
Re: [Samba] Samba 4.4.8 AD member ads / nss fails to find group id

On Fri, 29 Mar 2019 09:30:13 -0400
"Thomas, David via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> I have a Centos 7.6 server with samba 4.8.3 configured as a member
> of an AD domain using 'ads' security and the "nss" idmap backend.
> 
> Clients are unable to access the shares on the server - they
> repeatedly get asked for their credentials.
> 
> The smbd log shows the user authenticating and a mapping from the
> user's SID to their unix uid is found. However, it seems that access
> is denied after samba attempts and fails to find a mapping from the
> Domain Users group SID to a gid.
> 
> This all works on another server running samba 4.4.4.
> 
> smb.conf:
> 
> [global]
>      workgroup = TESTDOM
>      netbios name = member
>      realm = TESTDOM.COM
>      security = ads
>      username map = /etc/samba/users.map
>      idmap config TESTDOM: backend = nss
>      idmap config TESTDOM: range = 1000-99999
>      idmap config * : backend = tdb
>      idmap config * : range = 100000-200000
>      winbind use default domain = Yes
>      hosts allow = ALL
> 
>      log level = 99
> 
> [projects]
>      comment = Projects
>      path = /projects
>      read only = no
>      create mask = 0775
>      directory mask = 0775
>      force group = defgrp
> 
> 
> Log:
> 
> sid S-1-5-21-11111111-222222222-333333333-1262 -> uid 1093
> [2019/03/28 10:24:24.088770, 10, pid=31159, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:301(gencache_set_data_blob)
>    Adding cache entry with 
> key=[IDMAP/SID2XID/S-1-5-21-11111111-222222222-333333333-513] and 
> timeout=[Wed Dec 31 19:00:00 1969 EST] (-1553783064 seconds in the
> past) [2019/03/28 10:24:24.098383, 10, pid=31159, effective(0, 0),
> real(0, 0)] ../source3/passdb/lookup_sid.c:1550(sid_to_gid)
>    winbind failed to find a gid for sid 
> S-1-5-21-11111111-222222222-333333333-513
> [2019/03/28 10:24:24.098420,  4, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2019/03/28 10:24:24.098443,  4, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/smbd/uid.c:491(push_conn_ctx)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2019/03/28 10:24:24.098465,  4, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/28 10:24:24.098487,  5, pid=31159, effective(0, 0), real(0,
> 0)] ../libcli/security/security_token.c:53(security_token_debug)
>    Security token: (NULL)
> [2019/03/28 10:24:24.098508,  5, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/auth/token_util.c:810(debug_unix_user_token)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2019/03/28 10:24:24.098549,  4, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/28 10:24:24.098576, 10, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/passdb/lookup_sid.c:1209(legacy_sid_to_unixid)
>    LEGACY: mapping failed for sid
> S-1-5-21-11111111-222222222-333333333-513 [2019/03/28
> 10:24:24.098600,  1, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/auth/token_util.c:1024(create_token_from_sid)
> sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
> [2019/03/28 10:24:24.098625, 10, pid=31159, effective(0, 0), real(0,
> 0)] ../source3/auth/auth_ntlmssp.c:83(auth3_generate_session_info)
> create_local_token failed: NT_STATUS_NO_SUCH_USER
> 
> I have also tried the following settings in the global section
> (copied from the working server), but get the same result:
> 
>      winbind enum users = yes
>      winbind enum groups = yes
>      use sendfile = Yes
>      guest ok = no
>      dos filetime resolution = yes
>      nt acl support = no
>      directory mask = 0775
>      follow symlinks = yes
>      wide links = yes
>      unix extensions = no
>      log level = 99
>      lanman auth = no
>      lm announce = no
>      min protocol = NT1
>      host msdfs = no
> 
> Am I missing something?
> 
> Thanks,
> David

Why are you using a winbind backend that maps Unix users to domain
users in an AD domain, when you should be making your AD users into
Unix users with a backend like the 'rid' or 'ad' ones?

As for your problem, is winbind running?

Rowland
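As an added illustration (not code from either poster), a small Python checker that parses the idmap settings quoted above, flags the nss backend for the AD domain as Rowland's reply advises, checks the domain range against the '*' range, and pulls the failed group SID (RID 513, Domain Users) out of the smbd log; the smb.conf and log lines embedded in it are constructed from the post.

```python
import re
# Constructed sample input: the idmap lines of the smb.conf quoted in the post.
SMB_CONF = """
[global]
     workgroup = TESTDOM
     security = ads
     idmap config TESTDOM: backend = nss
     idmap config TESTDOM: range = 1000-99999
     idmap config * : backend = tdb
     idmap config * : range = 100000-200000
"""
# Constructed sample log lines mirroring the level-10 smbd output in the post.
SMBD_LOG = """
   winbind failed to find a gid for sid S-1-5-21-11111111-222222222-333333333-513
sid_to_gid(S-1-5-21-11111111-222222222-333333333-513) failed
create_local_token failed: NT_STATUS_NO_SUCH_USER
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I | re.M)
GID_FAIL_RE = re.compile(r"sid_to_gid\((S-1-5-21-[\d-]+)\) failed")
AD_BACKENDS = {"rid", "ad"}  # backends the reply recommends for an AD domain

def parse_idmap(conf):
    """Map each idmap domain name to its backend and (lo, hi) id range."""
    cfg = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        entry = cfg.setdefault(dom, {})
        if key.lower() == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val.lower()
    return cfg

def lint_idmap(cfg, workgroup):
    """Return a list of idmap problems for the member server's own domain."""
    issues = []
    dom, default = cfg.get(workgroup, {}), cfg.get("*", {})
    if dom.get("backend") not in AD_BACKENDS:
        issues.append(f"{workgroup}: backend {dom.get('backend')!r} does not "
                      "allocate ids for AD users/groups; use rid or ad")
    if "range" in dom and "range" in default:
        (a, b), (c, d) = dom["range"], default["range"]
        if a <= d and c <= b:  # overlapping ranges are a misconfiguration
            issues.append(f"{workgroup} range overlaps the '*' range")
    return issues

def failed_group_sids(log):
    """SIDs whose gid lookup failed, paired with their RID (513 = Domain Users)."""
    return [(sid, int(sid.rsplit("-", 1)[1])) for sid in GID_FAIL_RE.findall(log)]
```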
