Samba 4.6.0 - Domain admin can't list nor access shares on file server

Samba - General mailing list
Hello,

I have domain NAVIDOM.

There is also a fileserver that has joined the domain (both file server
and DC are samba 4.6.0).

If I try to connect as NAVIDOM\Administrator, I cannot access the file
server (from Linux and Windows):

[root@dc var]# smbclient -U Administrator -L fileserv
Enter NAVIDOM\Administrator's password:
session setup failed: NT_STATUS_ACCESS_DENIED

I can do it as a regular user:

[root@fileserv samba]# smbclient -U olaf -L fileserv
Enter NAVIDOM\olaf's password:

     Sharename       Type      Comment
     ---------       ----      -------

.......

Is this normal or do I have a problem with my setup?

I have found out also, that when I try to run the "DNS" Windows tool I
get "access was denied". It worked previously - the only thing I can
think of that could cause the change was that Administrator's password
has expired. I don't know if it is related to this problem or not.

Below is a log with debug=6 on the file server when logging as
administrator:

[2017/05/10 17:16:15.823142,  6]
../source3/param/loadparm.c:2301(lp_file_list_changed)
   lp_file_list_changed()
   file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf  
last mod_time: Mon Apr 10 11:07:38 2017

[2017/05/10 17:16:15.823225,  3] ../source3/smbd/oplock.c:1322(init_oplocks)
   init_oplocks: initializing messages.
[2017/05/10 17:16:15.823247,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 774 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823267,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 778 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823284,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 770 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823299,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 787 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823315,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 779 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823331,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 15 - private_data=(nil)
[2017/05/10 17:16:15.823345,  5]
../source3/lib/messages.c:463(messaging_register)
   Overriding messaging pointer for type 15 - private_data=(nil)
[2017/05/10 17:16:15.823380,  5]
../source3/lib/messages.c:495(messaging_deregister)
   Deregistering messaging pointer for type 16 - private_data=(nil)
[2017/05/10 17:16:15.823400,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 16 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823415,  5]
../source3/lib/messages.c:495(messaging_deregister)
   Deregistering messaging pointer for type 33 - private_data=0x7f23f5eb6ff0
[2017/05/10 17:16:15.823431,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 33 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823446,  5]
../source3/lib/messages.c:495(messaging_deregister)
   Deregistering messaging pointer for type 790 - private_data=(nil)
[2017/05/10 17:16:15.823461,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 790 - private_data=0x7f23f5ec0060
[2017/05/10 17:16:15.823476,  5]
../source3/lib/messages.c:495(messaging_deregister)
   Deregistering messaging pointer for type 791 - private_data=(nil)
[2017/05/10 17:16:15.823491,  5]
../source3/lib/messages.c:495(messaging_deregister)
   Deregistering messaging pointer for type 1 - private_data=(nil)
[2017/05/10 17:16:15.823506,  5]
../source3/lib/messages.c:448(messaging_register)
   Registering messaging pointer for type 1 - private_data=(nil)
[2017/05/10 17:16:15.823658,  6] ../source3/smbd/process.c:1955(process_smb)
   got message type 0x0 of len 0xbe
[2017/05/10 17:16:15.823683,  3] ../source3/smbd/process.c:1957(process_smb)
   Transaction 0 of length 194 (0 toread)
[2017/05/10 17:16:15.823703,  5] ../source3/lib/util.c:171(show_msg)
[2017/05/10 17:16:15.823716,  5] ../source3/lib/util.c:181(show_msg)
   size=190
   smb_com=0x72
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=24
   smb_flg2=51267
   smb_tid=0
   smb_pid=65534
   smb_uid=0
   smb_mid=0
   smt_wct=0
   smb_bcc=155
[2017/05/10 17:16:15.823771,  3]
../source3/smbd/process.c:1538(switch_message)
   switch message SMBnegprot (pid 14108) conn 0x0
[2017/05/10 17:16:15.823809,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:15.823833,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:15.823852,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:15.823890,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:15.824818,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [PC NETWORK PROGRAM 1.0]
[2017/05/10 17:16:15.824852,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [MICROSOFT NETWORKS 1.03]
[2017/05/10 17:16:15.824872,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [MICROSOFT NETWORKS 3.0]
[2017/05/10 17:16:15.824890,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [LANMAN1.0]
[2017/05/10 17:16:15.824907,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [LM1.2X002]
[2017/05/10 17:16:15.824924,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [DOS LANMAN2.1]
[2017/05/10 17:16:15.824940,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [LANMAN2.1]
[2017/05/10 17:16:15.824956,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [Samba]
[2017/05/10 17:16:15.824972,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [NT LANMAN 1.0]
[2017/05/10 17:16:15.824989,  3]
../source3/smbd/negprot.c:603(reply_negprot)
   Requested protocol [NT LM 0.12]
[2017/05/10 17:16:15.825071,  6]
../source3/param/loadparm.c:2301(lp_file_list_changed)
   lp_file_list_changed()
   file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf  
last mod_time: Mon Apr 10 11:07:38 2017

[2017/05/10 17:16:15.825121,  5]
../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
   check lock order 2 for /usr/local/samba/var/lock/serverid.tdb
[2017/05/10 17:16:15.825151,  5]
../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
   release lock order 2 for /usr/local/samba/var/lock/serverid.tdb
[2017/05/10 17:16:15.825199,  6]
../source3/param/loadparm.c:2301(lp_file_list_changed)
   lp_file_list_changed()
   file /usr/local/samba/etc/smb.conf -> /usr/local/samba/etc/smb.conf  
last mod_time: Mon Apr 10 11:07:38 2017

[2017/05/10 17:16:15.825300,  5]
../source3/auth/auth.c:477(make_auth_context_subsystem)
   Making default auth method list for server role = 'domain member'
[2017/05/10 17:16:15.825331,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend trustdomain
[2017/05/10 17:16:15.825356,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'trustdomain'
[2017/05/10 17:16:15.825385,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend ntdomain
[2017/05/10 17:16:15.825402,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'ntdomain'
[2017/05/10 17:16:15.825418,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend guest
[2017/05/10 17:16:15.825436,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'guest'
[2017/05/10 17:16:15.825449,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend sam
[2017/05/10 17:16:15.825462,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'sam'
[2017/05/10 17:16:15.825475,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend sam_ignoredomain
[2017/05/10 17:16:15.825496,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'sam_ignoredomain'
[2017/05/10 17:16:15.825514,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend winbind
[2017/05/10 17:16:15.825530,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'winbind'
[2017/05/10 17:16:15.825552,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend unix
[2017/05/10 17:16:15.825570,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'unix'
[2017/05/10 17:16:15.825584,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend wbc
[2017/05/10 17:16:15.825597,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'wbc'
[2017/05/10 17:16:15.825614,  5]
../source3/auth/auth.c:48(smb_register_auth)
   Attempting to register auth backend samba4
[2017/05/10 17:16:15.825631,  5]
../source3/auth/auth.c:60(smb_register_auth)
   Successfully added auth method 'samba4'
[2017/05/10 17:16:15.825645,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match guest
[2017/05/10 17:16:15.825661,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method guest has a valid init
[2017/05/10 17:16:15.825676,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match sam
[2017/05/10 17:16:15.825692,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method sam has a valid init
[2017/05/10 17:16:15.825707,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match
winbind:ntdomain
[2017/05/10 17:16:15.825722,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match ntdomain
[2017/05/10 17:16:15.825738,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method ntdomain has a valid init
[2017/05/10 17:16:15.825753,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method winbind has a valid init
[2017/05/10 17:16:15.826055,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2017/05/10 17:16:15.826133,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
   Starting GENSEC submechanism gse_krb5
[2017/05/10 17:16:16.352824,  3] ../source3/smbd/negprot.c:394(reply_nt1)
   using SPNEGO
[2017/05/10 17:16:16.352862,  3]
../source3/smbd/negprot.c:730(reply_negprot)
   Selected protocol NT LANMAN 1.0
[2017/05/10 17:16:16.352871,  5]
../source3/smbd/negprot.c:737(reply_negprot)
   negprot index=8
[2017/05/10 17:16:16.352881,  5] ../source3/lib/util.c:171(show_msg)
[2017/05/10 17:16:16.352886,  5] ../source3/lib/util.c:181(show_msg)
   size=181
   smb_com=0x72
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=136
   smb_flg2=51267
   smb_tid=0
   smb_pid=65534
   smb_uid=0
   smb_mid=0
   smt_wct=17
   smb_vwv[ 0]=    8 (0x8)
   smb_vwv[ 1]=12803 (0x3203)
   smb_vwv[ 2]=  256 (0x100)
   smb_vwv[ 3]= 1024 (0x400)
   smb_vwv[ 4]=   65 (0x41)
   smb_vwv[ 5]=    0 (0x0)
   smb_vwv[ 6]=  256 (0x100)
   smb_vwv[ 7]= 7168 (0x1C00)
   smb_vwv[ 8]=   55 (0x37)
   smb_vwv[ 9]=64768 (0xFD00)
   smb_vwv[10]=33011 (0x80F3)
   smb_vwv[11]=62336 (0xF380)
   smb_vwv[12]= 8118 (0x1FB6)
   smb_vwv[13]=41054 (0xA05E)
   smb_vwv[14]=53961 (0xD2C9)
   smb_vwv[15]=34817 (0x8801)
   smb_vwv[16]=  255 (0xFF)
   smb_bcc=112
[2017/05/10 17:16:21.261826,  6] ../source3/smbd/process.c:1955(process_smb)
   got message type 0x0 of len 0x64e
[2017/05/10 17:16:21.261912,  3] ../source3/smbd/process.c:1957(process_smb)
   Transaction 1 of length 1618 (0 toread)
[2017/05/10 17:16:21.261937,  5] ../source3/lib/util.c:171(show_msg)
[2017/05/10 17:16:21.261953,  5] ../source3/lib/util.c:181(show_msg)
   size=1614
   smb_com=0x73
   smb_rcls=0
   smb_reh=0
   smb_err=0
   smb_flg=24
   smb_flg2=51267
   smb_tid=0
   smb_pid=2614
   smb_uid=0
   smb_mid=1
   smt_wct=12
   smb_vwv[ 0]=  255 (0xFF)
   smb_vwv[ 1]=    0 (0x0)
   smb_vwv[ 2]=65535 (0xFFFF)
   smb_vwv[ 3]=    2 (0x2)
   smb_vwv[ 4]=    1 (0x1)
   smb_vwv[ 5]=    0 (0x0)
   smb_vwv[ 6]=    0 (0x0)
   smb_vwv[ 7]= 1533 (0x5FD)
   smb_vwv[ 8]=    0 (0x0)
   smb_vwv[ 9]=    0 (0x0)
   smb_vwv[10]=49236 (0xC054)
   smb_vwv[11]=32768 (0x8000)
   smb_bcc=1555
[2017/05/10 17:16:21.262116,  3]
../source3/smbd/process.c:1538(switch_message)
   switch message SMBsesssetupX (pid 14108) conn 0x0
[2017/05/10 17:16:21.262150,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:21.262173,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:21.262194,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:21.262234,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:21.262270,  3]
../source3/smbd/sesssetup.c:623(reply_sesssetup_and_X)
   wct=12 flg2=0xc843
[2017/05/10 17:16:21.262301,  3]
../source3/smbd/sesssetup.c:140(reply_sesssetup_and_X_spnego)
   Doing spnego session setup
[2017/05/10 17:16:21.262332,  3]
../source3/smbd/sesssetup.c:181(reply_sesssetup_and_X_spnego)
   NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2017/05/10 17:16:21.262427,  5]
../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
   check lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2017/05/10 17:16:21.262680,  5]
../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
   release lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2017/05/10 17:16:21.262726,  5]
../source3/auth/auth.c:477(make_auth_context_subsystem)
   Making default auth method list for server role = 'domain member'
[2017/05/10 17:16:21.262762,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match guest
[2017/05/10 17:16:21.262789,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method guest has a valid init
[2017/05/10 17:16:21.262810,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match sam
[2017/05/10 17:16:21.262831,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method sam has a valid init
[2017/05/10 17:16:21.262851,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match
winbind:ntdomain
[2017/05/10 17:16:21.262872,  5]
../source3/auth/auth.c:378(load_auth_module)
   load_auth_module: Attempting to find an auth method to match ntdomain
[2017/05/10 17:16:21.262894,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method ntdomain has a valid init
[2017/05/10 17:16:21.262913,  5]
../source3/auth/auth.c:403(load_auth_module)
   load_auth_module: auth method winbind has a valid init
[2017/05/10 17:16:21.263011,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
   Starting GENSEC mechanism spnego
[2017/05/10 17:16:21.263095,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/05/10 17:16:21.263122,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/05/10 17:16:21.263142,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/05/10 17:16:21.263162,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:21.263180,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:21.263290,  5]
../auth/gensec/gensec_start.c:681(gensec_start_mech)
   Starting GENSEC submechanism gse_krb5
[2017/05/10 17:16:21.792985,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:21.793124,  4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/05/10 17:16:21.793144,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/05/10 17:16:21.793153,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/05/10 17:16:21.793172,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:21.793184,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:22.402313,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:22.402525,  3]
../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: Administrator []
[2017/05/10 17:16:22.402590,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
   Kerberos ticket principal name is [[hidden email]]
[2017/05/10 17:16:22.402621,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user NAVIDOM\Administrator
[2017/05/10 17:16:22.402632,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is navidom\administrator
[2017/05/10 17:16:22.405491,  5]
../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is NAVIDOM\Administrator
[2017/05/10 17:16:22.405757,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as uppercase is NAVIDOM\ADMINISTRATOR
[2017/05/10 17:16:22.406002,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in navidom\administrator
[2017/05/10 17:16:22.406057,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [NAVIDOM\Administrator]!
[2017/05/10 17:16:22.406076,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
   Finding user Administrator
[2017/05/10 17:16:22.406090,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is administrator
[2017/05/10 17:16:22.406315,  5]
../source3/lib/username.c:128(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is Administrator
[2017/05/10 17:16:22.406566,  5]
../source3/lib/username.c:141(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
[2017/05/10 17:16:22.406802,  5]
../source3/lib/username.c:153(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in administrator
[2017/05/10 17:16:22.406827,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [Administrator]!
[2017/05/10 17:16:22.406929,  3]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
   get_user_from_kerberos_info: Username NAVIDOM\Administrator is
invalid on this system
[2017/05/10 17:16:22.406952,  3]
../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
   auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
[2017/05/10 17:16:22.406988,  1]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
   Failed to generate session_info (user and group token) for session
setup: NT_STATUS_ACCESS_DENIED
[2017/05/10 17:16:22.407010,  5]
../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
   check lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2017/05/10 17:16:22.407070,  5]
../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
   release lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2017/05/10 17:16:22.407193,  3]
../source3/smbd/error.c:82(error_packet_set)
   NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115
(SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2017/05/10 17:16:22.407222,  5] ../source3/lib/util.c:171(show_msg)
[2017/05/10 17:16:22.407232,  5] ../source3/lib/util.c:181(show_msg)
   size=35
   smb_com=0x73
   smb_rcls=34
   smb_reh=0
   smb_err=49152
   smb_flg=136
   smb_flg2=51203
   smb_tid=0
   smb_pid=2614
   smb_uid=0
   smb_mid=1
   smt_wct=0
   smb_bcc=0
[2017/05/10 17:16:22.407889,  5]
../source3/lib/util_sock.c:134(read_fd_with_timeout)
   read_fd_with_timeout: blocking read. EOF from client.
[2017/05/10 17:16:22.407918,  5]
../source3/smbd/process.c:554(receive_smb_talloc)
   receive_smb_raw_talloc failed for client ipv4:192.168.1.2:36348 read
error = NT_STATUS_END_OF_FILE.
[2017/05/10 17:16:22.407959,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:22.407974,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:22.407985,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:22.408005,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:22.408037,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:22.408051,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:22.408061,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:22.408079,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:22.408092,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:22.408108,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:22.408119,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:22.408136,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:22.408151,  4]
../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/05/10 17:16:22.408162,  5]
../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2017/05/10 17:16:22.408172,  5]
../source3/auth/token_util.c:640(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2017/05/10 17:16:22.408188,  5]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2017/05/10 17:16:22.408396,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
   Server exit (failed to receive smb request)

Best regards,

Olaf


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.6.0 - Domain admin can't list nor access shares on file server

On Wed, 10 May 2017 17:47:37 +0200
Olaf Frączyk via samba <[hidden email]> wrote:

> Hello,
>
> I have domain NAVIDOM.
>
> There is also a fileserver that has joined the domain (both file
> server and DC are samba 4.6.0).
>
> If I try to connect as NAVIDOM\Administrator, I cannot access the
> file server (from Linux and Windows):
>
> [root@dc var]# smbclient -U Administrator -L fileserv
> Enter NAVIDOM\Administrator's password:
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> I can do it as a regular user:
>
> [root@fileserv samba]# smbclient -U olaf -L fileserv
> Enter NAVIDOM\olaf's password:
>
>      Sharename       Type      Comment
>      ---------       ----      -------
>
> .......
>
> Is this normal or do I have a problem with my setup?
>

Possibly normal, but it depends on your smb.conf on the Unix domain
member, so can you post the smb.conf from the Unix domain member (the
thing you call a fileserver)?

Rowland



Re: Samba 4.6.0 - Domain admin can't list nor access shares on file server


On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:

> On Wed, 10 May 2017 17:47:37 +0200
> Olaf Frączyk via samba <[hidden email]> wrote:
>
>> Hello,
>>
>> I have domain NAVIDOM.
>>
>> There is also a fileserver that has joined the domain (both file
>> server and DC are samba 4.6.0).
>>
>> If I try to connect as NAVIDOM\Administrator, I cannot access the
>> file server (from Linux and Windows):
>>
>> [root@dc var]# smbclient -U Administrator -L fileserv
>> Enter NAVIDOM\Administrator's password:
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>> I can do it as a regular user:
>>
>> [root@fileserv samba]# smbclient -U olaf -L fileserv
>> Enter NAVIDOM\olaf's password:
>>
>>       Sharename       Type      Comment
>>       ---------       ----      -------
>>
>> .......
>>
>> Is this normal or do I have a problem with my setup?
>>
> Possibly normal, but it depends on your smb.conf on the Unix domain
> member, so can you post the smb.conf from the Unix domain member (the
> thing you call a fileserver)
>
> Rowland
>
>
[global]
     security = ADS
     workgroup = NAVIDOM
     realm = NAVIDOM.OFFICE.NAVI.PL
     log file = /var/log/samba/%m.log
     log level = 1
     idmap config * : backend = tdb
     idmap config * : range = 20000-20999
     idmap config NAVIDOM:backend = ad
     idmap config NAVIDOM:schema_mode = rfc2307
     idmap config NAVIDOM:range = 1000-9999
     idmap config NAVIDOM:unix_nss_info = yes
     idmap config NAVIDOM:unix_primary_group = yes
     winbind use default domain = yes
     winbind nss info = rfc2307
     winbind refresh tickets = yes
     template shell = /bin/bash
     template homedir = /home/%U
     create mask = 0666
     directory mask= 0777
     store dos attributes = yes

Is this because of NAVIDOM:range = 1000-9999, so it doesn't include uid 0?



Re: Samba 4.6.0 - Domain admin can't list nor access shares on file server

On Wed, 10 May 2017 18:44:33 +0200
Olaf Frączyk via samba <[hidden email]> wrote:

>
>
> On 5/10/2017 6:06 PM, Rowland Penny via samba wrote:
> > On Wed, 10 May 2017 17:47:37 +0200
> > Olaf Frączyk via samba <[hidden email]> wrote:
> >
> >> Hello,
> >>
> >> I have domain NAVIDOM.
> >>
> >> There is also a fileserver that has joined the domain (both file
> >> server and DC are samba 4.6.0).
> >>
> >> If I try to connect as NAVIDOM\Administrator, I cannot access the
> >> file server (from Linux and Windows):
> >>
> >> [root@dc var]# smbclient -U Administrator -L fileserv
> >> Enter NAVIDOM\Administrator's password:
> >> session setup failed: NT_STATUS_ACCESS_DENIED
> >>
> >> I can do it as a regular user:
> >>
> >> [root@fileserv samba]# smbclient -U olaf -L fileserv
> >> Enter NAVIDOM\olaf's password:
> >>
> >>       Sharename       Type      Comment
> >>       ---------       ----      -------
> >>
> >> .......
> >>
> >> Is this normal or do I have a problem with my setup?
> >>
> > Possibly normal, but it depends on your smb.conf on the Unix domain
> > member, so can you post the smb.conf from the Unix domain member
> > (the thing you call a fileserver)
> >
> > Rowland
> >
> >
> [global]
>      security = ADS
>      workgroup = NAVIDOM
>      realm = NAVIDOM.OFFICE.NAVI.PL
>      log file = /var/log/samba/%m.log
>      log level = 1
>      idmap config * : backend = tdb
>      idmap config * : range = 20000-20999
>      idmap config NAVIDOM:backend = ad
>      idmap config NAVIDOM:schema_mode = rfc2307
>      idmap config NAVIDOM:range = 1000-9999
>      idmap config NAVIDOM:unix_nss_info = yes
>      idmap config NAVIDOM:unix_primary_group = yes
>      winbind use default domain = yes
>      winbind nss info = rfc2307
>      winbind refresh tickets = yes
>      template shell = /bin/bash
>      template homedir = /home/%U
>      create mask = 0666
>      directory mask= 0777
>      store dos attributes = yes
>
> Is this because of NAVIDOM:range = 1000-9999, so it doesn't include
> uid 0?
>
>

No, it is because your Unix OS has no idea who the Windows user
'Administrator' is ;-)

You need to map it to the 'root' user by adding this line to smb.conf:

username map = /etc/samba/user.map

and then create the user.map containing this:

!root = NAVIDOM\Administrator NAVIDOM\administrator Administrator administrator

Restart Samba; you will then be able to connect from a Windows machine to
your Unix machine and do maintenance.

You will still find that the OS still doesn't know who 'Administrator'
is, but this doesn't really matter.

Rowland
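
The failure chain in the log from the first message, as an added triage example (not part of the original thread and not Samba code): it rejoins the e-mail-wrapped log lines and reports session setups where the PAC was decoded but the account could not be mapped to a Unix user, the condition the username map above addresses. The function names are hypothetical, the sample is abridged from the posted log, and the code assumes the log holds one connection's records in order.

```python
import re

# Abridged from the debug log in the original post, including the e-mail
# line wrapping that splits headers and messages across lines.
SAMPLE_LOG = r"""[2017/05/10 17:16:22.402525,  3]
../auth/kerberos/kerberos_pac.c:409(kerberos_decode_pac)
   Found account name from PAC: Administrator []
[2017/05/10 17:16:22.406057,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [NAVIDOM\Administrator]!
[2017/05/10 17:16:22.406827,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [Administrator]!
[2017/05/10 17:16:22.406929,  3]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
   get_user_from_kerberos_info: Username NAVIDOM\Administrator is
invalid on this system
[2017/05/10 17:16:22.406952,  3]
../source3/auth/auth_generic.c:145(auth3_generate_session_info_pac)
   auth3_generate_session_info_pac: Failed to map kerberos principal to
system user (NT_STATUS_LOGON_FAILURE)
[2017/05/10 17:16:22.406988,  1]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
   Failed to generate session_info (user and group token) for session
setup: NT_STATUS_ACCESS_DENIED
"""

# "[timestamp, level]" starts a record; everything up to the next header
# (source location, message, wrapped continuation lines) belongs to it.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(.*)$")
PAC = re.compile(r"Found account name from PAC: (\S+)")
NOT_FOUND = re.compile(r"Get_Pwnam_internals didn't find user \[([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
MAP_FAIL = "Failed to map kerberos principal to system user"
DENIED = re.compile(r"Failed to generate session_info .* (NT_STATUS_\w+)")


def parse_records(text):
    """Return log records with wrapped lines rejoined into one message."""
    recs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            recs.append({"ts": m.group(1), "level": int(m.group(2)),
                         "parts": [m.group(3)]})
        elif recs:
            recs[-1]["parts"].append(line)
    for rec in recs:
        rec["msg"] = " ".join(" ".join(rec.pop("parts")).split())
    return recs


def find_unmapped_logons(text):
    """Report session setups denied because no Unix user matched the PAC."""
    findings, state = [], None
    for rec in parse_records(text):
        msg = rec["msg"]
        if m := PAC.search(msg):
            # A decoded PAC starts a new authentication attempt.
            state = {"pac_account": m.group(1), "names_tried": [],
                     "principal": None, "mapping_failed": False}
        elif state is None:
            continue
        elif m := NOT_FOUND.search(msg):
            state["names_tried"].append(m.group(1))
        elif m := INVALID.search(msg):
            state["principal"] = m.group(1)
        elif MAP_FAIL in msg:
            state["mapping_failed"] = True
        elif m := DENIED.search(msg):
            if state["mapping_failed"]:
                del state["mapping_failed"]
                findings.append({"time": rec["ts"], "status": m.group(1),
                                 **state})
            state = None
    return findings


if __name__ == "__main__":
    for f in find_unmapped_logons(SAMPLE_LOG):
        print(f"{f['time']} {f['status']}: {f['principal']} has no Unix "
              f"account (lookups tried: {', '.join(f['names_tried'])})")
```

A hit means the credentials were not the problem: the lookup for a local account failed afterwards, so the place to look is `getent passwd`, the idmap settings or the username map rather than the password.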
