Hi 

Found something more which is interesting:

nbtstat -A on ip TST-SMB-UAT works fine, but fails for TST-SMB-DEV. Is there 
any specific samba option which I am missing or something on wins servers which 
is giving me grief?

thanks

Nitin

> From: nitintha...@hotmail.com
> To: samba@lists.samba.org
> Date: Thu, 11 Oct 2012 21:52:48 -0400
> Subject: Re: [Samba] users map with ADS not working
> 
> 
> Hi All,
> 
> I have an update. I did snoop the network and found, when I use IP to connect 
> to the share, samba server sends packets to Windows AD. If I try to connect 
> using hostname, samba server does not make any attempts to connect to Windows 
> AD. 
> 
> It looks more like a problem on the smb.conf side. If somebody has experienced 
> this problem in the past then please help.
> 
> (PS: I am using MIT Kerberos + Open LDAP and Samba - all current versions.)
> 
> Thanks
> 
> Nitin
> 
> > From: nitintha...@hotmail.com
> > To: samba@lists.samba.org
> > Date: Wed, 10 Oct 2012 23:14:47 -0400
> > Subject: [Samba] users map with ADS not working
> > 
> > 
> > Hi All
> > 
> > I am running two instances of samba on the same box. One instance of samba has 
> > joined AD domain ABC and the other 123. My workstation is on ABC domain and 
> > when I try to connect to samba server on ABC domain, it asks me for user 
> > name and password and then fails. If I put IP address instead it works. At 
> > the same time, when I try to connect to 123 domain, it asks me for user 
> > name and password and authenticates me without any problem. I set the debug 
> > level to 9 on both the instances. I am not running winbind - please don't 
> > ask me why. The strange problem is that when a user who has the same unix and 
> > windows account in ABC domain tries to log into the samba server 
> > which is on ABC domain, it works with hostname, whereas for folks who have 
> > different accounts on windows and unix, it doesn't work with 
> > hostname but with IP.
> > 
> > The Global section of both the instances is similar, here is the global 
> > section of samba server which is binding to ABC domain: -
> > 
> > #======================= Global Settings =====================================
> > [global]
> > 
> > socket options = TCP_NODELAY IPTOS_LOWDELAY
> > netbios name = TST-SMB-DEV
> > workgroup = ABC
> > server string = tst-smb-dev Server ver %v
> > security = ADS
> > log file = /opt/local/samba-3.6.7/dev/logs/log.%m
> > max log size = 50
> > password server =  AD1.ABC.com AD2.ABC.com
> > encrypt passwords = yes
> > realm = ABC.COM
> > local master = no
> > domain master = no
> > domain logons = no
> > dns proxy = no
> > smb passwd file = /opt/local/samba-3.6.7/dev/private
> > private dir = /opt/local/samba-3.6.7/dev/private
> > username map = /opt/local/samba-3.6.7/dev/users.map
> > pid directory = /opt/local/samba-3.6.7/dev
> > bind interfaces only = yes
> > wins support = no
> > domain master = no
> > locking = yes
> > lock directory = /opt/local/samba-3.6.7/dev/var/locks
> > preserve case = yes
> > short preserve case = yes
> > load printers = no
> > printcap name = /dev/null
> > deadtime = 15
> > preferred master = no
> > guest account = nobody
> > guest ok = no
> > syslog = 0
> > interfaces = 10.20.20.3
> > socket address = 10.20.20.3
> > kerberos method = system keytab
> > log level = 9
> > ----------------------------------------------------------------------------------------------------------------------------
> > 
> > Here are the logs when user whose mapping is defined in users.map tries to 
> > log into samba instance which is binding to ABC domain
> > 
> > [2012/10/10 15:07:11.896408,  3] libads/authdata.c:332(decode_pac_data)
> >   Found account name from PAC: foo [Foo Bar]
> > [2012/10/10 15:07:11.896530,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
> >   Kerberos ticket principal name is [f...@abc.com]
> > [2012/10/10 15:07:11.896611,  4] auth/user_util.c:361(map_username)
> >   Scanning username map /opt/local/samba-3.6.7/dev/users.map
> > [2012/10/10 15:07:11.896665,  3] auth/user_util.c:402(map_username)
> >   Mapped user ABC\foo to bar
> > [2012/10/10 15:07:11.896725,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user bar
> > [2012/10/10 15:07:11.896758,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is bar
> > [2012/10/10 15:07:11.897025,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals did find user [bar]!
> > [2012/10/10 15:07:11.897418,  6] param/loadparm.c:7490(lp_file_list_changed)
> >   lp_file_list_changed()
> >   file /opt/local/Samba/lib/smb.conf.dev -> /opt/local/Samba/lib/smb.conf.dev  last mod_time: Wed Oct 10 15:06:58 2012
> > 
> > [2012/10/10 15:07:11.897530,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user ABC\foo
> > [2012/10/10 15:07:11.897562,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is ABC\foo
> > [2012/10/10 15:07:11.897648,  5] lib/username.c:124(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as given is ABC\foo
> > [2012/10/10 15:07:11.897725,  5] lib/username.c:134(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as uppercase is ABC\foo
> > [2012/10/10 15:07:11.897798,  5] lib/username.c:143(Get_Pwnam_internals)
> >   Checking combinations of 0 uppercase letters in ABC\foo
> > [2012/10/10 15:07:11.897832,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals didn't find user [ABC\foo]!
> > [2012/10/10 15:07:11.897861,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user foo
> > [2012/10/10 15:07:11.897896,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is foo
> > [2012/10/10 15:07:11.897973,  5] lib/username.c:134(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as uppercase is foo
> > [2012/10/10 15:07:11.898045,  5] lib/username.c:143(Get_Pwnam_internals)
> >   Checking combinations of 0 uppercase letters in foo
> > [2012/10/10 15:07:11.898077,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals didn't find user [foo]!
> > [2012/10/10 15:07:11.898222,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user foo
> > [2012/10/10 15:07:11.898256,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is foo
> > [2012/10/10 15:07:11.898332,  5] lib/username.c:134(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as uppercase is foo
> > [2012/10/10 15:07:11.898403,  5] lib/username.c:143(Get_Pwnam_internals)
> >   Checking combinations of 0 uppercase letters in foo
> > [2012/10/10 15:07:11.898441,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals didn't find user [foo]!
> > [2012/10/10 15:07:11.898471,  3] auth/auth_util.c:1121(check_account)
> >   Failed to find authenticated user ABC\foo via getpwnam(), denying access.
> > [2012/10/10 15:07:11.898502,  1] auth/user_krb5.c:211(make_server_info_krb5)
> >   make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
> > 
> > --------------------------------------------------------------------------------------------------------------------------------------------
> > 
> > here is my users.map
> > 
> > foo = ABC\bar
> > 
> > 
> > on the other instance: -
> > [global]
> > 
> > socket options = TCP_NODELAY IPTOS_LOWDELAY
> > netbios name = TST-SMB-UAT
> > workgroup = 123
> > server string = tst-smb-uat Samba Server ver %v
> > security = ADS
> > #map untrusted to domain = Yes
> > log file = /opt/local/samba-3.6.7/uat/logs/log.%m
> > log level = 5
> > max log size = 50
> > password server =  AD1.123.com
> > encrypt passwords = yes
> > realm = 123.COM
> > local master = no
> > domain master = no
> > domain logons = no
> > dns proxy = no
> > smb passwd file = /opt/local/samba-3.6.7/uat/private
> > private dir = /opt/local/samba-3.6.7/uat/private
> > username map = /opt/local/samba-3.6.7/uat/users.map
> > pid directory = /opt/local/samba-3.6.7/uat
> > bind interfaces only = yes
> > wins support = no
> > domain master = no
> > allow trusted domains = yes
> > locking = yes
> > lock directory = /opt/local/samba-3.6.7/uat/var/locks
> > preserve case = yes
> > short preserve case = yes
> > name resolve order = host bcast
> > load printers = no
> > printcap name = /dev/null
> > deadtime = 15
> > preferred master = no
> > syslog = 0
> > interfaces = 10.20.20.4
> > ----------------------------------------------------------------------------------------
> > and logs are: -
> > 
> > [2012/10/10 16:15:26.386651,  3] ../libcli/security/dom_sid.c:208(dom_sid_parse_endp)
> >   string_to_sid: SID foo is not in a valid format
> > [2012/10/10 16:15:26.386693,  4] smbd/sec_ctx.c:214(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2012/10/10 16:15:26.386725,  4] smbd/uid.c:460(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2012/10/10 16:15:26.386753,  4] smbd/sec_ctx.c:314(set_sec_ctx)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2012/10/10 16:15:26.386781,  5] ../libcli/security/security_token.c:53(security_token_debug)
> >   Security token: (NULL)
> > [2012/10/10 16:15:26.386827,  5] auth/token_util.c:527(debug_unix_user_token)
> >   UNIX token of user 0
> >   Primary group is 0 and contains 0 supplementary groups
> > [2012/10/10 16:15:26.386900,  5] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
> >   pdb_getsampwnam (TDB): error fetching database.
> >    Key: USER_foo
> > [2012/10/10 16:15:26.386952,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2012/10/10 16:15:26.386988,  4] smbd/sec_ctx.c:214(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2012/10/10 16:15:26.387019,  4] smbd/uid.c:460(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2012/10/10 16:15:26.387047,  4] smbd/sec_ctx.c:314(set_sec_ctx)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2012/10/10 16:15:26.387074,  5] ../libcli/security/security_token.c:53(security_token_debug)
> >   Security token: (NULL)
> > [2012/10/10 16:15:26.387101,  5] auth/token_util.c:527(debug_unix_user_token)
> >   UNIX token of user 0
> >   Primary group is 0 and contains 0 supplementary groups
> > [2012/10/10 16:15:26.387196,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2012/10/10 16:15:26.387256,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user foo
> > [2012/10/10 16:15:26.387287,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is foo
> > [2012/10/10 16:15:26.387318,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals did find user [foo]!
> > [2012/10/10 16:15:26.387362,  5] lib/username.c:171(Get_Pwnam_alloc)
> >   Finding user foo
> > [2012/10/10 16:15:26.387392,  5] lib/username.c:116(Get_Pwnam_internals)
> >   Trying _Get_Pwnam(), username as lowercase is foo
> > [2012/10/10 16:15:26.387423,  5] lib/username.c:149(Get_Pwnam_internals)
> >   Get_Pwnam_internals did find user [foo]!
> > [2012/10/10 16:15:26.387467,  3] smbd/service.c:872(make_connection_snum)
> > -------------------------------------------------------------------------------------------------------------------------------------
> > and my users.map
> > 
> > foo = bar 123\bar
> > 
> > 
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> > any suggestions?
> > 
> > thanks
> > 
> > Nitin
> >                                       
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
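A small triage helper for the smbd debug output quoted in this thread, added here as an example (it is not part of the original posts and not Samba code): it pulls out the username-map result, the getpwnam hits and misses, and the final denial, so the name that was actually denied can be compared with the name the map produced. The sample is an excerpt of the ABC-instance log above; the function names `summarize` and `diagnose` are hypothetical.

```python
import re

# Excerpt of the ABC-instance smbd log quoted in this thread (trimmed, not new data).
SAMPLE = r"""
[2012/10/10 15:07:11.896665,  3] auth/user_util.c:402(map_username)
  Mapped user ABC\foo to bar
[2012/10/10 15:07:11.897025,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [bar]!
[2012/10/10 15:07:11.897832,  5] lib/username.c:149(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [ABC\foo]!
[2012/10/10 15:07:11.898471,  3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user ABC\foo via getpwnam(), denying access.
[2012/10/10 15:07:11.898502,  1] auth/user_krb5.c:211(make_server_info_krb5)
  make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
"""

MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
LOOKUP = re.compile(r"Get_Pwnam_internals (didn't|did) find user \[(.+?)\]")
DENIED = re.compile(r"Failed to find authenticated user (\S+) via getpwnam\(\)")
STATUS = re.compile(r"\b(NT_STATUS_\w+)")

def summarize(log_text):
    """Collect the mapping, getpwnam hits/misses and the final denial (hypothetical helper)."""
    s = {"mapped": None, "found": [], "missing": [], "denied": None, "status": None}
    for raw in log_text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # tolerate e-mail quote markers
        if not line or line.startswith("["):
            continue  # "[date, level] file:line(func)" headers carry no message text
        if m := MAPPED.search(line):
            s["mapped"] = (m.group(1), m.group(2))
        elif m := LOOKUP.search(line):
            s["found" if m.group(1) == "did" else "missing"].append(m.group(2))
        elif m := DENIED.search(line):
            s["denied"] = m.group(1)
        elif m := STATUS.search(line):
            s["status"] = m.group(1)
    return s

def diagnose(s):
    """Say whether the denied name is the mapped one or the original client name."""
    if s["denied"] is None:
        return "no denial recorded"
    mapped = s["mapped"]
    if mapped and mapped[1] in s["found"] and s["denied"] != mapped[1]:
        return f"map gave '{mapped[1]}' (exists locally) but lookup of '{s['denied']}' was denied"
    return f"lookup of '{s['denied']}' was denied; no usable mapping seen"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```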