Bug 10733 - getpwuid(<uid>) for user <user> failed (auth/token_util.c:683)
getpwuid(<uid>) for user <user> failed (auth/token_util.c:683)
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
3.6.16
PPC AIX
: P5 critical
: ---
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-22 09:38 UTC by suva-basis
Modified: 2014-07-28 07:24 UTC (History)
1 user (show)

See Also:


Attachments
samba.log, global smb.conf, smbusermap script (40.74 KB, application/octet-stream)
2014-07-22 09:38 UTC, suva-basis
no flags Details
Samba.log with log level = 10 (3.59 MB, application/octet-stream)
2014-07-22 13:51 UTC, suva-basis
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description suva-basis 2014-07-22 09:38:26 UTC
Created attachment 10143 [details]
samba.log, global smb.conf, smbusermap script

Hi

Symptoms:
User tries to connect from Windows client, get's a couple failed and eventually some time (1-5 minutes) later succeeds in getting the connection.

Happens with users that do often switch the drives in windows (switching drive x: to different samba shares or windows shares for and back randomly. Sorry, did not invent it. but seems to be "works as designed")

Background:
Users are Windows ADS user and gets authenticated (usually successful) through kerberos.
We have them also defined as *nix users, but without a password at all, since they only need the samba shares.

Questions:
1) How come auth/token_util.c wants to resolve the user as a user defined in samba trying to get the pw uid?
2) Is it not obvious in the first place, that this is a kerberos authenticated user?
3) Why does samba try in the first place - though defined as ads, samba password evaluation? Or do I  missinterpret something?

see attached zip file containing log extract generated with auth:10 passdb:10 winbind:10 and follwo user with id = pev where he gets the connection at around "2014/07/22 10:43:50.112735".

also in this zip global-config-section of smb.conf as well as for your information smbusermap.

any other information needed? Please let me know.

Thanks!
Regards,
Lukas

PS: Oh, and by the way: great job you guys are doing here!!!!
Comment 1 suva-basis 2014-07-22 13:51:11 UTC
Created attachment 10144 [details]
Samba.log with log level = 10

samba.log with loglevel 10 showing the unsuccessfull connect..
Comment 2 Jeremy Allison 2014-07-22 18:09:31 UTC
My guess is your user map script is causing the problem.

Are you running winbindd ?
Comment 3 suva-basis 2014-07-24 07:00:14 UTC
Yes. We're running winbindd in order to authenticate the connecting user against Windows AD.

FYI:
This error we just started to encounter recently (meaning since a couple of months, increasing now becoming an annoyance to the users), where as we are using samba since a couple of years so far without any problems.
Could it be that it started to show up either through our samba upgrade from 3.5.8 to 3.6.16 or through a Windows AD - Upgrade? One never knows... :-)

Thanks!
Comment 4 suva-basis 2014-07-24 07:11:16 UTC
(In reply to comment #3)
> Yes. We're running winbindd in order to authenticate the connecting user
> against Windows AD.
> 
> FYI:
> This error we just started to encounter recently (meaning since a couple of
> months, increasing now becoming an annoyance to the users), where as we are
> using samba since a couple of years so far without any problems.
> Could it be that it started to show up either through our samba upgrade from
> 3.5.8 to 3.6.16 or through a Windows AD - Upgrade? One never knows... :-)
> 
> Thanks!

Additional INFO:

the mapping script:
We have this ever since ... because as I remember correctly, we had to do it because not only human users are connecting, but also technical accounts like mfp printer-scanners sending the scaned document to a samba-share for further processing.

Would that be not needed anymore?
Comment 5 suva-basis 2014-07-28 07:24:34 UTC
(In reply to comment #2)
> My guess is your user map script is causing the problem.
> 
> Are you running winbindd ?

Hi Jeremy

To your guess of the mapping script:
Since it's production environment not easy to test... still 
did it without the usermap script just to see... for ... say half a minute ...
and ... definitely the script is needed...
Oh boy: luckily samba allows the reload ... :-)

without it, i get lots of the following messages immediately in the samba.log file

"create_connection_session_info failed: NT_STATUS_ACCESS_DENIED"

anyhow:
Great job you guys are all doing

Thanks
Lukas