
[Samba] getpwuid failed for single user on single file share


I have a problem with my Samba installation that I cannot get my head
around. Maybe some of you have a good idea about what is going on.

I have a file share called "adfs02" and an AD DC called "addc02" in the
same site. The error occurs only with this one user, and it worked until
the last password change of that user two days ago.

Here are the outputs of my test case (both done on adfs02):

root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

root@magneto:~# smbclient -L localhost -U arne@int.domain
Enter arne@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]

So, as we can see, the broken user is only broken on the domain member,
but not on the AD DC. How can that be? I tried deleting
/var/lib/samba/winbindd_cache.tdb, but it didn't change anything.
I also checked all the DCs with "samba-tool checkdb", but no errors
were detected.

The configs of both addc02 and adfs02 are attached to this mail.

I would greatly appreciate any help or ideas.

	netbios name = ADFS02
	security = ADS
	workgroup = DOMAIN
	realm = INT.DOMAIN

	logfile = /var/log/samba/%m.log
	log level = 1

	# Default idmap config used for BUILTIN and local windows accounts/groups
	idmap config *:backend = tdb
	idmap config *:range = 2000-9999

	# idmap config for domain DOMAIN
	idmap config DOMAIN:backend = ad
	idmap config DOMAIN:schema_mode = rfc2307
	idmap config DOMAIN:range = 10000-99999

	# Use settings from AD for login shell and home directory
	winbind nss info = rfc2307
	winbind enum users = yes
	winbind enum groups = yes
	winbind use default domain = yes
	winbind refresh tickets = yes

	# fileshare options
	vfs objects = acl_xattr
	map acl inherit = yes
	store dos attributes = yes

# test share

	path = /srv/samba/test
	read only = no

# Global parameters
	workgroup = DOMAIN
	realm = int.domain
	netbios name = ADDC02
	server role = active directory domain controller
	server signing = Auto
	dns forwarder =
	idmap_ldb:use rfc2307 = yes

	path = /var/lib/samba/sysvol/int.domain/scripts
	read only = No

	path = /var/lib/samba/sysvol
	read only = No