Re: [Samba] Samba login failure: getpwuid failed




Hi Rowland,
Thanks for the reply. I did as you suggested and did not see any change in
my system behavior.

I put everything back the way it was. Then I noticed that I have an
identical system (so I think) right next to it, on the same rack, connected
to the same switch, with the same OS and hardware, and it is working 100%.

Fundamentally, I cannot su to my user "developer_prod" as the "id" utility
complains that it "cannot find user for ID 16777216". I believe something
is wrong with winbind, and I don't know what it is.

Does winbind use the smb.conf file?


On Sun, May 7, 2017 at 9:34 AM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Sun, 7 May 2017 09:04:25 -0500
> Michael Schwager via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Hello,
> > I cannot access a remote drive using Windows or smbclient; my
> > authentication appears successful according to the samba log file, but
> > `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> > 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3.  The logfile
> > shows:
> >
> >     [2017/05/06 22:57:48.729284,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
> >       check_ntlm_password:  authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
> >     [2017/05/06 22:57:48.731091,  1] ../source3/auth/token_util.c:430(add_local_groups)
> >       SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
> >     [2017/05/06 22:57:48.731164,  1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
> >       Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
> >
> > Strangely, the SID corresponds to a local user:
> >
> >     # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
> >     NY4010\developer_prod 1
> >
> > (ny4010 is my samba server machine) Even though on the client I am
> > logging in using a domain user:
> >
> >     $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
> >     session setup failed: NT_STATUS_UNSUCCESSFUL
> >
> > Here is my smb.conf file:
> >
> >     [global]
> >        workgroup = MYDOMAIN
> >        password server = my_domain_server.mydomain.local
> >        realm = MYDOMAIN.LOCAL
> >        security = ads
> >        idmap config * : range = 16777216-33554431
> >        template homedir = /home/%U
> >        template shell = /bin/bash
> >        kerberos method = secrets only
> >        winbind use default domain = true
> >        winbind offline logon = false
> >        log level = 2
> >        encrypt passwords = yes
> >            unix extensions = no
> >             server string = Samba Server Version %v
> >             log file = /var/log/samba/log.%m
> >             max log size = 50
> >             security = ads
> >             passdb backend = tdbsam
> >             realm = MYDOMAIN.LOCAL
> >             password server = my_domain_server.mydomain.local
> >             local master = no
> >     [homes]
> >             comment = Home Directories
> >             browseable = no
> >             writable = yes
> >     [release]
> >            comment = Shared directory: /prod
> >            path = /prod
> >            browseable = yes
> >            read only = no
> >            valid users = developer_prod
> >            guest ok = yes
> >            public = yes
> >            follow symlinks = yes
> >            wide links = yes
> >            force user = developer_prod
> >     [log]
> >            comment = Shared directory: /prod/log
> >            path = /prod/log
> >            browseable = yes
> >            read only = yes
> >            guest ok = yes
> >            public = yes
> >
> > my nsswitch.conf file looks like:
> >     passwd:     files winbind
> >
> > I think the smoking gun here is that a local user's SID is showing up
> > in that "getpwuid() failed" line...
> >
> > Thanks.
>
> Are you using sssd? If so, remove 'winbind' from the 'passwd' line
> in /etc/nsswitch.conf and put back the 'sss' that you must have removed.
> Remove winbind and then go and ask on the sssd-users mailing list; you
> cannot use sssd and winbind.
>
> If however, you are not using sssd, then add winbind to the group line
> in /etc/nsswitch.conf then make [global] in smb.conf look like this:
>
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.LOCAL
>     server string = Samba Server Version %v
>     security = ads
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind use default domain = true
>     log level = 2
>     unix extensions = no
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     local master = no
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config MYDOMAIN : backend = rid
>     idmap config MYDOMAIN : range = 10000-999999
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
-Mike Schwager
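
As an added example (not part of either message and not Samba code), the following Python sketch parses the `idmap config` lines from the two `[global]` sections quoted above, reports which idmap domain's range contains a given Unix ID such as the 16777216 in the log, and flags a missing per-domain section or overlapping ranges. The helper names are hypothetical; the rid calculation uses the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID.

```python
import re
# Helper names are illustrative; this is an added sketch, not Samba code.
# [global] idmap lines as posted in this thread (other options omitted).
ORIGINAL = """[global]
   workgroup = MYDOMAIN
   idmap config * : range = 16777216-33554431
"""
SUGGESTED = """[global]
   workgroup = MYDOMAIN
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {DOMAIN: {"backend": str or None, "range": (low, high) or None}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            entry = domains.setdefault(m.group(1).upper(), {"backend": None, "range": None})
            if m.group(2).lower() == "range":
                low, high = m.group(3).split("-")
                entry["range"] = (int(low), int(high))
            else:
                entry["backend"] = m.group(3)
    return domains

def owners_of(domains, unix_id):
    """idmap domains whose configured range contains unix_id."""
    return [d for d, e in domains.items()
            if e["range"] and e["range"][0] <= unix_id <= e["range"][1]]

def lint(domains, workgroup):
    """Findings: missing per-domain section, and ranges that overlap."""
    findings = []
    if workgroup.upper() not in domains:
        findings.append(f"no 'idmap config {workgroup}' section; only the default '*' applies")
    ranged = sorted((e["range"], d) for d, e in domains.items() if e["range"])
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"ranges of {d1} and {d2} overlap")
    return findings

def rid_to_unix_id(id_range, rid, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (None if outside range)."""
    unix_id = rid - base_rid + id_range[0]
    return unix_id if unix_id <= id_range[1] else None
```

The output of `testparm -s` can be passed to `parse_idmap` in place of the embedded strings; a finding from `lint` is a configuration observation, not proof of the cause of the `getpwuid` failure.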