[Samba] why does add_local_groups come up in only one system's logs?

Discussion:

francis picabia

2016-08-08 13:24:03 UTC

I have a couple of Debian 8.5 systems set up in similar manner. Samba is
version 4.2.10-Debian

Here is the essential config...

# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
nt acl support = No
printing = bsd

[homes]
comment = Home Directories
path = %H
valid users = %***@mydom
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes

/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
configuration on both systems. The first one allows a connection
to the homes. Here is a tail on the log file:

[2016/08/08 09:42:49.956619, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN1] with the new password interface
[2016/08/08 09:42:49.956656, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN1]
[2016/08/08 09:42:49.961548, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:42:49.961610, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:42:49.961671, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961699, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:42:49.961772, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337, 3]
../source3/param/loadparm.c:1427(lp_add_home)
adding home's share [username] for user 'username' at '%H'

The second server fails with the add_local_groups and getpwuid:

[2016/08/08 09:53:55.146840, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[MYDOM]\[username]@[DEBIAN2] with the new password interface
[2016/08/08 09:53:55.146867, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[username]@[DEBIAN2]
[2016/08/08 09:53:55.150852, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username] succeeded
[2016/08/08 09:53:55.150902, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] -> [username] ->
[username] succeeded
[2016/08/08 09:53:55.150960, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.150978, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 09:53:55.151036, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

I am so far unable to find why the getpwuid for add_local_groups matters,
or why only one system even mentions it in the logfile trace. The default
group ID is listed in /etc/group for the user and the home directory with
ls -ld looks fine with 700 chmod
for the home directory in both servers.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

francis picabia

2016-08-08 14:48:42 UTC

Permalink

On Mon, 8 Aug 2016 10:24:03 -0300

Post by francis picabia
I have a couple of Debian 8.5 systems set up in similar manner.
Samba is version 4.2.10-Debian
Here is the essential config...
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
nt acl support = No
printing = bsd
[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes
/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the same
configuration on both systems. The first one allows a connection
[2016/08/08 09:42:49.956619, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[2016/08/08 09:42:49.956656, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
[2016/08/08 09:42:49.961548, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
succeeded [2016/08/08 09:42:49.961610, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] ->
[username] -> [username] succeeded
[2016/08/08 09:42:49.961671, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:42:49.961699, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:42:49.961772, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337, 3]
../source3/param/loadparm.c:1427(lp_add_home)
adding home's share [username] for user 'username' at '%H'
[2016/08/08 09:53:55.146840, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[2016/08/08 09:53:55.146867, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
[2016/08/08 09:53:55.150852, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
succeeded [2016/08/08 09:53:55.150902, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] ->
[username] -> [username] succeeded
[2016/08/08 09:53:55.150960, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:53:55.150978, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:53:55.151036, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 ->
getpwuid(16777216) failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token
I am so far unable to find why the getpwuid for add_local_groups
matters, or why only one system even mentions it in the logfile
trace. The default group ID is listed in /etc/group for the user and
the home directory with ls -ld looks fine with 700 chmod
for the home directory in both servers.

Are you using sssd ?
If not, where are you storing the users & groups ?

I've never used sssd anywhere before nor here. We're just trying to make
this work
as it has before with Samba 3.x and security=ads with Active Directory on
MS Windows.

We have /etc/passwd and /etc/group on each system. They are not identical.

If I run: 'net ads group -U username | sort' on each system and compare,
they
show identical groups coming back from AD.

The Group ID on Linux is in the 500 range on the system which works OK, and
in the 1000 range on the system which does not work. Same AD user is
tested with both systems.

We also use winbind on ssh authentication and this works fine on both
systems.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

francis picabia

2016-08-08 18:27:44 UTC

Permalink

On Mon, 8 Aug 2016 11:48:42 -0300

Post by francis picabia

On Mon, 8 Aug 2016 10:24:03 -0300

Post by francis picabia
I have a couple of Debian 8.5 systems set up in similar manner.
Samba is version 4.2.10-Debian
Here is the essential config...
# testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = MYDOM
realm = AD.MYDOM.CA
server string = debian2 Server
security = ADS
log file = /var/log/samba/%m.log
max log size = 50
unix extensions = No
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-1999999
idmap config * : backend = tdb
nt acl support = No
printing = bsd
[homes]
comment = Home Directories
path = %H
read only = No
create mask = 0700
directory mask = 0700
browseable = No
wide links = Yes
/etc/pam.d/samba, /etc/nsswitch.conf and /etc/krb5.conf are the
same configuration on both systems. The first one allows a
[2016/08/08 09:42:49.956619, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[2016/08/08 09:42:49.956656, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
succeeded [2016/08/08 09:42:49.961610, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] ->
[username] -> [username] succeeded
[2016/08/08 09:42:49.961671, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:42:49.961699, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:49.961748, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:42:49.961772, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:42:50.271337, 3]
../source3/param/loadparm.c:1427(lp_add_home)
adding home's share [username] for user 'username' at '%H'
[2016/08/08 09:53:55.146840, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[2016/08/08 09:53:55.146867, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [username]
succeeded [2016/08/08 09:53:55.150902, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [username] ->
[username] -> [username] succeeded
[2016/08/08 09:53:55.150960, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:53:55.150978, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151024, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
[2016/08/08 09:53:55.151036, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 09:53:55.151321, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 ->
getpwuid(16777216) failed
[2016/08/08 09:53:55.151348, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token
I am so far unable to find why the getpwuid for add_local_groups
matters, or why only one system even mentions it in the logfile
trace. The default group ID is listed in /etc/group for the user
and the home directory with ls -ld looks fine with 700 chmod
for the home directory in both servers.

Are you using sssd ?
If not, where are you storing the users & groups ?

I've never used sssd anywhere before nor here. We're just trying to
make this work
as it has before with Samba 3.x and security=ads with Active
Directory on MS Windows.
We have /etc/passwd and /etc/group on each system. They are not identical.
If I run: 'net ads group -U username | sort' on each system and
compare, they
show identical groups coming back from AD.
The Group ID on Linux is in the 500 range on the system which works
OK, and in the 1000 range on the system which does not work. Same AD
user is tested with both systems.
We also use winbind on ssh authentication and this works fine on both
systems.

The way you have Samba setup, ALL your AD users & groups are getting
mixed up i.e. normal users & groups and the well known SIDs
The '*' domain is usually only used for the well known SIDs, I would
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 10000-999999
This is where your users should be mapped to Unix ids, I also wouldn't
have started the '*' range at 1000, this means you cannot have any
normal local Unix users. By using '1000', you will only be able to log
into the Samba machine as the 'root' user if you have network problems
and the AD domain isn't contactable.
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
<https://lists.samba.org/mailman/options/samba>

OK, that was my bad for copy/pasting some config lines I found with
a report of "this works!" on a bug report (only the second login connects
bug).

I've included the domain and fixed the range so it won't overlap with Unix
IDs.

# grep idmap /etc/samba/smb.conf
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 70000-99999999

I eliminated the "valid users =" line from the homes section.

On Debian, there are a couple of difference services. I read that with
4.2, it can
run its own winbind service. So I wondered if that can make a difference.

If I stop winbind, and restart samba...

# /etc/init.d/samba restart
[ ok ] Restarting nmbd (via systemctl): nmbd.service.
[ ok ] Restarting smbd (via systemctl): smbd.service.
[ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
# ps auxww | grep winbind
root 19867 0.0 0.0 12764 948 pts/0 S+ 14:13 0:00 grep
winbind

Then I can connect with smbclient to the system where I never could before.
That would be fine except that ssh requires winbind.
If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
services on their own, then ssh login with AD credentials works,
but I cannot connect with smbclient.

The other system running with winbind allows both smbclient
and ssh connections.

On the problem system:

Winbind on, and smbclient fails.
Winbind off, and smbclient connects.

It doesn't matter if winbind is in /etc/nsswitch.conf
The good working system does not have winbind in the nsswitch.conf

Both systems have the same packages containing winbind in the name.

The error from smbclient is only: session setup failed:
NT_STATUS_UNSUCCESSFUL

tail on the logfile for this client:

[2016/08/08 14:47:46.385401, 3]
../source3/auth/auth.c:249(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [theusername]
succeeded
[2016/08/08 14:47:46.385452, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [theusername] ->
[theusername] -> [theusername] succeeded
[2016/08/08 14:47:46.385511, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 14:47:46.385530, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 14:47:46.385577, 3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
NTLMSSP Sign/Seal - Initialising with flags:
[2016/08/08 14:47:46.385587, 3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62088215
[2016/08/08 14:47:46.385860, 1]
../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/08 14:47:46.385893, 3]
../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
Failed to finalize nt token

Both systems can do wbinfo -u or -g (as long as winbind service is running)

I'm not finding anything useful which will trace what is going wrong.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

francis picabia

2016-08-09 13:42:33 UTC

Permalink

On Mon, 8 Aug 2016 15:27:44 -0300

Post by francis picabia
OK, that was my bad for copy/pasting some config lines I found with
a report of "this works!" on a bug report (only the second login
connects bug).
I've included the domain and fixed the range so it won't overlap with
Unix IDs.
# grep idmap /etc/samba/smb.conf
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 70000-99999999
I eliminated the "valid users =" line from the homes section.
On Debian, there are a couple of difference services. I read that
with 4.2, it can
run its own winbind service. So I wondered if that can make a difference.

I think you could be getting confused here. If you run Samba as a DC,
then yes, from 4.2.0, the separate winbindd binary is used instead of
the 'winbind' built into the samba binary.
On a domain member that is joined to AD, you will need to run
the winbindd binary as well.

Post by francis picabia
If I stop winbind, and restart samba...
# /etc/init.d/samba restart
[ ok ] Restarting nmbd (via systemctl): nmbd.service.
[ ok ] Restarting smbd (via systemctl): smbd.service.
[ ok ] Restarting samba-ad-dc (via systemctl): samba-ad-dc.service.
# ps auxww | grep winbind
root 19867 0.0 0.0 12764 948 pts/0 S+ 14:13 0:00 grep
winbind

This shows that 'winbindd' isn't running, if I run a similar command on
2334 ? Ss 0:11 /usr/local/samba/sbin/winbindd
2532 ? S 0:00 /usr/local/samba/sbin/winbindd
2535 ? S 0:00 /usr/local/samba/sbin/winbindd
2536 ? S 0:01 /usr/local/samba/sbin/winbindd
4731 ? S 0:00 /usr/local/samba/sbin/winbindd
17044 pts/7 S+ 0:00 grep winbind

Post by francis picabia
Then I can connect with smbclient to the system where I never could
before. That would be fine except that ssh requires winbind.
If I stop /etc/init.d/samba and launch nmbd, smbd and winbind as
services on their own, then ssh login with AD credentials works,
but I cannot connect with smbclient.

Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Sharename Type Comment
--------- ---- -------
homes Disk
data2 Disk
IPC$ IPC IPC Service (Samba 4 Client devstation)
root Disk Home directory of root
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Server Comment
--------- -------
DESKTOP-GVRV8IE
DEVSTATION Samba 4 Client devstation
Workgroup Master
--------- -------
SAMDOM DESKTOP-GVRV8IE

Post by francis picabia
The other system running with winbind allows both smbclient
and ssh connections.
Winbind on, and smbclient fails.
Winbind off, and smbclient connects.
It doesn't matter if winbind is in /etc/nsswitch.conf
The good working system does not have winbind in the nsswitch.conf
Both systems have the same packages containing winbind in the name.

I would check everything, if they are running the same OS and Samba
version etc, then you should get the same results etc, provided Samba
is running as the same thing i.e. a domain member

I'm fairly certain I'm encountering this bug:

https://bugzilla.samba.org/show_bug.cgi?id=10604

On the first server which was "working properly", it actually fails once
with the getpwuid(4294967295) failed type of error, and on the second
auth attempt, it works.

On the second server which never works while winbind is running,
I'm always seeing the getpwuid failed error.

Just like the bug report, I find the second server works if winbind stops.
My symptoms and error match this bug report very well.

There were some users chiming in who said their drive mapping
always failed rather than only in the first auth attempt.

This samba bug report was where I got the previous range values starting at
1000
as a supposed fix.

In fact, the Debian bug report says this magic set of idmap values is a
workaround:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001

I don't believe in magic.

Maybe I'll need to take this up on a Debian group
unless there is a better suggestion on a solution.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-08-09 14:15:53 UTC

Permalink

In addition.

UID 4294967295 = nobody
So in my options the bug "report" is not a bug.
Its a mis configuration.

You can test this ..

Set in smb.conf
Guest account = nobody

And check again, what happens now?

Greetz,

Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 9 augustus 2016 15:58
Onderwerp: Re: [Samba] why does add_local_groups come up in only one
system's logs?
Hai,
If you want to try to avoid that bug.
Go here http://downloads.van-belle.nl/samba4/
Get the 4.4.5 packages for jessie there.
Read the readme.txt and install them.
And see if you problem is still there.
The are compiled with the lated ldb from debian stretch.
Which should fix your problem.
Greetz,
Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 9 augustus 2016 15:43
Aan: Rowland Penny
Onderwerp: Re: [Samba] why does add_local_groups come up in only one
system's logs?

On Mon, 8 Aug 2016 15:27:44 -0300

with

Post by francis picabia
Unix IDs.
# grep idmap /etc/samba/smb.conf
idmap config MYDOM : backend = rid
idmap config MYDOM : range = 70000-99999999
I eliminated the "valid users =" line from the homes section.
On Debian, there are a couple of difference services. I read that
with 4.2, it can
run its own winbind service. So I wondered if that can make a difference.

grep

Post by francis picabia
winbind

This shows that 'winbindd' isn't running, if I run a similar command

2334 ? Ss 0:11 /usr/local/samba/sbin/winbindd
2532 ? S 0:00 /usr/local/samba/sbin/winbindd
2535 ? S 0:00 /usr/local/samba/sbin/winbindd
2536 ? S 0:01 /usr/local/samba/sbin/winbindd
4731 ? S 0:00 /usr/local/samba/sbin/winbindd
17044 pts/7 S+ 0:00 grep winbind

Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Sharename Type Comment
--------- ---- -------
homes Disk
data2 Disk
IPC$ IPC IPC Service (Samba 4 Client

devstation)

root Disk Home directory of root
Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Server Comment
--------- -------
DESKTOP-GVRV8IE
DEVSTATION Samba 4 Client devstation
Workgroup Master
--------- -------
SAMDOM DESKTOP-GVRV8IE

I would check everything, if they are running the same OS and Samba
version etc, then you should get the same results etc, provided Samba
is running as the same thing i.e. a domain member

stops.

My symptoms and error match this bug report very well.
There were some users chiming in who said their drive mapping
always failed rather than only in the first auth attempt.
This samba bug report was where I got the previous range values starting at
1000
as a supposed fix.
In fact, the Debian bug report says this magic set of idmap values is a
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001
I don't believe in magic.
Maybe I'll need to take this up on a Debian group
unless there is a better suggestion on a solution.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

francis picabia

2016-08-09 14:41:51 UTC

Permalink

Post by L.P.H. van Belle
In addition.
UID 4294967295 = nobody
So in my options the bug "report" is not a bug.
Its a mis configuration.
You can test this ..
Set in smb.conf
Guest account = nobody
And check again, what happens now?
Greetz,
Louis

The problem does not change with that addition and restart of services.

Log still ends with:

[2016/08/09 11:31:54.615106, 1] ../source3/auth/token_util.c:
430(add_local_groups)
SID S-1-5-21-82194667-1315141139-1877560073-12331 -> getpwuid(16777216)
failed
[2016/08/09 11:31:54.615166, 3] ../source3/auth/token_util.c:
316(create_local_nt_token_from_info3)
Failed to finalize nt token

The user nobody is not set up in AD.

I can do something like:

smbclient -L //servername -U nobody

But this doesn't involve authentication.

Post by L.P.H. van Belle

-----Oorspronkelijk bericht-----

Belle

Verzonden: dinsdag 9 augustus 2016 15:58
Onderwerp: Re: [Samba] why does add_local_groups come up in only one
system's logs?
Hai,
If you want to try to avoid that bug.
Go here http://downloads.van-belle.nl/samba4/
Get the 4.4.5 packages for jessie there.
Read the readme.txt and install them.
And see if you problem is still there.
The are compiled with the lated ldb from debian stretch.
Which should fix your problem.
Greetz,
Louis

-----Oorspronkelijk bericht-----

picabia

Verzonden: dinsdag 9 augustus 2016 15:43
Aan: Rowland Penny
Onderwerp: Re: [Samba] why does add_local_groups come up in only one
system's logs?

On Mon, 8 Aug 2016 15:27:44 -0300

with

grep

Post by francis picabia
winbind

This shows that 'winbindd' isn't running, if I run a similar command

Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Sharename Type Comment
--------- ---- -------
homes Disk
data2 Disk
IPC$ IPC IPC Service (Samba 4 Client

devstation)

I would check everything, if they are running the same OS and Samba
version etc, then you should get the same results etc, provided Samba
is running as the same thing i.e. a domain member

https://bugzilla.samba.org/show_bug.cgi?id=10604
On the first server which was "working properly", it actually fails

once

with the getpwuid(4294967295) failed type of error, and on the second
auth attempt, it works.
On the second server which never works while winbind is running,
I'm always seeing the getpwuid failed error.
Just like the bug report, I find the second server works if winbind

stops.

starting

at
1000
as a supposed fix.
In fact, the Debian bug report says this magic set of idmap values is a
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001
I don't believe in magic.
Maybe I'll need to take this up on a Debian group
unless there is a better suggestion on a solution.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

L.P.H. van Belle

2016-08-09 13:58:05 UTC

Permalink

Hai,

If you want to try to avoid that bug.
Go here http://downloads.van-belle.nl/samba4/
Get the 4.4.5 packages for jessie there.
Read the readme.txt and install them.

And see if you problem is still there.

The are compiled with the lated ldb from debian stretch.
Which should fix your problem.

Greetz,

Louis

-----Oorspronkelijk bericht-----
Verzonden: dinsdag 9 augustus 2016 15:43
Aan: Rowland Penny
Onderwerp: Re: [Samba] why does add_local_groups come up in only one
system's logs?

On Mon, 8 Aug 2016 15:27:44 -0300

Domain=[SAMDOM] OS=[Windows 6.1] Server=[Samba 4.4.4]
Sharename Type Comment
--------- ---- -------
homes Disk
data2 Disk
IPC$ IPC IPC Service (Samba 4 Client

devstation)

I would check everything, if they are running the same OS and Samba
version etc, then you should get the same results etc, provided Samba
is running as the same thing i.e. a domain member

https://bugzilla.samba.org/show_bug.cgi?id=10604
On the first server which was "working properly", it actually fails once
with the getpwuid(4294967295) failed type of error, and on the second
auth attempt, it works.
On the second server which never works while winbind is running,
I'm always seeing the getpwuid failed error.
Just like the bug report, I find the second server works if winbind stops.
My symptoms and error match this bug report very well.
There were some users chiming in who said their drive mapping
always failed rather than only in the first auth attempt.
This samba bug report was where I got the previous range values starting
at
1000
as a supposed fix.
In fact, the Debian bug report says this magic set of idmap values is a
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=803001
I don't believe in magic.
Maybe I'll need to take this up on a Debian group
unless there is a better suggestion on a solution.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Continue reading on narkive:

Search results for '[Samba] why does add_local_groups come up in only one system's logs?' (Questions and Answers)

replies

Windows 7 - Can't logon in to local admin account?

started 2012-01-05 03:19:19 UTC

computer networking

replies

Why does everyone use this? Why not google search?

started 2006-05-14 04:04:41 UTC

society & culture

replies