
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id




I have a CentOS 7.6 server with Samba 4.8.3 configured as a member of an AD domain using "ads" security and the "nss" idmap backend.

Clients are unable to access the shares on the server - they repeatedly get asked for their credentials.

The smbd log shows the user authenticating, and a mapping from the user's SID to their Unix uid is found. However, it seems that access is denied after Samba attempts and fails to find a mapping from the Domain Users group SID to a gid.

This all works on another server running samba 4.4.4.

smb.conf:

[global]
    workgroup = TESTDOM
    netbios name = member
    realm = TESTDOM.COM
    security = ads
    username map = /etc/samba/users.map
    idmap config TESTDOM: backend = nss
    idmap config TESTDOM: range = 1000-99999
    idmap config * : backend = tdb
    idmap config * : range = 100000-200000
    winbind use default domain = Yes
    hosts allow = ALL

    log level = 99

[projects]
    comment = Projects
    path = /projects
    read only = no
    create mask = 0775
    directory mask = 0775
    force group = defgrp


Log:

sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[2019/03/28 10:24:24.088770, 10, pid=31159, effective(0, 0), real(0, 0), class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
  Adding cache entry with key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-513] and timeout=[Wed Dec 31 19:00:00 1969 EST] (-1553783064 seconds in the past)
[2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
  winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098420,  4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098443,  4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098465,  4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/03/28 10:24:24.098487,  5, pid=31159, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2019/03/28 10:24:24.098508,  5, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:810(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2019/03/28 10:24:24.098549,  4, pid=31159, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2019/03/28 10:24:24.098576, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1209(legacy_sid_to_unixid)
  LEGACY: mapping failed for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098600,  1, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
  sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
[2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
  create_local_token failed: NT_STATUS_NO_SUCH_USER

I have also tried the following settings in the global section (copied from the working server), but get the same result:

    winbind enum users = yes
    winbind enum groups = yes
    use sendfile = Yes
    guest ok = no
    dos filetime resolution = yes
    nt acl support = no
    directory mask = 0775
    follow symlinks = yes
    wide links = yes
    unix extensions = no
    log level = 99
    lanman auth = no
    lm announce = no
    min protocol = NT1
    host msdfs = no

Am I missing something?
Thanks,
David
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
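A small log-triage script, added here as an example (it is not code from the thread or from Samba): it pulls the SID-to-id results out of smbd debug output like the one quoted above, names the well-known RID that failed (513 is Domain Users, the primary group of every AD account, so smbd cannot build the user's token without it) and flags ids that fall outside the domain's configured idmap range. The sample log and smb.conf fragment are constructed from the post; treating the range as a filter on ids the backend returns is an assumption. With the nss backend the gid comes from the system's group database, so the practical follow-up on the 4.8.3 member is whether `getent group 'Domain Users'` resolves at all and, if so, whether the gid lies inside the configured range.

```python
"""Scan smbd debug output for idmap (SID -> uid/gid) results.

Added example for the thread above; it is not code from the post or from
Samba. The log lines and smb.conf fragment below are constructed from the
quoted output, reusing the same SIDs and ranges.
"""
import re

# Constructed from the smb.conf quoted in the post.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TESTDOM
    security = ads
    idmap config TESTDOM: backend = nss
    idmap config TESTDOM: range = 1000-99999
    idmap config * : backend = tdb
    idmap config * : range = 100000-200000
"""

# Constructed from the smbd log quoted in the post (surrounding noise dropped).
SAMPLE_LOG = """\
sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
[2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
  winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
[2019/03/28 10:24:24.098600,  1, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
  sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
[2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
"""

# Well-known domain-relative RIDs (the last SID component). 513 is the
# primary group of every AD user, which is why its mapping is mandatory.
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

SID = r"(S-1-5-21-\d+-\d+-\d+-\d+)"
OK_RE = re.compile(r"sid " + SID + r" -> (uid|gid) (\d+)")
FAIL_RE = re.compile(r"winbind failed to find a (uid|gid) for sid " + SID)
RANGE_RE = re.compile(r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)")


def rid_of(sid):
    """Return the relative identifier (last dash-separated component)."""
    return int(sid.rsplit("-", 1)[1])


def idmap_ranges(smb_conf):
    """Map each 'idmap config <dom> : range' line to a (low, high) tuple."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(smb_conf)}


def parse_idmap_events(log_text):
    """Extract successful and failed SID -> unix id lookups from smbd output."""
    events = []
    for line in log_text.splitlines():
        ok = OK_RE.search(line)
        fail = FAIL_RE.search(line)
        if ok:
            sid, kind, unix_id = ok.group(1), ok.group(2), int(ok.group(3))
        elif fail:
            sid, kind, unix_id = fail.group(2), fail.group(1), None
        else:
            continue
        rid = rid_of(sid)
        events.append({"sid": sid, "rid": rid, "kind": kind, "id": unix_id,
                       "name": WELL_KNOWN_RIDS.get(rid), "ok": unix_id is not None})
    return events


def diagnose(log_text, smb_conf, domain):
    """Summarise why token creation may have failed for the given domain.

    Besides outright lookup failures, ids outside the domain's configured
    idmap range are flagged (assumption: the range filters what winbind
    will accept from the backend; with idmap_nss the gid comes from the
    system group database for the group's name).
    """
    low, high = idmap_ranges(smb_conf)[domain]
    report = {"failed": [], "out_of_range": [],
              "token_failed": "create_local_token failed" in log_text}
    for ev in parse_idmap_events(log_text):
        if not ev["ok"]:
            report["failed"].append(ev)
        elif not low <= ev["id"] <= high:
            report["out_of_range"].append(ev)
    return report


if __name__ == "__main__":
    rep = diagnose(SAMPLE_LOG, SAMPLE_SMB_CONF, "TESTDOM")
    for ev in rep["failed"]:
        print(f"{ev['kind']} mapping failed for {ev['sid']} (RID {ev['rid']}, {ev['name']})")
    for ev in rep["out_of_range"]:
        print(f"{ev['kind']} {ev['id']} for {ev['sid']} lies outside the idmap range")
    print("token creation failed:", rep["token_failed"])
```

Run against a real `log.smbd` captured at `log level = 10` or higher; the `sid ... -> uid/gid` and `winbind failed to find a ...` lines are emitted by the lookup_sid code path shown in the post, so the parser needs no further configuration beyond the domain name used in the `idmap config` lines.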