Created attachment 10143 [details]
samba.log, global smb.conf, smbusermap script
User tries to connect from Windows client, get's a couple failed and eventually some time (1-5 minutes) later succeeds in getting the connection.
Happens with users that do often switch the drives in windows (switching drive x: to different samba shares or windows shares for and back randomly. Sorry, did not invent it. but seems to be "works as designed")
Users are Windows ADS user and gets authenticated (usually successful) through kerberos.
We have them also defined as *nix users, but without a password at all, since they only need the samba shares.
1) How come auth/token_util.c wants to resolve the user as a user defined in samba trying to get the pw uid?
2) Is it not obvious in the first place, that this is a kerberos authenticated user?
3) Why does samba try in the first place - though defined as ads, samba password evaluation? Or do I missinterpret something?
see attached zip file containing log extract generated with auth:10 passdb:10 winbind:10 and follwo user with id = pev where he gets the connection at around "2014/07/22 10:43:50.112735".
also in this zip global-config-section of smb.conf as well as for your information smbusermap.
any other information needed? Please let me know.
PS: Oh, and by the way: great job you guys are doing here!!!!
Created attachment 10144 [details]
Samba.log with log level = 10
samba.log with loglevel 10 showing the unsuccessfull connect..
My guess is your user map script is causing the problem.
Are you running winbindd ?
Yes. We're running winbindd in order to authenticate the connecting user against Windows AD.
This error we just started to encounter recently (meaning since a couple of months, increasing now becoming an annoyance to the users), where as we are using samba since a couple of years so far without any problems.
Could it be that it started to show up either through our samba upgrade from 3.5.8 to 3.6.16 or through a Windows AD - Upgrade? One never knows... :-)
(In reply to comment #3)
> Yes. We're running winbindd in order to authenticate the connecting user
> against Windows AD.
> This error we just started to encounter recently (meaning since a couple of
> months, increasing now becoming an annoyance to the users), where as we are
> using samba since a couple of years so far without any problems.
> Could it be that it started to show up either through our samba upgrade from
> 3.5.8 to 3.6.16 or through a Windows AD - Upgrade? One never knows... :-)
the mapping script:
We have this ever since ... because as I remember correctly, we had to do it because not only human users are connecting, but also technical accounts like mfp printer-scanners sending the scaned document to a samba-share for further processing.
Would that be not needed anymore?
(In reply to comment #2)
> My guess is your user map script is causing the problem.
> Are you running winbindd ?
To your guess of the mapping script:
Since it's production environment not easy to test... still
did it without the usermap script just to see... for ... say half a minute ...
and ... definitely the script is needed...
Oh boy: luckily samba allows the reload ... :-)
without it, i get lots of the following messages immediately in the samba.log file
"create_connection_session_info failed: NT_STATUS_ACCESS_DENIED"
Great job you guys are all doing
no more feedback and most likely not a generic bug. In any case if you see any issues with 4.9 or 4.10, please open a new bug for that. Thank you!