
[Samba] Bug with winbindd


Joffrey AUDIN

Apr 3, 2014, 4:40:02 AM
Hi,

I have a Windows 2012R2 Domain controller and a FreeBSD 10.0 domain member.
I can join the domain.
All these commands are OK and give no error:
wbinfo -u
wbinfo -g
wbinfo -t
wbinfo -S
wbinfo -n
wbinfo -Y

But one fails :
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

I tried to connect to the server over ssh with a domain account, but it fails too.

I set the log level to 10 and I see that :

[2014/04/03 10:20:44.502210, 10, pid=1223, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
SID 0: S-1-5-21-504852097-2741213702-4166728410-500
[2014/04/03 10:20:44.502290, 10, pid=1223, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-504852097-2741213702-4166728410-500]: value=[70003:U]
[2014/04/03 10:20:44.502335, 10, pid=1223, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-504852097-2741213702-4166728410-500]: id=[70003], endptr=[:U]
[2014/04/03 10:20:44.502388, 10, pid=1223, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-0-0)


Why does the SID change from S-1-5-21-504852097-2741213702-4166728410-500 to S-0-0 ???
The lookup_domain_from_sid fails with NT_STATUS_INVALID_PARAMETER


Can I have some help ?

Thank you
--
Joffrey

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
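
The log excerpt in the post above can be triaged mechanically. The following is an added example, not part of the original thread or of Samba: it pairs each debug header with its message body, collects the SIDs passed to wb_sids2xids_send and the idmap cache hits, and reports any find_lookup_domain_from_sid call made with S-0-0. The regular expressions assume the header layout shown in the post; the names `parse`, `triage` and `SUSPECT_SID` are hypothetical.

```python
import re

# Samba debug header: [timestamp, level, pid=..., ...] source.c:line(function)
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s+\d+,.*?\]\s+\S+:\d+\((?P<func>\w+)\)")
SID = re.compile(r"S-\d+(?:-\d+)+")
CACHE = re.compile(r"key \[IDMAP/SID2XID/(?P<sid>S-[\d-]+)\]: value=\[(?P<id>\d+):(?P<type>\w)\]")
SUSPECT_SID = "S-0-0"  # the SID the post asks about

# Log excerpt copied from the post above (winbindd at log level 10).
SAMPLE = """\
[2014/04/03 10:20:44.502210, 10, pid=1223, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
SID 0: S-1-5-21-504852097-2741213702-4166728410-500
[2014/04/03 10:20:44.502290, 10, pid=1223, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-504852097-2741213702-4166728410-500]: value=[70003:U]
[2014/04/03 10:20:44.502335, 10, pid=1223, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-504852097-2741213702-4166728410-500]: id=[70003], endptr=[:U]
[2014/04/03 10:20:44.502388, 10, pid=1223, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-0-0)
"""

def parse(text):
    """Yield (function, message): each header line with the body line(s) that follow it."""
    func, body = None, []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if func:
                yield func, " ".join(body)
            func, body = m.group("func"), []
        elif func and raw.strip():
            body.append(raw.strip())
    if func:
        yield func, " ".join(body)

def triage(text):
    """Return (requested SIDs, cached SID -> (id, type), lookups made with SUSPECT_SID)."""
    requested, cached, suspect = [], {}, []
    for func, msg in parse(text):
        if func == "wb_sids2xids_send":
            requested += SID.findall(msg)
        elif func == "idmap_cache_find_sid2unixid":
            c = CACHE.search(msg)
            if c:  # type letter is kept exactly as logged ("U" in the post)
                cached[c.group("sid")] = (int(c.group("id")), c.group("type"))
        elif func == "find_lookup_domain_from_sid" and SUSPECT_SID in SID.findall(msg):
            suspect.append(msg)
    return requested, cached, suspect

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the excerpt from the post, the requested SID has a cache hit, yet the domain lookup that follows is logged with S-0-0, which is the mismatch the question is about.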

L.P.H. van Belle

Apr 3, 2014, 5:00:02 AM
Since I was already testing with winbind also.

I experience the same on the MEMBER server.

wbinfo -D DOMAIN gives nice all info.
wbinfo -i Administrator
or
wbinfo -i DOMAIN\Administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND

Did not work, BUT on my DC. ...

I get:
wbinfo -i Administrator
INTERNAL\Administrator:*:0:100::/home/INTERNAL/Administrator:/bin/false

(the GID 100 is correct here; I did modify that in my AD)


Greetz,

louis

>-----Original message-----
>From: jau...@adista.fr [mailto:samba-...@lists.samba.org]
>On behalf of Joffrey AUDIN
>Sent: Thursday, 3 April 2014 10:24
>To: 'sa...@lists.samba.org'
>Subject: [Samba] Bug with winbindd

Rowland Penny

Apr 3, 2014, 5:30:03 AM
On 03/04/14 09:52, L.P.H. van Belle wrote:
> Since I was already testing with winbind also.
>
> I experience the same on the MEMBER server.
>
> wbinfo -D DOMAIN gives nice all info.
> wbinfo -i Administrator
> or
> wbinfo -i DOMAIN\Administrator
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>
> Did not work, BUT on my DC. ...
>
> i get :
> wbinfo -i Administrator
> INTERNAL\Administrator:*:0:100::/home/INTERNAL/Administrator:/bin/false
>
> ( the GID 100 is correct here i did modify that in my AD )
>
>
> Greetz,
>
> louis
>
>
I will third that, I get exactly the same results.

Rowland

Joffrey AUDIN

Apr 3, 2014, 5:40:01 AM
I don't understand.
Your AD is a Samba server? In my case, it's a Windows 2012 R2 server. I don't have the 'wbinfo' command.
The problem is with all accounts, not only the administrator.

Joffrey

Rowland Penny

Apr 3, 2014, 5:40:03 AM
This is confused of England here ;-)

You posted:

[quote]

But one fails :
wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator

[unquote]

You have now posted:

[quote]

In my case, it's a Windows 2012 R2 server. I don't have the 'wbinfo' command.

[unquote]


First you have used wbinfo, then suddenly you do not have the wbinfo
command????

Which is it ????

Joffrey AUDIN

Apr 3, 2014, 6:00:02 AM
Sorry,
I said one subcommand of wbinfo.
wbinfo is on my FreeBSD domain member.
The domain controller is the Windows 2012R2 (no wbinfo)

But, I rebooted the Windows Controller and wbinfo -I works on the Unix member.
I need to check why authentication with ssh doesn't work.

Joffrey AUDIN

Apr 3, 2014, 6:00:03 AM
Hmm..
I restarted my samba service, and no, wbinfo -I doesn't work:
(on my FreeBSD domain member)
wbinfo -i adm-me
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user adm-jaudin

I can see the NT_STATUS_INVALID_PARAMETER again in log.winbindd

L.P.H. van Belle

Apr 3, 2014, 6:20:01 AM
Another question, Joffrey.

Since I'm having a lot of trouble setting up privileges,
can you test one thing for me?

Do these work:

net rpc rights list accounts -Uadministrator
and
net rpc rights grant 'YOURDOMAINNAME\Domain Admins' SeDiskOperatorPrivilege -Uadministrator

For the ssh login,

try this (Debian/Ubuntu systems):

cp /etc/pam.d/sshd /etc/pam.d/sshd.original
cat << EOF > /etc/pam.d/sshd
# copy from /etc/pam.d/common-auth - authentication settings common to all services
#
auth sufficient pam_winbind.so
auth [success=1 default=ignore] pam_unix.so nullok_secure use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

# copy from /etc/pam.d/common-account - authorization settings common to all services
#
account sufficient pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

# copy from /etc/pam.d/common-session - session-related modules common to all services
#
session required pam_mkhomedir.so
session required pam_winbind.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
EOF



Greetz,

Louis




>-----Original message-----
>From: jau...@adista.fr [mailto:samba-...@lists.samba.org]
>On behalf of Joffrey AUDIN
>Sent: Thursday, 3 April 2014 11:48
>To: 'Rowland Penny'; sa...@lists.samba.org
>Subject: Re: [Samba] Bug with winbindd

Joffrey AUDIN

Apr 3, 2014, 6:30:02 AM
### first command
net rpc rights list accounts -Uadm-me (I don't have the administrator password, adm-me is an administrator account)
Enter adm-me's password:
BUILTIN\Print Operators
No privileges assigned

BUILTIN\Account Operators
No privileges assigned

BUILTIN\Backup Operators
No privileges assigned

BUILTIN\Server Operators
No privileges assigned

BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

Everyone
No privileges assigned

##### Second command
net rpc rights grant 'EXPLOIT\Domain Admins' seDiskOperatorPrivilege -Uadm-jaudin
Enter adm-jaudin's password:
Successfully granted rights.

### PAM
It's not exactly like this in FreeBSD, but my PAM conf.d is set like yours. I think the problem is with winbindd.