[Samba] Samba domain member and rfc2307 user IDs

Kevin Davidson

Jul 25, 2016, 11:30:03 AM
Having problems with rfc2307 user ids. This was working briefly and now it’s not.

samba and winbind v 2.4.2.10+dfs

wbinfo -u lists all the domain users
wbinfo -g lists all the domain groups

getent group lists all the local groups and the AD domain groups that have a UNIX gid set
getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.

The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.

This is from smb.conf on the domain server:

[global]

netbios name = TERRA
workgroup = DOMAIN
security = ADS
realm = OFFICE.DOMAIN.COM
encrypt passwords = yes

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config DOMAIN:default = yes
idmap config *:backend = tdb
idmap config *:range = 60001-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

What have I done wrong?

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions






Rowland penny

Jul 25, 2016, 11:50:02 AM
You haven't done anything wrong.

The version you are using was released after the badlock patches were
released, your version includes a regression patch and should really be
4.2.11. There have been a few releases since then, these include patches
for regressions caused by the badlock patches, so is there any way you
can upgrade Samba?

Rowland

Kevin Davidson

Jul 25, 2016, 2:40:03 PM

> On 25 Jul 2016, at 16:39, Rowland penny <rpe...@samba.org> wrote:
>
> On 25/07/16 16:02, Kevin Davidson wrote:
>> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>>
>> samba and winbind v 2.4.2.10+dfs
>>
>> […]

>> What have I done wrong?
>>
>
> You haven't done anything wrong.
>
> The version you are using was released after the badlock patches were released, your version includes a regression patch and should really be 4.2.11. There have been a few releases since then, these include patches for regressions caused by the badlock patches, so is there anyway you can upgrade Samba ?
>


It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates. What would you consider best practice?








Rowland penny

Jul 25, 2016, 3:00:03 PM
On 25/07/16 19:32, Kevin Davidson wrote:
>> On 25 Jul 2016, at 16:39, Rowland penny <rpe...@samba.org> wrote:
>>
>> On 25/07/16 16:02, Kevin Davidson wrote:
>>> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>>>
>>> samba and winbind v 2.4.2.10+dfs
>>>
>>> […]
>>> What have I done wrong?
>>>
>> You haven't done anything wrong.
>>
>> The version you are using was released after the badlock patches were released, your version includes a regression patch and should really be 4.2.11. There have been a few releases since then, these include patches for regressions caused by the badlock patches, so is there anyway you can upgrade Samba ?
>>
>
> It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates. What would you consider best practice?
>
>
>
>

I personally think it would be best practise for debian to release a
later version that has the regression patches. As for what you do, your
choices are a bit limited. You could use the free Sernet packages or if
you can afford it, the paid for Sernet packages. You could compile Samba
yourself, this way you could get the latest 4.4.x version or you could
contact Louis van Belle (he posts on here frequently), he has a way of
creating debian Samba debs using later Samba versions, or you could just
wait until debian releases a new version, hopefully this will be sooner
rather than later, as the 4.2.x series will go EOL when 4.5.0 comes out
in about 6 weeks.

Rowland

Blindauer Emmanuel

Jul 25, 2016, 6:00:02 PM
I'm facing the same problem, except that wbinfo -u never returned users
(wbinfo -g works).
wbinfo -i user returned the correct value for some days, and stopped
working.

same packages from jessie, but I have also tested the sernet packages
for 4.2.14 without more success.

I have also some errors showing up with a high level of debug for winbind:

[2016/07/25 23:15:24.221239, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2016/07/25 23:15:24.263941, 5] ../source3/librpc/crypto/gse.c:265(gse_init_client)
gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/07/25 23:15:24.264068, 4] ../auth/gensec/gensec_start.c:679(gensec_start_mech)
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR

My config file:

[global]
workgroup = AD
realm=AD.UNISTRA.FR
log file = /var/log/samba/log.%m
max log size = 100000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
map to guest = bad user

kerberos method = secrets and keytab
idmap config * : backend = tdb2
idmap config * : range = 3000-4000
idmap config AD : backend = ad
idmap config AD : default = yes
idmap config AD : range = 10000-1000000
idmap config AD : schema_mode = rfc2307
idmap config PSI : schema_mode = rfc2307
idmap config PSI : range = 5000-9998

winbind nss info = rfc2307
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes


Emmanuel Blindauer

Jul 26, 2016, 4:10:03 AM
I need to correct: I had a typo. With the sernet packages, winbind works,
and faster. It still doesn't get wbinfo -u to return users, but I think wbinfo
times out before getting all 140k users; WB logs still show retrieving users.

Emmanuel

Kevin Davidson

Jul 28, 2016, 7:20:03 PM
So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies)

root@terra:~# apt-cache policy samba
samba:
  Installed: 2:4.4.5+dfsg-2~bpo8+1
  Candidate: 2:4.4.5+dfsg-2~bpo8+1
  Version table:
 *** 2:4.4.5+dfsg-2~bpo8+1 0
        500 file:/var/www/html/debian/ jessie/ Packages
        100 /var/lib/dpkg/status
     2:4.2.10+dfsg-0+deb8u3 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
     2:4.1.17+dfsg-2+deb8u2 0
        500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
root@terra:~# apt-cache policy winbind
winbind:
  Installed: (none)
  Candidate: 2:4.2.10+dfsg-0+deb8u3
  Version table:
     2:4.2.10+dfsg-0+deb8u3 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.1.17+dfsg-2+deb8u2 0
        500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages

And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.

Which logs should I be looking in to see what’s going wrong?

I can see this in /var/log/samba/log.winbindd-idmap

[2016/07/28 23:48:52.614025, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.623870, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.632863, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.641460, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.650196, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX

And that coincides with the attempts at getent passwd. The SIDs listed do not have any RFC2307 data (they’re the Administrator account, the Samba created dns account, Domain Users group etc).

And log.smbd has this for an attempted SMB connection

[2016/07/29 00:02:16.338378, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/29 00:02:16.338563, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/29 00:02:16.338671, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 73 (0 toread)
[2016/07/29 00:02:16.338736, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 1029) conn 0x0
[2016/07/29 00:02:16.340138, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [NT LM 0.12]
[2016/07/29 00:02:16.340202, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.002]
[2016/07/29 00:02:16.340230, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.???]
[2016/07/29 00:02:16.340435, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2016/07/29 00:02:16.432338, 3] ../source3/smbd/negprot.c:711(reply_negprot)
Selected protocol SMB 2.???
[2016/07/29 00:02:16.471838, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2016/07/29 00:02:16.624918, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.711303, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.711450, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.711567, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/29 00:02:16.711741, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/29 00:02:16.712184, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/29 00:02:16.712273, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/29 00:02:16.712409, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/29 00:02:16.713201, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.713251, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.725937, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.726003, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726057, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726136, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:16.772344, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.814492, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.814595, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.814676, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/29 00:02:16.814868, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/29 00:02:16.815357, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/29 00:02:16.815460, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/29 00:02:16.815617, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/29 00:02:16.815893, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.815940, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.827000, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.827064, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827139, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827205, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:28.359747, 2] ../source3/smbd/server.c:576(remove_child_pid)
Could not find child 1032 -- ignoring







Rowland penny

Jul 29, 2016, 4:20:04 AM
You don't mention adding a uidNumber attribute to the users, have you
done this ?

To get the winbind 'ad' backend to work on a domain member, you need to
give each AD user a unique uidNumber attribute, you must also give
Domain Users a gidNumber attribute.

if you want 'getent passwd' & 'getent group' to work, you need to add:

winbind enum users = yes
winbind enum groups = yes

to smb.conf

Rowland

L.P.H. van Belle

Jul 29, 2016, 4:40:03 AM
Hai,

I’ve added some extra info on the upgrade problem.
The full info can be found here:
https://downloads.van-belle.nl/samba4/upgrade-problems.txt
I’ve added the outputs of one of my server upgrades so people can see exactly what happens.

And I’m missing one mail on the list, so a summary of the depend thing
(same is in the upgrade-problems.txt).

The error is due to:
trying to overwrite '/usr/share/man/man8/vfs_glusterfs.8.gz'

You have 2 options.

1) Remove samba and reinstall the 4.4.5 (but without data loss or config losses)

apt-get remove samba winbind
# remove each installed package whose dpkg -l line mentions samba (package name is column 2)
for x in $(dpkg -l | awk '/samba/ {print $2}'); do apt-get remove "$x"; done
apt-get install samba winbind

or

2) Just upgrade, and do this simple fix.

apt-get upgrade

Now it fails at:

Errors were encountered while processing:
 /var/cache/apt/archives/samba-vfs-modules_2%3a4.4.5+dfsg-2~bpo8+1_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Fix:

dpkg -i --force-all /var/cache/apt/archives/samba-vfs-modules_2%3a4.4.5+dfsg-2~bpo8+1_i386.deb
apt-get -f install   (or again apt-get upgrade)

Done.

You now have a good working samba 4.4.5 on debian.

Greetz,

Louis

Kevin Davidson

Jul 31, 2016, 7:10:03 PM
In an earlier message, yes.

>
> To get the winbind 'ad' backend to work on a domain member, you need to give each AD user a unique uidNumber attribute, you must also give Domain Users a gidNumber attribute.

This last part has solved one problem. Giving Domain Users a gid has fixed the problems with getent passwd. And an ls -l of shared directories now shows the proper ownership of files.

But SMB connections to shares are still failing with NT_STATUS_NO_SUCH_USER

[2016/07/31 23:53:55.102317, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.102509, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.102839, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2016/07/31 23:53:55.107288, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2016/07/31 23:53:55.152956, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.153156, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.153255, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 73 (0 toread)
[2016/07/31 23:53:55.153298, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 934) conn 0x0
[2016/07/31 23:53:55.154569, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [NT LM 0.12]
[2016/07/31 23:53:55.154636, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.002]
[2016/07/31 23:53:55.154658, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.???]
[2016/07/31 23:53:55.154824, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2016/07/31 23:53:55.246565, 3] ../source3/smbd/negprot.c:711(reply_negprot)
Selected protocol SMB 2.???
[2016/07/31 23:53:55.285751, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2016/07/31 23:54:06.780444, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.823840, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.823991, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.824171, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.824400, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.824854, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.824948, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.825113, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.825943, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.825990, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.860082, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860136, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860214, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/31 23:54:06.906727, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.952704, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.952816, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.952907, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.953062, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.953547, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.953637, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.953771, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.954021, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.954101, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.965389, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.965457, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965485, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965553, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134







Rowland penny

Aug 1, 2016, 4:00:03 AM
On 31/07/16 23:58, Kevin Davidson wrote:
>> But SMB connections to shares are still failing with NT_STATUS_NO_SUCH_USER
>>
>> check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
>> [2016/07/31 23:54:06.825990, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>> check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
>> [2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
>> Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.

You are trying with the Administrator account and this doesn't exist, so
you need to map this to the 'root' user. Add this to smb.conf:

username map = /etc/samba/user.map

and then create /etc/samba/user.map with this content:

!root = DOMAIN\Administrator DOMAIN\administrator Administrator administrator

Restart Samba and try again.

Rowland
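
The conditions raised in the replies above (each AD user needs a unique uidNumber, Domain Users needs a gidNumber, and an account with no uidNumber such as Administrator needs a username map entry) can be checked offline before touching winbind. This is an added example, not code from the thread or from the Samba project: the user list, the gidNumber 1100 and all function names are constructed for illustration, and it assumes the ad backend ignores IDs outside the configured idmap range.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the smb.conf quoted in the thread.
SMB_CONF = """\
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config *:backend = tdb
idmap config *:range = 60001-9999999
"""
# The username map entry given in the last reply of the thread.
USER_MAP = "!root = DOMAIN\\Administrator DOMAIN\\administrator Administrator administrator\n"
# Constructed directory export: (sAMAccountName, uidNumber, primary group).
USERS = [
    ("alice", 1001, "Domain Users"),
    ("bob", 1001, "Domain Users"),        # same uidNumber as alice
    ("carol", 500, "Domain Users"),       # below the DOMAIN range
    ("dave", 1004, "Domain Users"),
    ("Administrator", None, "Domain Users"),
    ("svc-scan", None, "Domain Users"),
]


def idmap_settings(conf):
    """Collect 'idmap config <domain>:<option> = <value>' lines per domain."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)
    out = {}
    for domain, option, value in pat.findall(conf):
        out.setdefault(domain.upper(), {})[option.lower()] = value
    return out


def username_map(text):
    """Parse 'unixname = win1 win2 ...' lines; quoted names with spaces are not handled."""
    mapped = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, wins = line.lstrip("!").split("=", 1)
        for win in wins.split():
            mapped[win.lower()] = unix.strip()
    return mapped


def audit(users, group_gids, low, high, mapped, workgroup):
    """Return {account: finding} for the conditions discussed in the thread."""
    uid_counts = Counter(uid for _, uid, _ in users if uid is not None)
    findings = {}
    for name, uid, group in users:
        gid = group_gids.get(group)
        unix = mapped.get(f"{workgroup}\\{name}".lower()) or mapped.get(name.lower())
        if uid is None:
            findings[name] = f"mapped to {unix}" if unix else "no uidNumber"
        elif not low <= uid <= high:
            findings[name] = "uidNumber outside idmap range"
        elif uid_counts[uid] > 1:
            findings[name] = "duplicate uidNumber"
        elif gid is None:
            findings[name] = "primary group has no gidNumber"
        elif not low <= gid <= high:
            findings[name] = "gidNumber outside idmap range"
        else:
            findings[name] = "ok"
    return findings


def run(group_gids):
    """Audit the constructed users against the DOMAIN range from SMB_CONF."""
    low, high = (int(n) for n in idmap_settings(SMB_CONF)["DOMAIN"]["range"].split("-"))
    return audit(USERS, group_gids, low, high, username_map(USER_MAP), "DOMAIN")


if __name__ == "__main__":
    for label, gids in (("before", {"Domain Users": None}), ("after", {"Domain Users": 1100})):
        for account, finding in run(gids).items():
            print(f"{label:6} {account:14} {finding}")
```

Duplicate uidNumbers are reported because two AD accounts sharing one UID also share ownership of each other's files on the member server.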