After an upgrade from 3.5.13 to 3.6.4 of an AD Member Server (security=ADS) the username map does not work any more. We use

idmap config * : backend = tdb
idmap config * : range = 1000001-1999999
idmap config DLR : backend = nss
idmap config DLR : readonly = yes
idmap config DLR : range = 1000-100000

because the AD users are available to the Linux system using Vintela Authentication Services (VAS).

With 3.5.13

root = DLR\maurerh

allows DLR\maurerh to modify printer settings or create files as root.

With 3.6.4 samba still logs

[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username) Mapped user DLR\maurerh to root

but the printer settings are greyed out and files are created as maurerh instead of as root.

One more difference is that with 3.5.13 it was possible to use

root = DLR\maurerh-ad

where maurerh-ad is a Windows-only administrative account without Unix attributes. An access to the samba server was mapped to root. With 3.6.4 Samba logs

Kerberos ticket principal name is [username-adm@INTRA.DLR.DE]
[2012/04/12 13:33:35.920072, 3] auth/user_util.c:402(map_username) Mapped user DLR\maurerh-ad to root
Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
[2012/04/18 11:29:23.205474, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: maurerh [Maurer, Hansjörg]
[2012/04/18 11:29:23.205766, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [maurerh@INTRA.DLR.DE]
[2012/04/18 11:29:23.206003, 3] auth/user_util.c:402(map_username) Mapped user DLR\maurerh to root
[2012/04/18 11:29:23.310976, 3] passdb/lookup_sid.c:1737(get_primary_group_sid) Forcing Primary Group to 'Domain Users' for maurerh

==> log.winbindd <==
[2012/04/18 11:29:23.311849, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 6364]: request interface version
[2012/04/18 11:29:23.312147, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 6364]: request location of privileged pipe
[2012/04/18 11:29:23.312796, 3] winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send) lookupname Unix User\maurerh

==> log.wb-RM-SAMBA01-TEST <==
[2012/04/18 11:29:23.313137, 3] winbindd/winbindd_samr.c:622(sam_name_to_sid) sam_name_to_sid
[2012/04/18 11:29:23.313435, 3] winbindd/winbindd_rpc.c:303(rpc_name_to_sid) name_to_sid: UNIX USER\MAURERH for domain UNIX USER
[2012/04/18 11:29:23.319738, 3] rpc_server/rpc_handles.c:281(close_policy_hnd) Closed policy

==> log.129.247.189.133 <==
[2012/04/18 11:29:23.371065, 3] smbd/password.c:297(register_existing_vuid) register_existing_vuid: User name: maurerh Real name: Maurer, Hansjörg
[2012/04/18 11:29:23.371289, 3] smbd/password.c:307(register_existing_vuid) register_existing_vuid: UNIX uid 7740 is UNIX user maurerh, and will be vuid 101
[2012/04/18 11:29:23.371704, 1] smbd/session.c:86(session_claim)
Created attachment 7513 [details]
level 10 debug: user maurerh connects to the server, is mapped to root, but directory test5 is created as maurerh
I am not sure if I am experiencing the same bug, but it is related to the mapping. Maybe you can try whether yours is the same bug. When I have a unix user "foo" and a domain user called "DOMAIN+foo", the login (via IP and DNS name) works and no mapping is required. If I have a unix user "foobar" and a domain user "DOMAIN+bar" with a mapping file containing "foobar = DOMAIN+bar", it doesn't work via DNS name and I get a password prompt. If I use the IP address of the server to access the share, the mapping *does* work. I am running samba 3.6.5.
I can confirm your description for both of my problems. If I connect to the server using \\IP-Number instead of \\HOSTNAME, the usermapping itself works and users not available to the Unix systems are mapped too. Thank you very much.
I've hit this bug in 3.6.5 and in 3.6.6. I'm experiencing it in our production AD environment on both Solaris and Linux platforms. Some additional information I haven't seen discussed yet: smbclient from 3.5.x/3.6.x to 3.6.x using the usermap aliased login works with no issues. Win7 to 3.6.x requires using the IP address as previously discussed. Is there anything I can do to help resolve this issue?
3.6.7 same issue. Anybody working on this? I'm happy to test code changes.
(In reply to comment #3)
> If I connect to the Server using \\IP-Number instead of \\HOSTNAME
> the usermapping itself works and users not available to the Unix Systems are
> mapped too

...it also works for me: create a DNS alias for the Samba server, i.e. by the command

DnsCmd /RecordAdd smbsetup.czech.sun.com ldom10 CNAME t4-ldom10.smbsetup.czech.sun.com.

...on the DC, where t4-ldom10 is the DNS A-record. Then on the Windows client you can use:

E:\Documents and Settings\jura.SMBSETUP>net view \\ldom10
Shared resources at \\ldom10

Samba 3. tdb

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
homes        Disk
jura         Disk             Home directory of SMBSETUP\jura
public       Disk             Public data directory
The command completed successfully.

E:\Documents and Settings\jura.SMBSETUP>net use p: \\ldom10\public
The command completed successfully.
I have the same issue on Solaris 10 (Solaris 11 seems to work fine). In my case the cause is wrong timestamps in the Kerberos keytab. The "workaround" over the IP or DNS alias [CNAME record] is available because the client authentication is falling back to LMHOST auth. (instead of Kerberos auth.) in such a case.

The problem can be observed cleanly when:
- keytab is created -> set smb.conf option:
  kerberos method = system keytab
  ...then "net ads join" domain. Keytab is created on the standard system location.

Looking at this keytab:

-bash-3.2# ktutil
ktutil: rkt /etc/krb5/krb5.keytab
ktutil: l -t
slot KVNO Timestamp         Principal
---- ---- ----------------- ---------------------------------------------------
   1    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   2    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   3    2 01/01/70 01:00:00 host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM
   4    2 01/01/70 01:00:00 host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   5    2 01/01/70 01:00:00 host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   6    2 01/01/70 01:00:00 host/t4-ldom10@SMBSETUP.CZECH.SUN.COM
   7    2 01/01/70 01:00:00 T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
   8    2 01/01/70 01:00:00 T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
   9    2 01/01/70 01:00:00 T4-LDOM10$@SMBSETUP.CZECH.SUN.COM
ktutil:

...it can be seen that the timestamps are "zeroed". So on each attempt at SMB-session auth. you can see in the (session) log[.%h]:

[2012/08/21 01:28:13.789620, 10] libads/kerberos_verify.c:248(ads_keytab_verify_ticket) libads/kerberos_verify.c:245: krb5_rd_req_return_keyblock_from_keytab(host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM) failed: Wrong principal in request

...for each slot in the keytab.
Created attachment 7815 [details]
debug 10 with comments
Hi, some parts of the debug 10 with comments.

DLR\maurerh-ad is mapped to root:

[2012/08/23 12:30:23.047563, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: maurerh-ad [maurerh-ad]
[2012/08/23 12:30:23.073169, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [maurerh-ad@INTRA.DLR.DE]
[2012/08/23 12:30:23.073200, 10] auth/user_krb5.c:82(get_user_from_kerberos_info) Domain is [DLR] (using PAC)
[2012/08/23 12:30:23.073230, 4] auth/user_util.c:361(map_username) Scanning username map /etc/samba/smbusers
[2012/08/23 12:30:23.073347, 3] auth/user_util.c:402(map_username) Mapped user DLR\maurerh-ad to root
[2012/08/23 12:30:23.073475, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is root
[2012/08/23 12:30:23.073497, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals did find user [root]!
[2012/08/23 12:30:23.089734, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user DLR\maurerh-ad
[2012/08/23 12:30:23.089755, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is dlr\maurerh-ad
[2012/08/23 12:30:23.090404, 5] lib/username.c:124(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is DLR\maurerh-ad
[2012/08/23 12:30:23.090471, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is DLR\MAURERH-AD
[2012/08/23 12:30:23.090520, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in dlr\maurerh-ad
[2012/08/23 12:30:23.090542, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [DLR\maurerh-ad]!
[2012/08/23 12:30:23.090563, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user maurerh-ad
[2012/08/23 12:30:23.090583, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is maurerh-ad
[2012/08/23 12:30:23.099227, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is MAURERH-AD
[2012/08/23 12:30:23.099830, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in maurerh-ad
[2012/08/23 12:30:23.099863, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [maurerh-ad]!
[2012/08/23 12:30:23.100074, 3] auth/auth_util.c:1121(check_account) Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
[2012/08/23 12:30:23.100125, 1] auth/user_krb5.c:211(make_server_info_krb5) make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
[2012/08/23 12:30:23.100161, 1] smbd/sesssetup.c:379(reply_spnego_kerberos) make_server_info_krb5 failed!
[2012/08/23 12:30:23.100204, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(383) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/08/23 12:30:23.100232, 5] lib/util.c:332(show_msg)
[2012/08/23 12:30:23.100245, 5] lib/util.c:342(show_msg)

Why is this last sequence called, which seems to be the reason for the failure? maurerh-ad is mapped to root and is not available on the Linux system. In 3.5.* this works.
Hi All,

I can verify this is a bug. I have two instances of samba on the same machine using their own config files. Both instances have joined different domains. My server names are tst-uat and tst-dev. tst-uat joins the uat domain and tst-dev joins the dev domain.

When I use a workstation on the Dev domain and I try to access the tst-dev samba server by name it does not work, but when I access the samba share on tst-uat, which is in the UAT domain, it prompts me for a password and it works fine. Likewise, when I use a workstation on the UAT domain and try to access the tst-uat samba share by name it does not work, but when I access the samba share on the tst-dev samba server, it prompts me for a password and works fine. If I use IP addresses it works all the time no matter what environment I am working in.

Another important thing is that it works for all the users who have the same Unix and Windows user name. If the unix id and windows id do not match, this bug triggers.

These are the error messages that I get:

- Found account name from PAC: xyz
[2012/10/16 10:16:29.686138, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [xyz@XXX.COM]
[2012/10/16 10:16:29.686203, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user XXX\xyz
[2012/10/16 10:16:29.686236, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is xxx\xyz
[2012/10/16 10:16:29.687019, 5] lib/username.c:124(Get_Pwnam_internals) Trying _Get_Pwnam(), username as given is XXX\xyz
[2012/10/16 10:16:29.687655, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is XXX\XYZ
[2012/10/16 10:16:29.688269, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in xxx\xyz
[2012/10/16 10:16:29.688305, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [XXX\xyz]!
[2012/10/16 10:16:29.688335, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user xyz
[2012/10/16 10:16:29.688363, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is xyz
[2012/10/16 10:16:29.689009, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is XYZ
[2012/10/16 10:16:29.689633, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in xyz
[2012/10/16 10:16:29.689668, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [xyz]!
[2012/10/16 10:16:29.689723, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user xyz
[2012/10/16 10:16:29.689753, 5] lib/username.c:116(Get_Pwnam_internals) Trying _Get_Pwnam(), username as lowercase is xyz
[2012/10/16 10:16:29.690381, 5] lib/username.c:134(Get_Pwnam_internals) Trying _Get_Pwnam(), username as uppercase is XYZ
[2012/10/16 10:16:29.691004, 5] lib/username.c:143(Get_Pwnam_internals) Checking combinations of 0 uppercase letters in xyz
[2012/10/16 10:16:29.691039, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [xyz]!
[2012/10/16 10:16:29.691068, 1] auth/user_krb5.c:162(get_user_from_kerberos_info) Username XXX\xyz is invalid on this system
[2012/10/16 10:16:29.691130, 3] smbd/error.c:81(error_packet_set)

I am using Kerberos 5-1.10.3, Openldap-2.4.32 and Samba-3.6.7 with AD Security.
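A small log triage script, added here as an example and not part of this bug report or of Samba itself. It reads Samba debug records of the kind quoted in the comments above and flags two things: a session where "Mapped user X to Y" is followed by "Failed to find authenticated user X via getpwnam()" or "Username X is invalid on this system" (the map result being discarded, as in the debug-10 excerpts), and the keytab "Wrong principal in request" failure from the Solaris 10 comment. The sample records are constructed from the formats quoted in this thread, in Samba's two-line layout (header, then indented message).

```python
import re
# A Samba debug record starts with "[timestamp, level] file.c:line(function)";
# the message is on the same line or on the next (indented) line.
HEADER = re.compile(r"\[([\d/ :.]+), (\d+)\] \S+\((\w+)\)\s*(.*)")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
DENIED = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
KEYTAB = re.compile(r"krb5_rd_req_return_keyblock_from_keytab\((\S+)\) failed: (.+)")

# Constructed sample, assembled from the record formats quoted in this thread.
SAMPLE = r"""
[2012/08/23 12:30:23.073347, 3] auth/user_util.c:402(map_username)
  Mapped user DLR\maurerh-ad to root
[2012/08/23 12:30:23.100074, 3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user DLR\maurerh-ad via getpwnam(), denying access.
[2012/08/21 01:28:13.789620, 10] libads/kerberos_verify.c:248(ads_keytab_verify_ticket)
  krb5_rd_req_return_keyblock_from_keytab(host/t4-ldom10.smbsetup.czech.sun.com@SMBSETUP.CZECH.SUN.COM) failed: Wrong principal in request
"""

def parse(text):
    """Return (timestamp, level, function, message) tuples from Samba log text."""
    records, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := HEADER.match(line):
            head = (m.group(1), int(m.group(2)), m.group(3))
            if m.group(4):
                records.append(head + (m.group(4),))
            else:
                pending = head  # message follows on the next line
        elif pending:
            records.append(pending + (line,))
            pending = None
    return records

def diagnose(text):
    """Flag sessions whose username-map result was not used, and keytab failures."""
    findings, mapped = [], {}
    for ts, _level, _func, msg in parse(text):
        if m := MAPPED.search(msg):
            mapped[m.group(1)] = m.group(2)  # original name -> mapped name
        elif m := (DENIED.search(msg) or INVALID.search(msg)):
            name = m.group(1)
            if name in mapped:
                findings.append(f"{ts} {name} mapped to {mapped[name]} but access check looked up {name}")
            else:
                findings.append(f"{ts} {name} has no Unix account and no map entry")
        elif m := KEYTAB.search(msg):
            findings.append(f"{ts} keytab verification of {m.group(1)} failed: {m.group(2)}")
    return findings
```

Run it over a level-10 log.smbd (or the per-client log.%h) to see at a glance whether the session died in check_account after a successful map, or earlier in ads_keytab_verify_ticket.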
Forgot to mention, using a CNAME record also doesn't help.
I am still having this problem in version 3.6.9. Is there any further information needed to fix/debug this problem? Using the IP to connect to the server really isn't an optimal solution.
*** This bug has been marked as a duplicate of bug 9139 ***