
Re: [Samba] sometimes users fails to login




First few I noticed.

> map to guest = bad user
> idmap config * : range = 30000-40000
> idmap config BITINTRA : range = 10000-3001000

* and BITINTRA may not overlap with their ranges.

Map to guest = bad user in a server setup? 
Remove that. 

> realm = bitintra.de
Should be  realm = BITINTRA.DE

> winbind enum groups = yes
> winbind enum users = yes
Set to no, these only slow down your server.
And then use: getent passwd username

I suggest you start with these and you might want to read:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Andrea Cucciarre' via samba
> Sent: Tuesday 12 March 2019 12:01
> To: Rowland Penny
> CC: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] sometimes users fails to login
> 
> The OS is OmniOS, the DC is Windows Server (not sure about the release),
> and below the smb.conf.
> I have also noted that they have more trusted domains, but since they
> configured ad idmap only for one domain, then all the other domains use
> tdb idmap
> 
> [global]
> client ldap sasl wrapping = plain
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = yes
> host msdfs = no
> idmap config * : backend = tdb
> idmap config * : range = 30000-40000
> idmap config * : schema_mode = rfc2307
> idmap config BITINTRA : backend = ad
> idmap config BITINTRA : range = 10000-3001000
> idmap config BITINTRA : schema_mode = rfc2307
> kerberos method = secrets and keytab
> load printers = no
> local master = no
> log file = /opt/samba/log/%m.log
> log level = 10
> map acl inherit = Yes
> map to guest = bad user
> os level = 3
> preferred master = no
> realm = bitintra.de
> security = ads
> server string = Data %h
> store dos attributes = Yes
> vfs objects = zfsacl
> winbind enum groups = yes
> winbind enum users = yes
> winbind expand groups = 4
> winbind normalize names = Yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind use default domain = no
> workgroup = BITINTRA
> 
> Thanks
> Andrea
> 
> 
> 
> 
> On 3/12/2019 11:48 AM, Rowland Penny via samba wrote:
> > On Tue, 12 Mar 2019 11:32:46 +0100
> > Andrea Cucciarre' via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hello,
> >>
> >> I have Samba 4.6 as AD domain member and sometimes the users fail to
> >> log in, the issue disappears after some minutes.
> >> I have enabled log level 10 and I can see the following errors:
> >>
> >> 2019/03/12 09:20:32.280799,  5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
> >>     Finding user BITINTRA\U002489
> >> [2019/03/12 09:20:32.281111,  5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:128(Get_Pwnam_internals)
> >>     Trying _Get_Pwnam(), username as given is BITINTRA\U002489
> >> [2019/03/12 09:20:32.281222,  5, pid=15466, effective(0, 0), real(0, 0)] ../source3/lib/username.c:153(Get_Pwnam_internals)
> >>     Get_Pwnam_internals didn't find user [BITINTRA\U002489]!
> >> [2019/03/12 09:20:32.282015,  3, pid=15466, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
> >>     get_user_from_kerberos_info: Username BITINTRA\U002489 is invalid on this system
> >> [2019/03/12 09:20:32.282043,  3, pid=15466, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
> >>     auth3_generate_session_info_pac: Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
> >> [2019/03/12 09:20:32.282196,  3, pid=15466, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> >>     smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:134
> >>
> >> my understanding of the code is that getpwnam fails, which is
> >> supposed to query winbindd.
> >> In the log file log.wb-BITINTRA I can see the following error:
> >>
> >> [2019/03/12 09:20:24.540456, 10, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1014(cm_prepare_connection)
> >>     cm_prepare_connection: connecting to DC WG101SC0002.BITIntra.de for domain BITINTRA
> >> [2019/03/12 09:21:04.540067,  5, pid=15439, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
> >>     tdb(/opt/samba/var/lock/mutex.tdb): tdb_brlock failed (fd=22) at offset 592 rw_type=2 flags=1 len=1
> >> [2019/03/12 09:21:04.540189,  1, pid=15439, effective(0, 0), real(0, 0)] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
> >>     tdb(/opt/samba/var/lock/mutex.tdb): tdb_lock failed on list 106 ltype=2 (Interrupted system call)
> >> [2019/03/12 09:21:04.540219,  0, pid=15439, effective(0, 0), real(0, 0)] ../source3/lib/util_tdb.c:497(tdb_chainlock_with_timeout_internal)
> >>     tdb_chainlock_with_timeout_internal: alarm (40) timed out for key WG101SC0002.BITIntra.de in tdb /opt/samba/var/lock/mutex.tdb
> >> [2019/03/12 09:21:04.540384,  1, pid=15439, effective(0, 0), real(0, 0)] ../source3/lib/server_mutex.c:97(grab_named_mutex)
> >>     Could not get the lock for WG101SC0002.BITIntra.de
> >> [2019/03/12 09:21:04.540508,  0, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1023(cm_prepare_connection)
> >>     cm_prepare_connection: mutex grab failed for WG101SC0002.BITIntra.de
> >> [2019/03/12 09:21:04.540667,  1, pid=15439, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:1320(cm_prepare_connection)
> >>     Failed to prepare SMB connection to WG101SC0002.BITIntra.de: NT_STATUS_POSSIBLE_DEADLOCK
> >>
> >> My understanding is that it was hanging locking an offset in the file
> >> /opt/samba/var/lock/mutex.tdb, so when the timeout elapsed the
> >> process was interrupted (I guess the offset was that of the mutex for
> >> WG101SC0002.BITIntra.de)
> >> Could it be a corrupted mutex.tdb file? A slow responding DC?
> >> Any other suggestion?
> > Can you please post your smb.conf.
> > What OS ?
> > What is your AD DC ?
> >
> > Rowland
> >
> >
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 


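A small check for the points raised in the reply at the top of this message, as an added example that is not part of the original thread or of Samba: it parses smb.conf text and reports overlapping idmap ranges, `map to guest = bad user` with `security = ads`, a lower-case realm, and enabled winbind enumeration. The function names and finding strings are assumptions made for illustration, and the sample input is constructed from the configuration quoted above.

```python
import re

# Constructed input: the relevant lines of the smb.conf quoted in this thread.
SAMPLE = """\
[global]
idmap config * : range = 30000-40000
idmap config BITINTRA : range = 10000-3001000
map to guest = bad user
realm = bitintra.de
security = ads
winbind enum groups = yes
winbind enum users = yes
"""

def parse(text):
    """Return {parameter: value}; names are lower-cased with whitespace collapsed."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[" ".join(name.lower().split())] = value.strip()
    return params

def idmap_overlaps(params):
    """Return pairs of idmap domains whose ID ranges share at least one ID."""
    ranges = []
    for name, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) ?: ?range", name)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges.append((int(r.group(1)), int(r.group(2)), m.group(1).upper()))
    ranges.sort()  # by lower bound, so a later range overlaps if it starts inside
    return [(a[2], b[2]) for i, a in enumerate(ranges)
            for b in ranges[i + 1:] if b[0] <= a[1]]

def review(text):
    """Return one finding string per issue named in the reply."""
    p = parse(text)
    findings = [f"idmap ranges overlap: {a} and {b}" for a, b in idmap_overlaps(p)]
    if p.get("security", "").lower() == "ads" and p.get("map to guest", "").lower() == "bad user":
        findings.append("map to guest = bad user is set on a domain member")
    if p.get("realm", "") != p.get("realm", "").upper():
        findings.append("realm is not upper case")
    enum_keys = ("winbind enum users", "winbind enum groups")
    findings += [f"{k} is enabled" for k in enum_keys if p.get(k, "no").lower() == "yes"]
    return findings

print("\n".join(review(SAMPLE)))
```
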