 6:50:03 AM
@Patrick Thanks, that helped.
@Mathias, only 10.000 objects.

>> client ldap sasl wrapping = plain <<

I've tested that on my members.
4.2.10
4.3.8
4.4.1
4.4.2
wbinfo -u now works.

Ok, tested all 3 options of that setting.
Tested also in the order: plain, seal, sign.

Samba 4.2.10 (debian stable)
client ldap sasl wrapping = plain  wbinfo -u works.
client ldap sasl wrapping = seal   wbinfo -u fails
client ldap sasl wrapping = sign   wbinfo -u fails
only plain works, and keeps working.


Other server.
Version 4.4.2-LvB ( samba.org packages, own deb, based on debian 4.4.1 )
By default it fails; now the funny part.
( default samba setting is sign )
We start with a NOT working wbinfo -u.

Test with the following changes.
Try1) client ldap sasl wrapping = plain  wbinfo -u works.
Try2) client ldap sasl wrapping = seal   wbinfo -u also works now.
Try3) client ldap sasl wrapping = sign   wbinfo -u also works now.

Only the 4.4.2 now keeps working independent of the setting.
Lunch first, I'll test the 4.3.8 also.


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Patrick G.
> Stoesser
> Sent: Tuesday 19 April 2016 12:21
> To: sa...@lists.samba.org
> Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution
>

L.P.H. van Belle

Apr 19, 2016, 9:20:03 AM
Ok.
New test, debian samba 4.2.10 ( all stock debian packages )

So others with 4.2.10 stock debian packages, please test also if below works.

The file server on which (wbinfo -u) worked Saturday, and not on Sunday until now.

None of these three settings below are in the config and wbinfo -u fails.

Now adding these settings !! one at a time !!
And I reloaded samba and restarted winbind every time.

    client ldap sasl wrapping = plain
    client ldap sasl wrapping = seal
    client ldap sasl wrapping = sign

Result in the end.

I started with plain, wbinfo -u works, but the first time a long delay before I see the output ( long is +4-5 sec).

Changed it to seal, wbinfo -u works.

And back to the samba default "sign" which now also works.
So it seems fixed now. Strange..

Removed the client ldap sasl wrapping from the config.
All still works.

I'll check this server tomorrow again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 19 April 2016 12:48
> To: sa...@lists.samba.org
> Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not
> (update7)