
Re: [Samba] Samba login failure: getpwuid failed




On Sun, 7 May 2017 09:04:25 -0500
Michael Schwager via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> I cannot access a remote drive using Windows or smbclient; my
> authentication appears successful according to the samba log file, but
> `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3.  The logfile
> shows:
> 
>     [2017/05/06 22:57:48.729284,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
>       check_ntlm_password:  authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
>     [2017/05/06 22:57:48.731091,  1] ../source3/auth/token_util.c:430(add_local_groups)
>       SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
>     [2017/05/06 22:57:48.731164,  1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
>       Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
> 
> Strangely, the SID corresponds to a local user:
> 
>     # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
>     NY4010\developer_prod 1
> 
> (ny4010 is my samba server machine) Even though on the client I am
> logging in using a domain user:
> 
>     $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
>     session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> Here is my smb.conf file:
> 
>     [global]
>        workgroup = MYDOMAIN
>        password server = my_domain_server.mydomain.local
>        realm = MYDOMAIN.LOCAL
>        security = ads
>        idmap config * : range = 16777216-33554431
>        template homedir = /home/%U
>        template shell = /bin/bash
>        kerberos method = secrets only
>        winbind use default domain = true
>        winbind offline logon = false
>        log level = 2
>        encrypt passwords = yes
>            unix extensions = no
>             server string = Samba Server Version %v
>             log file = /var/log/samba/log.%m
>             max log size = 50
>             security = ads
>             passdb backend = tdbsam
>             realm = MYDOMAIN.LOCAL
>             password server = my_domain_server.mydomain.local
>             local master = no
>     [homes]
>             comment = Home Directories
>             browseable = no
>             writable = yes
>     [release]
>            comment = Shared directory: /prod
>            path = /prod
>            browseable = yes
>            read only = no
>            valid users = developer_prod
>            guest ok = yes
>            public = yes
>            follow symlinks = yes
>            wide links = yes
>            force user = developer_prod
>     [log]
>            comment = Shared directory: /prod/log
>            path = /prod/log
>            browseable = yes
>            read only = yes
>            guest ok = yes
>            public = yes
> 
> My nsswitch.conf file looks like:
>     passwd:     files winbind
> 
> I think the smoking gun here is that a local user's SID is showing up
> in that "getpwuid() failed" line...
> 
> Thanks.

Are you using sssd? If so, then remove 'winbind' from the 'passwd' line
in /etc/nsswitch.conf and put back the 'sss' that you must have removed.
Remove winbind and then go and ask on the sssd-users mailing list; you
cannot use sssd and winbind.

If, however, you are not using sssd, then add winbind to the group line
in /etc/nsswitch.conf, then make [global] in smb.conf look like this:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server string = Samba Server Version %v
    security = ads
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    log level = 2
    unix extensions = no
    log file = /var/log/samba/log.%m
    max log size = 50
    local master = no

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
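
Added example (not part of the original thread and not Samba project code): a Python check for the two things the reply above asks for, idmap ranges in smb.conf that do not overlap, and winbind present on both the passwd and group lines of nsswitch.conf without sss beside it. The function names and the sample file contents are constructed for illustration.

```python
import re
from itertools import combinations

# Matches e.g. "idmap config MYDOMAIN : range = 10000-999999"
IDMAP_RANGE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.I | re.M)

def idmap_ranges(smb_conf: str) -> dict:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in IDMAP_RANGE.finditer(smb_conf)}

def overlapping(ranges: dict) -> list:
    """Return pairs of domains whose Unix ID ranges intersect."""
    pairs = combinations(sorted(ranges.items()), 2)
    return [(a, b) for (a, ra), (b, rb) in pairs
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def nss_problems(nsswitch: str) -> list:
    """Flag passwd/group lines that lack winbind or list it together with sss."""
    sources = {}
    for line in nsswitch.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            sources[db.strip()] = rest.split()
    problems = []
    for db in ("passwd", "group"):
        srcs = sources.get(db, [])
        if "winbind" not in srcs:
            problems.append(f"{db}: winbind missing")
        elif "sss" in srcs:
            problems.append(f"{db}: sss and winbind both listed")
    return problems

# Constructed sample input: the idmap lines from the suggested [global] section
# and an nsswitch.conf where only the passwd line has winbind.
RECOMMENDED = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-999999
"""
NSSWITCH = "passwd:     files winbind\ngroup:      files\n"

if __name__ == "__main__":
    print("overlaps:", overlapping(idmap_ranges(RECOMMENDED)))
    print("nsswitch:", nss_problems(NSSWITCH))
```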
