
Re: [Samba] Setup of Samba with Solaris 11.3 to provide Unix File Shares to Windows Users




Dear Rowland,

Our Windows admin assured me that they have set uidNumber and gidNumber in
the range. I have requested screenshots for confirmation.

Now we are one step further: "getent passwd | grep mdecker" now lists the
AD account.

mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

With "getent passwd mdecker" however, it shows "NT_STATUS_NO_SUCH_USER".

getent passwd mdecker

winbindd_getpwnam: My domain -- rejecting getpwnam() for MYDOM\mdecker.
Could not convert sid S-0-0: NT_STATUS_NO_SUCH_USER

Also not working:

getnet passwd mdecker
getent passwd "MYDOM\\mdecker"

What is working, though, is when I give the REALM suffix ".ADS":

getent passwd "MYDOM.ADS\\mdecker"
mdecker:*:13667:7142:Decker, Martin:/home/MYDOM/mdecker:/bin/false

For "getent group", the current issue is "rejecting getgrsid()", although
the group "DOMAIN USERS" was successfully resolved from name to SID.

getent group "MYDOM\\DOMÄNEN-BENUTZER"

wcache_save_name_to_sid: MYDOM\DOMÄNEN-BENUTZER -> S-1-5-21-1585417398-3384821309-2524188735-513 (NT_STATUS_OK)
winbindd_getgrsid: My domain -- rejecting getgrsid() for S-1-5-21-1585417398-3384821309-2524188735-513
Could not convert sid S-1-5-21-1585417398-3384821309-2524188735-513: NT_STATUS_NO_SUCH_GROUP

Is there anything else to set up on the Windows side in order for getgrsid to
work?

With wbinfo, I can do these successfully:

wbinfo --sid-to-uid "S-1-5-21-1585417398-3384821309-2524188735-13667"
13667


root@solaris1:/# wbinfo --uid-info=13667
mdecker:*:13667:7142::/home/MYDOM/mdecker:/bin/false

... but "wbinfo -r" does not work:

root@solaris1:/# wbinfo -r mdecker
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user mdecker

Testing access to a Solaris SMB share from Windows reports this error when
trying to mount the share:


[2017/08/21 17:19:44.281527,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [mdecker@xxxxxxxxx]
[2017/08/21 17:19:44.281680, 10] auth/user_krb5.c:82(get_user_from_kerberos_info)
  Domain is [MYDOM] (using PAC)
[2017/08/21 17:19:44.281747,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user MYDOM\mdecker
[2017/08/21 17:19:44.281805,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is MYDOM\mdecker
[2017/08/21 17:19:44.283946,  5] lib/username.c:123(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is MYDOM\mdecker
[2017/08/21 17:19:44.284685,  5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MYDOM\MDECKER
[2017/08/21 17:19:44.285073,  5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in MYDOM\mdecker
[2017/08/21 17:19:44.285150,  5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [MYDOM\mdecker]!
[2017/08/21 17:19:44.285222,  5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user mdecker
[2017/08/21 17:19:44.285323,  5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is mdecker
[2017/08/21 17:19:44.285755,  5] lib/username.c:133(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is MDECKER
[2017/08/21 17:19:44.286128,  5] lib/username.c:142(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in mdecker
[2017/08/21 17:19:44.286197,  5] lib/username.c:148(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [mdecker]!
[2017/08/21 17:19:44.287762,  1] auth/user_krb5.c:161(get_user_from_kerberos_info)
  Username MYDOM\mdecker is invalid on this system
[2017/08/21 17:19:44.287963,  3] smbd/error.c:77(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Any ideas?

Best regards,
Martin




2017-08-18 17:48 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>:

> On Fri, 18 Aug 2017 17:32:34 +0200
> Martin Decker via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Thank you for your feedback. I have changed the parameters, but still
> > no success.
> >
> > winbind use default domain = yes
> >          idmap config * : range = 1000000-1999999
> >          idmap config MYDOM : range = 100-999999
> >
>
> You are using the winbind 'ad' backend, so do your AD domain users
> have a uidNumber attribute containing a unique number inside the range
> '100-999999' AND does 'Domain Users' have a gidNumber attribute
> containing a number in the same range?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
--
Martin Decker