Hello,

We are upgrading samba package from 3.5.16 to 3.6.13 version.
security=ADS fails with the below error
"Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access."

AD join is working on the command prompt but when we try to access samba share we are getting authentication error and hence not able to access the file share.
We are not using winbind but we are getting winbind authentication error.

Please find the log snippet below,

[2013/05/04 17:20:32.638829, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user SAMBA\ldapuser1
[2013/05/04 17:20:32.639043, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is SAMBA\ldapuser1
[2013/05/04 17:20:32.639459, 5] lib/username.c:124(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is SAMBA\ldapuser1
[2013/05/04 17:20:32.639862, 5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is SAMBA\LDAPUSER1
[2013/05/04 17:20:32.640140, 5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in SAMBA\ldapuser1
[2013/05/04 17:20:32.640325, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [SAMBA\ldapuser1]!
[2013/05/04 17:20:32.640494, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ldapuser1
[2013/05/04 17:20:32.640639, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ldapuser1
[2013/05/04 17:20:32.640962, 5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
[2013/05/04 17:20:32.641253, 5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in ldapuser1
[2013/05/04 17:20:32.641443, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ldapuser1]!
[2013/05/04 17:20:32.641649, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user ldapuser1
[2013/05/04 17:20:32.641819, 5] lib/username.c:116(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is ldapuser1
[2013/05/04 17:20:32.642101, 5] lib/username.c:134(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is LDAPUSER1
[2013/05/04 17:20:32.642392, 5] lib/username.c:143(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in ldapuser1
[2013/05/04 17:20:32.642577, 5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ldapuser1]!
[2013/05/04 17:20:32.642741, 3] auth/auth_util.c:1126(check_account)
  Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access.
[2013/05/04 17:20:32.642996, 11] lib/events.c:445(s3_event_debug)
  s3_event: Added timed event \"\tevent_req_timedout\"\: 212e69d8
[2013/05/04 17:20:32.643188, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
  smb_signing_sign_pdu: sent SMB signature of
[2013/05/04 17:20:32.643339, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00 ........
[2013/05/04 17:20:32.643783, 11] lib/events.c:445(s3_event_debug)
  s3_event: Schedule immediate event \"\tevent_queue_immediate_trigger\"\: 212e57c8
[2013/05/04 17:20:32.644005, 11] lib/events.c:445(s3_event_debug)
  s3_event: Run immediate event \"\tevent_queue_immediate_trigger\"\: 212e57c8
[2013/05/04 17:20:32.644690, 11] lib/events.c:445(s3_event_debug)
  s3_event: Destroying timer event 212e69d8 \"\tevent_req_timedout\"\
[2013/05/04 17:20:32.644987, 10] libsmb/smb_signing.c:278(smb_signing_sign_pdu)
  smb_signing_sign_pdu: sent SMB signature of
[2013/05/04 17:20:32.645157, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 00 00 00 00 00 00 00 ........
[2013/05/04 17:20:32.646021, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646418, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [ldapuser1] -> [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646711, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2013/05/04 17:20:32.646964, 5] lib/util.c:336(show_msg)
[2013/05/04 17:20:32.647083, 5] lib/util.c:346(show_msg)

The below conf file is being used for the same. Could you please let me know if any other conf options should be set for 3.6.x versions.

[global]
workgroup=SAMBA
server string=SMB Server
netbios name=SMB07464240
realm=SAMBA.LOCAL
log level=255
log file=pran.log.0.txt
max log size=10000
max smbd processes=100
security=ADS
password server=SAMBA.LOCAL
wins support=no
default devmode=no
client NTLMv2 auth=No
multicast dns register=yes
username map cache time=0
dns proxy=no
wins server=0.0.0.0, 0.0.0.0
name resolve order=lmhosts host wins bcast purev6
DeviceAuthTimeout=60
map to guest=bad uid
guest account=root
load printers=yes
printcap name=/etc/printcap
encrypt passwords=yes
deadtime=60
server signing=auto
client signing=auto
dos charset=CP932
SRAM Logging=no
hostAnnouncementSSL=1

In the older version of samba 3.5.16 we call passdb functions during authentication for domain access but for 3.6.13 version it is trying to do winbind auth. Could you please let me know if I am missing some conf option in the smb.conf file.
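A triage helper for logs like the one in the report above, added here as an example and not part of the original thread or of Samba. It splits smbd debug records in either layout (message on the header line or on the next line) and reports which names were looked up, which were missing, and the resulting NT status; the function names and the abridged sample are constructed for illustration.

```python
import re

# Header of a Samba debug record: [timestamp, level] file:line(function)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")

def parse_records(text):
    """Split a log into records; the message may share the header's line or follow it."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        records.append({"level": int(h.group(2)), "func": h.group(5),
                        "msg": " ".join(text[h.end():end].split())})
    return records

def add_once(items, value):
    if value not in items:
        items.append(value)

def triage(text):
    """Summarise the name lookups behind a post-authentication denial."""
    out = {"tried": [], "missing": [], "denied": None, "status": []}
    for rec in parse_records(text):
        msg = rec["msg"]
        if rec["func"] == "Get_Pwnam_alloc" and msg.startswith("Finding user "):
            add_once(out["tried"], msg[len("Finding user "):])
        m = re.search(r"didn't find user \[(.+?)\]", msg)
        if m:
            add_once(out["missing"], m.group(1))
        m = re.search(r"Failed to find authenticated user (\S+) via getpwnam\(\)", msg)
        if m:
            out["denied"] = m.group(1)
        for status in re.findall(r"NT_STATUS_\w+", msg):
            add_once(out["status"], status)
    # True when every name smbd tried was absent from the Unix account database.
    out["no_unix_account"] = bool(out["denied"]) and out["tried"] == out["missing"]
    return out

# Constructed sample: records abridged from the log in the report, in both layouts.
SAMPLE = r"""
[2013/05/04 17:20:32.638829, 5] lib/username.c:171(Get_Pwnam_alloc)
  Finding user SAMBA\ldapuser1
[2013/05/04 17:20:32.640325, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [SAMBA\ldapuser1]!
[2013/05/04 17:20:32.640494, 5] lib/username.c:171(Get_Pwnam_alloc) Finding user ldapuser1
[2013/05/04 17:20:32.641443, 5] lib/username.c:149(Get_Pwnam_internals) Get_Pwnam_internals didn't find user [ldapuser1]!
[2013/05/04 17:20:32.642741, 3] auth/auth_util.c:1126(check_account) Failed to find authenticated user SAMBA\ldapuser1 via getpwnam(), denying access.
[2013/05/04 17:20:32.646418, 2] auth/auth.c:319(check_ntlm_password) check_ntlm_password: Authentication for user [ldapuser1] -> [ldapuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2013/05/04 17:20:32.646711, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""
```

`triage(SAMPLE)` returns a dictionary; `no_unix_account` is true when the denial comes from missing Unix accounts rather than from a rejected credential.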
Hello,

We are now able to migrate from 3.5.16 to 3.6.15 version successfully.
In order to fix "Security=ADS" Fileshare access issue we had made the following changes,

1. Modified "samba-3.6.15/source3/libads/kerberos.c" with "allow_weak_crypto = true".

2. Modified "samba-3.6.15/source3/auth/auth_util.c" with the below code to validate "map to guest = bad uid" option in make_server_info_info3() function.

/////////////////////////////////////////////////////////////////////////
nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
                          &found_username, &pwd,
                          &username_was_mapped);
if (!NT_STATUS_IS_OK(nt_status)) {
        //Start : Added to fix ADS issue
        if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
                make_server_info_guest(NULL, server_info);
                return NT_STATUS_OK;
        }
        //End:
        return nt_status;
}
///////////////////////////////////////////////////////////////////////

3. Added "max protocol=SMB2" in the smb.conf file.

The second fix was taken from the samba 3.5.16 version which we are using now currently.
Could you please let us know why this part of code to validate "map to guest=bad uid" was not present in 3.6.15 version and does it have any impact if we use the same?
Also please confirm if the fixes w.r.t "allow_weak_crypto" and "SMB2" protocol usage are OK?

Please provide us your opinion on the same at the earliest.

(In reply to comment #0)
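A configuration check for the settings that decide what the guest mapping discussed above grants, added here as an example and not part of the original thread or of Samba. With "map to guest = bad uid" in domain or ADS mode, a user the domain has authenticated but who has no Unix account gets the "guest account" identity, so the check reads both together. It assumes the privileged account is literally named root (it does not resolve uid 0), and the function names and sample texts are constructed.

```python
def parse_global(conf_text):
    """Return [global] parameters; smb.conf ignores case and whitespace in names."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":         # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)    # only the first '=' is significant
            params["".join(name.split()).lower()] = value.strip()
    return params

def audit(conf_text):
    """Flag settings that decide which identity an unmapped domain user receives."""
    g = parse_global(conf_text)
    findings = []
    security = g.get("security", "user").lower()
    map_guest = " ".join(g.get("maptoguest", "never").lower().split())
    guest = g.get("guestaccount", "nobody")
    if security in ("ads", "domain") and map_guest == "bad uid" and guest == "root":
        findings.append("authenticated domain users without a Unix account "
                        "are mapped to guest account 'root'")
    if g.get("clientntlmv2auth", "").lower() in ("no", "false", "0"):
        findings.append("client NTLMv2 auth disabled: weaker NTLM/LM responses "
                        "are sent when this host acts as an SMB client")
    return findings

# Constructed samples: the relevant lines of the posted [global] section,
# and the same lines with the two settings corrected.
POSTED = """[global]
security=ADS
map to guest=bad uid
guest account=root
client NTLMv2 auth=No
"""
CORRECTED = """[global]
security = ADS
Map To Guest = Bad Uid
guest account = nobody
client ntlmv2 auth = yes
"""
```

`audit(POSTED)` returns two findings and `audit(CORRECTED)` returns none; the guest mapping itself stays enabled in both, only the identity it grants changes.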
Running into an issue where map to guest = Bad Uid doesn't work as expected w/ SECURITY = (DOMAIN|ADS). Logs show it complaining about a failed getpwnam() call, which seems to me to be exactly what should trigger the map to guest logic. This is Samba 3.6.23 on RHEL5. Wondering if similar to your issue.
Created attachment 11356 patch for 4.3
Created attachment 11357 patch for 4.2
Created attachment 11358 patch for 4.1
Created attachment 11360 patch for 4.2
Created attachment 11361 patch for 4.1
Pushed to autobuild-v4-{1,2,3}-test
The v4-1-test backport failed 3 times reliably with:

[238/1661 in 14m55s] samba3.blackbox.smbclient_machine_auth.plain (member:local)
UNEXPECTED(failure): samba3.blackbox.smbclient_machine_auth.plain (member:local).smbclient //LOCALMEMBER3/tmp(member:local)
REASON: _StringException: _StringException: session setup failed: NT_STATUS_CONNECTION_DISCONNECTED

FAILED (1 failures, 0 errors and 0 unexpected successes in 0 testsuites)
Pushed to v4-{2,3}-test
Fixed in Samba 4.2 with 281bd2fb84fed3965d1201050d7b6cc7338c5fdb from 34965d4d98d172e848e2b96fad8a9e0b99288ba7 in master