
[Samba] why does add_local_groups come up in only one system's logs?


francis picabia
Aug 8, 2016, 9:50:03 AM
I have a couple of Debian 8.5 systems set up in similar manner. Samba is
version 4.2.10-Debian

Here is the essential config...

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
nt acl support = No
printing = bsd


[homes]
comment = Home Directories
path = %H
valid users = %U@mydom
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes

/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
configuration on both systems. The first one allows a connection
to the homes. Here is a tail on the log file:

[2016/08/08 09:42:49.956619, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN1] with the new password interface
[2016/08/08 09:42:49.956656, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1]
[2016/08/08 09:42:49.961548, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:42:49.961610, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:42:49.961671, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961699, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961772, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337, 3]
../source3/param/loadparm.c:1427(lp_add_home)
adding home's share [username] for user 'username' at '%H'

The second server fails with the add_local_groups and getpwuid:

[2016/08/08 09:53:55.146840, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN2] with the new password interface
[2016/08/08 09:53:55.146867, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2]
[2016/08/08 09:53:55.150852, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:53:55.150902, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:53:55.150960, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.150978, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.151036, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token


I am so far unable to find why the getpwuid for add_local_groups matters,
or why only one system even mentions it in the logfile trace. The default
group ID is listed in /etc/group for the user, and the home directory with
ls -ld looks fine with chmod 700 for the home directory in both servers.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
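To make the symptom in a log tail like the one above easier to pick out, here is an added example (not code from the thread or from the Samba project) that groups Samba's debug records, however the mail client wrapped them, and reports the winbind result, the failing SID-to-uid lookup and the token failure. The sample log is the failing server's tail from this post, embedded as a constructed string.

```python
import re

# Constructed sample: the failing server's log tail as posted in the thread,
# with the wrapped header / source / message layout the mail client produced.
SAMPLE_LOG = """\
[2016/08/08 09:53:55.150852, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), (\d+)\]\s*(.*)$")
AUTH_OK = re.compile(r"winbind authentication for user \[([^\]]+)\] succeeded")
GETPWUID = re.compile(r"SID (S-1-5-21(?:-\d+)+) -> getpwuid\((\d+)\) failed")

def parse_records(log_text):
    """Group a Samba debug log into (timestamp, level, body) records. A record
    starts at a '[timestamp, level]' header; everything up to the next header
    (source location and message, however line-wrapped) is its body."""
    records = []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3)])
        elif records:
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def diagnose(log_text):
    """Pull out the pattern from the thread: winbind accepted the password,
    but a SID -> uid lookup failed while the local NT token was being built."""
    result = {"auth_ok": [], "getpwuid_failed": [], "token_failed": False}
    for ts, level, body in parse_records(log_text):
        m = AUTH_OK.search(body)
        if m:
            result["auth_ok"].append(m.group(1))
        m = GETPWUID.search(body)
        if m:
            sid, uid = m.group(1), int(m.group(2))
            result["getpwuid_failed"].append(
                {"ts": ts, "level": level, "sid": sid,
                 "rid": int(sid.rsplit("-", 1)[1]), "uid": uid})
        if "Failed to finalize nt token" in body:
            result["token_failed"] = True
    return result
```

Run `diagnose(open("/var/log/samba/CLIENT.log").read())` against a real per-client log to see which SID and uid the token build choked on.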

Rowland Penny
Aug 8, 2016, 10:00:03 AM
Are you using sssd ?
If not, where are you storing the users & groups ?

Rowland

francis picabia
Aug 8, 2016, 11:00:02 AM
I've never used sssd anywhere before, nor here. We're just trying to make
this work as it has before with Samba 3.x and security=ads with Active
Directory on MS Windows.

We have /etc/passwd and /etc/group on each system. They are not identical.

If I run 'net ads group -U username | sort' on each system and compare,
they show identical groups coming back from AD.

The Group ID on Linux is in the 500 range on the system which works OK, and
in the 1000 range on the system which does not work. Same AD user is
tested with both systems.

We also use winbind on ssh authentication and this works fine on both
systems.

Rowland Penny
Aug 8, 2016, 11:50:03 AM
On Mon, 8 Aug 2016 11:48:42 -0300
The way you have Samba set up, ALL your AD users & groups are getting
mixed up, i.e. normal users & groups and the well known SIDs.

The '*' domain is usually only used for the well known SIDs. I would
normally expect to see another few lines, similar to these:

idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999

This is where your users should be mapped to Unix ids. I also wouldn't
have started the '*' range at 1000; this means you cannot have any
normal local Unix users. By using '1000', you will only be able to log
into the Samba machine as the 'root' user if you have network problems
and the AD domain isn't contactable.

Can I suggest you go and read this wiki page:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Rowland
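As an added example (not code from the thread or from Samba), here is a small checker for the points Rowland makes: it parses the idmap lines, flags a missing domain-specific block and ranges that collide with local ids, and applies idmap_rid's documented mapping (ID = RID - BASE_RID + LOW_RANGE_ID) to the RID 12331 from the logged SID. The '*' range 3000-7999 and the list of local ids are assumed values, not ones quoted in the thread.

```python
import re

# Constructed samples: the idmap lines from the first post, and a corrected
# block in the shape Rowland describes. The '*' range 3000-7999 is an assumed
# value placed above Debian's local-user start of 1000; LOCAL_IDS is made up.
ORIGINAL_CONF = """\
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
"""
FIXED_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 70000-99999999
"""
LOCAL_IDS = [0, 500, 1000, 1001]  # constructed /etc/passwd and /etc/group ids

IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(smb_conf):
    """Collect 'idmap config DOMAIN : backend|range' lines into {domain: {...}}."""
    cfg = {}
    for m in filter(None, map(IDMAP.match, smb_conf.splitlines())):
        entry = cfg.setdefault(m.group(1), {})
        if m.group(2).lower() == "range":
            entry["range"] = tuple(int(x) for x in m.group(3).split("-"))
        else:
            entry["backend"] = m.group(3).lower()
    return cfg

def rid_to_uid(rid, cfg, domain, base_rid=0):
    """idmap_rid's mapping: ID = RID - BASE_RID + LOW_RANGE_ID; None if out of range."""
    lo, hi = cfg[domain]["range"]
    uid = rid - base_rid + lo
    return uid if lo <= uid <= hi else None

def in_any_range(uid, cfg):
    """Winbind's NSS module only answers getpwuid() for ids inside a configured range."""
    return any(lo <= uid <= hi for lo, hi in (e["range"] for e in cfg.values() if "range" in e))

def lint_idmap(cfg, workgroup, local_ids):
    """Findings a domain member's idmap block should not produce."""
    findings = []
    if workgroup not in cfg:
        findings.append(f"no 'idmap config {workgroup}' block; domain users land in the '*' range")
    for d, e in cfg.items():
        lo, hi = e.get("range", (1, 0))
        clash = [i for i in local_ids if lo <= i <= hi]
        if clash:
            findings.append(f"'{d}' range {lo}-{hi} overlaps local ids {clash}")
    return findings
```

Feed it the real smb.conf text plus the ids from getent passwd/group to see whether the logged uid 16777216 could ever be answered by a configured range.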

francis picabia
Aug 8, 2016, 3:00:03 PM

OK, that was my bad for copy/pasting some config lines I found with
a report of "this works!" on a bug report (only the second login connects
bug).

I've included the domain and fixed the range so it won't overlap with Unix
IDs.

# grep idmap /etc/samba/smb.conf
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 70000-99999999

I eliminated the "valid users =" line from the homes section.

On Debian, there are a couple of different services. I read that with
4.2, it can run its own winbind service. So I wondered if that can make a
difference.

If I stop winbind, and restart samba...

# /etc/init.d/samba restart
[ ok ] Restarting nmbd (via systemctl): nmbd.service.
[ ok ] Restarting smbd (via systemctl): smbd.service.
[ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
# ps auxww | grep winbind
root 19867 0.0 0.0 12764 948 pts/0 S+ 14:13 0:00 grep
winbind

Then I can connect with smbclient to the system where I never could before.
That would be fine except that ssh requires winbind.
If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
services on their own, then ssh login with AD credentials works,
but I cannot connect with smbclient.

The other system running with winbind allows both smbclient
and ssh connections.

On the problem system:

Winbind on, and smbclient fails.
Winbind off, and smbclient connects.

It doesn't matter if winbind is in /etc/nsswitch.conf
The good working system does not have winbind in the nsswitch.conf

Both systems have the same packages containing winbind in the name.

The error from smbclient is only: session setup failed:
NT_STATUS_UNSUCCESSFUL

tail on the logfile for this client:

[2016/08/08 14:47:46.385401, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [theusername]
succeeded
[2016/08/08 14:47:46.385452, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [theusername] ->
[theusername] -> [theusername] succeeded
[2016/08/08 14:47:46.385511, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 14:47:46.385530, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 14:47:46.385577, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 14:47:46.385587, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 14:47:46.385860, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 14:47:46.385893, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

Both systems can do wbinfo -u or -g (as long as winbind service is running)

I'm not finding anything useful which will trace what is going wrong.

Rowland Penny
Aug 8, 2016, 3:30:05 PM
On Mon, 8 Aug 2016 15:27:44 -0300
francis picabia <fpic...@gmail.com> wrote:

> OK, that was my bad for copy/pasting some config lines I found with
> a report of "this works!" on a bug report (only the second login
> connects bug).
>
> I've included the domain and fixed the range so it won't overlap with
> Unix IDs.
>
> # grep idmap /etc/samba/smb.conf
> idmap config MYDOM : backend = rid
> idmap config MYDOM : range = 70000-99999999
>
> I eliminated the "valid users =" line from the homes section.
>
> On Debian, there are a couple of difference services. I read that
> with 4.2, it can
> run its own winbind service. So I wondered if that can make a
> difference.

I think you could be getting confused here. If you run Samba as a DC,
then yes, from 4.2.0, the separate winbindd binary is used instead of
the 'winbind' built into the samba binary.
On a domain member that is joined to AD, you will need to run
the winbindd binary as well.

>
> If I stop winbind, and restart samba...
>
> # /etc/init.d/samba restart
> [ ok ] Restarting nmbd (via systemctl): nmbd.service.
> [ ok ] Restarting smbd (via systemctl): smbd.service.
> [ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
> # ps auxww | grep winbind
> root 19867 0.0 0.0 12764 948 pts/0 S+ 14:13 0:00 grep
> winbind
>

This shows that 'winbindd' isn't running. If I run a similar command on
a domain member:

rowland@devstation:~$ ps ax | grep winbind
2334 ? Ss 0:11 /usr/local/samba/sbin/winbindd
2532 ? S 0:00 /usr/local/samba/sbin/winbindd
2535 ? S 0:00 /usr/local/samba/sbin/winbindd
2536 ? S 0:01 /usr/local/samba/sbin/winbindd
4731 ? S 0:00 /usr/local/samba/sbin/winbindd
17044 pts/7 S+ 0:00 grep winbind

> Then I can connect with smbclient to the system where I never could
> before. That would be fine except that ssh requires winbind.
> If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
> services on their own, then ssh login with AD credentials works,
> but I cannot connect with smbclient.

If I try to connect from a DC to devstation with smbclient, I get this:

root@dc1:~# smbclient -L //devstation -UAdministrator
Enter Administrator's password:
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]

Sharename Type Comment
--------- ---- -------
homes Disk
data2 Disk
IPC$ IPC IPC Service (Samba 4 Client devstation)
root Disk Home directory of root
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]

Server Comment
--------- -------
DESKTOP-GVRV8IE
DEVSTATION Samba 4 Client devstation

Workgroup Master
--------- -------
SAMDOM DESKTOP-GVRV8IE

> The other system running with winbind allows both smbclient
> and ssh connections.
>
> On the problem system:
>
> Winbind on, and smbclient fails.
> Winbind off, and smbclient connects.
>
> It doesn't matter if winbind is in /etc/nsswitch.conf
> The good working system does not have winbind in the nsswitch.conf
>
> Both systems have the same packages containing winbind in the name.
>

I would check everything. If they are running the same OS and Samba
version etc., then you should get the same results, provided Samba
is running as the same thing, i.e. a domain member.

Rowland

francis picabia
Aug 9, 2016, 9:50:02 AM
I'm fairly certain I'm encountering this bug:

https://bugzilla.samba.org/show_bug.cgi?id=10604

On the first server which was "working properly", it actually fails once
with the getpwuid(4294967295) failed type of error, and on the second
auth attempt, it works.

On the second server which never works while winbind is running,
I'm always seeing the getpwuid failed error.

Just like the bug report, I find the second server works if winbind stops.
My symptoms and error match this bug report very well.

There were some users chiming in who said their drive mapping
always failed rather than only in the first auth attempt.

This samba bug report was where I got the previous range values starting
at 1000 as a supposed fix.

In fact, the Debian bug report says this magic set of idmap values is a
workaround:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001

I don't believe in magic.

Maybe I'll need to take this up on a Debian group
unless there is a better suggestion on a solution.

L.P.H. van Belle
Aug 9, 2016, 10:10:02 AM
Hai,

If you want to try to avoid that bug:
Go here http://downloads.van-belle.nl/samba4/
Get the 4.4.5 packages for jessie there.
Read the readme.txt and install them.

And see if your problem is still there.

They are compiled with the latest ldb from Debian stretch,
which should fix your problem.



Greetz,

Louis




> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of francis picabia
> Sent: Tuesday 9 August 2016 15:43
> To: Rowland Penny
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] why does add_local_groups come up in only one
> system's logs?

L.P.H. van Belle
Aug 9, 2016, 10:20:03 AM
In addition.

UID 4294967295 = nobody
So in my opinion the bug "report" is not a bug.
It's a misconfiguration.

You can test this ..

Set in smb.conf
Guest account = nobody

And check again, what happens now?


Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 9 August 2016 15:58
> To: sa...@lists.samba.org

francis picabia
Aug 9, 2016, 10:50:03 AM
On Tue, Aug 9, 2016 at 11:15 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:

> In addition.
>
> UID 4294967295 = nobody
> So in my options the bug "report" is not a bug.
> Its a mis configuration.
>
> You can test this ..
>
> Set in smb.conf
> Guest account = nobody
>
> And check again, what happens now?
>
>
> Greetz,
>
> Louis
>
>
The problem does not change with that addition and restart of services.

Log still ends with:

[2016/08/09 11:31:54.615106, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216) failed
[2016/08/09 11:31:54.615166, 3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

The user nobody is not set up in AD.

I can do something like:

smbclient -L //servername -U nobody

But this doesn't involve authentication.

francis picabia via samba
Aug 10, 2016, 3:10:03 PM
In case this helps anyone else (searching for the error might bring you
here) who runs Samba in an unsupported way with users in /etc/passwd and
on Active Directory, my solution with Debian's 4.2.10 Samba was
to use Kerberos with ssh (suggested by Rowland in another thread),
and turn off the winbind daemon.

No adjustment to nsswitch.conf is necessary when users are in /etc/passwd
and krb is used in pam.d files. ssh authentication works against AD
and file shares work reliably with AD authentication.

I suspect this may be a solution only while we are on version 4.2, as our
configuration seems to be unsupported.