
Re: [Samba] getpwuid failed for single user on single file share





On 02/14/2018 07:46 PM, Rowland Penny via samba wrote:
> On Wed, 14 Feb 2018 19:05:34 +0100
> Arne Zachlod via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
>> Hello,
>>
>> I have a problem with my samba installation I can not get my head
>> around, maybe some of you have a good idea about what is going on.
>>
>> I have a file share called "adfs02" and an AD DC called "addc02" in
>> the same site. The error occurs only with this one user, and it
>> worked until the last password change of that user two days ago.
>>
>> Here are the outputs of my test case (both done on adfs02):
>>
>> root@adfs02:~# smbclient -L localhost -U brokenuser@int.domain
>> Enter brokenuser@int.domain's password:
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>> root@magneto:~# smbclient -L localhost -U arne@int.domain
>> Enter arne@int.domain's password:
>> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
>> ...
>>
>> root@magneto:~# smbclient -L addc02.int.becit.de -U brokenuser@int.domain
>> Enter brokenuser@int.domain's password:
>> Domain=[BECIT] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
>> ...
>>
>> So, as we can see, the broken user is only broken on the domain
>> member, but not on the AD DC, how can that be? I tried deleting
>> /var/lib/samba/wimbindd_cache.tdb, but it didn't change anything.
>> I also checked all the DCs with "samba-tool checkdb", but no errors
>> were detected.
>>
> 
> I take it that the DCs real name is 'magneto' (HINT: if you are going
> to sanitize things, please be consistent)

yes, did overlook that, damn.

> If you run 'smbclient -L adfs02.int.becit.de -U brokenuser@int.domain'
> on 'adfs02', does this work?

no, same error:
root@adfs02:~# smbclient -L adfs02.int.domain -U brokenuser@int.domain
Enter brokenuser@int.domain's password:
session setup failed: NT_STATUS_UNSUCCESSFUL

but I forgot the most important part, in /var/log/samba/__1.log on
adfs02 it says:

[2018/02/14 18:51:29.614082,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-456140246-2344957557-3140247660-1174 -> getpwuid(10026) failed
[2018/02/14 18:51:29.614128,  1] ../source3/smbd/sesssetup.c:282(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL

> Does 'getent passwd brokenuser' produce any output when run on 'adfs02'
> ?

root@adfs02:~# getent passwd brokenuser
brokenuser:*:10026:10000::/home/brokenuser:/bin/sh

> Have you tried changing the password again ?

I don't know exactly what the user did, but I changed the password
afterwards (as in after the bug report) and it works on our other
fileshares, just not on adfs02.

Arne

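
Added example, not part of the original message and not Samba code: a small Python check that pulls the "getpwuid(N) failed" records out of an smbd log and then compares the by-name and by-uid NSS lookups for the account, which is the pair of results the thread shows disagreeing. The function names, the result labels and the sample log text (constructed from the lines quoted above) are assumptions of this example.

```python
import pwd
import re

# Constructed sample: the two log records quoted in the post, unwrapped.
SAMPLE_LOG = """\
[2018/02/14 18:51:29.614082,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-456140246-2344957557-3140247660-1174 -> getpwuid(10026) failed
[2018/02/14 18:51:29.614128,  1] ../source3/smbd/sesssetup.c:282(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FAILURE = re.compile(r"SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")

def find_getpwuid_failures(log_text):
    """Return [(timestamp, sid, uid)] for every 'getpwuid(N) failed' record."""
    records = []
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            records.append([header.group(1), ""])
        elif records:
            # Continuation line; also rejoins records that a mailer wrapped.
            records[-1][1] += " " + line.strip()
    hits = []
    for timestamp, body in records:
        failure = FAILURE.search(body)
        if failure:
            hits.append((timestamp, failure.group(1), int(failure.group(2))))
    return hits

def _lookup(resolver, key):
    try:
        return resolver(key)
    except KeyError:          # pwd raises KeyError when NSS has no entry
        return None

def compare_lookups(uid, name, by_uid=pwd.getpwuid, by_name=pwd.getpwnam):
    """Classify how NSS answers for one account, by name and by uid."""
    named, numbered = _lookup(by_name, name), _lookup(by_uid, uid)
    if named is None and numbered is None:
        return "unknown-to-nss"
    if numbered is None:
        return "uid-lookup-fails"      # the combination seen in this thread's output
    if named is None:
        return "name-lookup-fails"
    if named.pw_uid != uid or numbered.pw_name != named.pw_name:
        return "name-uid-mismatch"
    return "consistent"
```

On the member server, feed the function the smbd log text and call compare_lookups(uid, "brokenuser") for each uid it reports; the default resolvers go through the same NSS configuration that getent uses.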