
Samba login failure: getpwuid failed

Samba - General mailing list
Hello,
I cannot access a remote drive using Windows or smbclient; my
authentication appears successful according to the samba log file, but
`getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
4.2.3. The client is CentOS 7.2 and smbclient 4.2.3.  The logfile shows:

    [2017/05/06 22:57:48.729284,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
      check_ntlm_password:  authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
    [2017/05/06 22:57:48.731091,  1] ../source3/auth/token_util.c:430(add_local_groups)
      SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
    [2017/05/06 22:57:48.731164,  1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
      Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL

Strangely, the SID corresponds to a local user:

    # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
    NY4010\developer_prod 1

(ny4010 is my Samba server machine), even though on the client I am logging
in using a domain user:

    $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
    session setup failed: NT_STATUS_UNSUCCESSFUL

Here is my smb.conf file:

    [global]
       workgroup = MYDOMAIN
       password server = my_domain_server.mydomain.local
       realm = MYDOMAIN.LOCAL
       security = ads
       idmap config * : range = 16777216-33554431
       template homedir = /home/%U
       template shell = /bin/bash
       kerberos method = secrets only
       winbind use default domain = true
       winbind offline logon = false
       log level = 2
       encrypt passwords = yes
           unix extensions = no
            server string = Samba Server Version %v
            log file = /var/log/samba/log.%m
            max log size = 50
            security = ads
            passdb backend = tdbsam
            realm = MYDOMAIN.LOCAL
            password server = my_domain_server.mydomain.local
            local master = no
    [homes]
            comment = Home Directories
            browseable = no
            writable = yes
    [release]
           comment = Shared directory: /prod
           path = /prod
           browseable = yes
           read only = no
           valid users = developer_prod
           guest ok = yes
           public = yes
           follow symlinks = yes
           wide links = yes
           force user = developer_prod
    [log]
           comment = Shared directory: /prod/log
           path = /prod/log
           browseable = yes
           read only = yes
           guest ok = yes
           public = yes

My nsswitch.conf file looks like:

    passwd:     files winbind

I think the smoking gun here is that a local user's SID is showing up in
that "getpwuid() failed" line...

Thanks.
--
-Mike Schwager
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba login failure: getpwuid failed

On Sun, 7 May 2017 09:04:25 -0500
Michael Schwager via samba <[hidden email]> wrote:

> Hello,
> I cannot access a remote drive using Windows or smbclient; my
> authentication appears successful according to the samba log file, but
> `getpwuid` fails. The server (remote) is running CentOS 7.2 and Samba
> 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3.  The logfile
> shows:
>
>     [2017/05/06 22:57:48.729284,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
>       check_ntlm_password:  authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
>     [2017/05/06 22:57:48.731091,  1] ../source3/auth/token_util.c:430(add_local_groups)
>       SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
>     [2017/05/06 22:57:48.731164,  1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
>       Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
>
> Strangely, the SID corresponds to a local user:
>
>     # wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000
>     NY4010\developer_prod 1
>
> (ny4010 is my Samba server machine), even though on the client I am
> logging in using a domain user:
>
>     $ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
>     session setup failed: NT_STATUS_UNSUCCESSFUL
>
> Here is my smb.conf file:
>
>     [global]
>        workgroup = MYDOMAIN
>        password server = my_domain_server.mydomain.local
>        realm = MYDOMAIN.LOCAL
>        security = ads
>        idmap config * : range = 16777216-33554431
>        template homedir = /home/%U
>        template shell = /bin/bash
>        kerberos method = secrets only
>        winbind use default domain = true
>        winbind offline logon = false
>        log level = 2
>        encrypt passwords = yes
>            unix extensions = no
>             server string = Samba Server Version %v
>             log file = /var/log/samba/log.%m
>             max log size = 50
>             security = ads
>             passdb backend = tdbsam
>             realm = MYDOMAIN.LOCAL
>             password server = my_domain_server.mydomain.local
>             local master = no
>     [homes]
>             comment = Home Directories
>             browseable = no
>             writable = yes
>     [release]
>            comment = Shared directory: /prod
>            path = /prod
>            browseable = yes
>            read only = no
>            valid users = developer_prod
>            guest ok = yes
>            public = yes
>            follow symlinks = yes
>            wide links = yes
>            force user = developer_prod
>     [log]
>            comment = Shared directory: /prod/log
>            path = /prod/log
>            browseable = yes
>            read only = yes
>            guest ok = yes
>            public = yes
>
> My nsswitch.conf file looks like:
>
>     passwd:     files winbind
>
> I think the smoking gun here is that a local user's SID is showing up
> in that "getpwuid() failed" line...
>
> Thanks.

Are you using sssd? If so, then remove 'winbind' from the 'passwd' line
in /etc/nsswitch.conf and put back the 'sss' that you must have removed.
Remove winbind and then go and ask on the sssd-users mailing list; you
cannot use sssd and winbind.

If, however, you are not using sssd, then add winbind to the group line
in /etc/nsswitch.conf, then make [global] in smb.conf look like this:

    [global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.LOCAL
        server string = Samba Server Version %v
        security = ads
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = true
        log level = 2
        unix extensions = no
        log file = /var/log/samba/log.%m
        max log size = 50
        local master = no

        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        ## map ids from the domain  the ranges may not overlap !
        idmap config MYDOMAIN : backend = rid
        idmap config MYDOMAIN : range = 10000-999999

        # For ACL support on domain member
        vfs objects = acl_xattr
        map acl inherit = Yes
        store dos attributes = Yes

Rowland

Re: Samba login failure: getpwuid failed

Hi Rowland,
Thanks for the reply. I did as you suggested and did not see any change in
my system behavior.

I put everything back the way it was. Then I noticed that I have an
identical system (so I think) right next to it, on the same rack, connected
to the same switch, with the same OS and hardware, and it is working 100%.

Fundamentally, I cannot su to my user "developer_prod" as the "id" utility
complains that it "cannot find user for ID 16777216". I believe something
is wrong with winbind, and I don't know what it is.

Does winbind use the smb.conf file?


On Sun, May 7, 2017 at 9:34 AM, Rowland Penny via samba <
[hidden email]> wrote:

> Are you using sssd? If so, then remove 'winbind' from the 'passwd' line
> in /etc/nsswitch.conf and put back the 'sss' that you must have removed.
> Remove winbind and then go and ask on the sssd-users mailing list; you
> cannot use sssd and winbind.
>
> If, however, you are not using sssd, then add winbind to the group line
> in /etc/nsswitch.conf, then make [global] in smb.conf look like this:
>
> [global]
>     workgroup = MYDOMAIN
>     realm = MYDOMAIN.LOCAL
>     server string = Samba Server Version %v
>     security = ads
>     template homedir = /home/%U
>     template shell = /bin/bash
>     winbind use default domain = true
>     log level = 2
>     unix extensions = no
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     local master = no
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config MYDOMAIN : backend = rid
>     idmap config MYDOMAIN : range = 10000-999999
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
> Rowland

--
-Mike Schwager

Re: Samba login failure: getpwuid failed

On Sun, 7 May 2017 23:55:52 -0500
Michael Schwager <[hidden email]> wrote:

> Hi Rowland,
> Thanks for the reply. I did as you suggested and did not see any
> change in my system behavior.
>
> I put everything back the way it was. Then I noticed that I have an
> identical system (so I think) right next to it, on the same rack,
> connected to the same switch, with the same OS and hardware, and it
> is working 100%.
>
> Fundamentally, I cannot su to my user "developer_prod" as the "id"
> utility complains that it "cannot find user for ID 16777216". I
> believe something is wrong with winbind, and I don't know what it is.
>
> Does winbind use the smb.conf file?
>

You are doing this in production, aren't you? Did you not do any testing
before putting it into production?

In answer to your question, winbind uses the smb.conf file, but yours
was not set up correctly for winbind.

Try reading this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I repeat, you cannot use winbind with sssd installed; they both have a
version of a winbind lib, and you need to choose one or the other.

If you must use the user '16777216' then change the '10000-999999'
range to reflect this.

Rowland
