With what I've read and what I've seen with the rebuilds, there's a good chance the rejoin could fix your problem. That being said, there are no guarantees with winbind. It's the part of the Samba suite that has given me the most problems over the years, breaking existing configs almost every time its internal workings are changed.

I wish you good luck!

Dale


On 11/30/2012 12:57 PM, Kevin Elliott wrote:
Dale,

I was afraid of that. We were forced to upgrade from 3.5.x because of a 
reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x 
introduces idmap/rid issues. I guess we just traded one for another.

Do you think un-joining and then re-joining the existing system could fix this?

Thanks.


---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




-----Original Message-----
From: Dale Schroeder [mailto:[email protected]]
Sent: Friday, November 30, 2012 9:38 AM
To: Kevin Elliott
Cc: '[email protected]'
Subject: Re: [Samba] User is invalid on this system

Kevin,

3.6.x has had several issues with idmap rid.  I was hit with this one:
https://bugzilla.samba.org/show_bug.cgi?id=8676 .  Searching for idmap rid 
issues with 3.6.x will reveal others as well.

Someone indicated that rejoining the domain would fix this issue. As it so 
happened, I had to rebuild one of the servers.  After joining the rebuilt 
system to the domain, it has worked flawlessly ever since.  So, it appears the 
problem with rid and some of the other idmap backends is somehow related to 
upgrading, as newly joined systems work as expected.

Dale


On 11/29/2012 6:51 PM, Kevin Elliott wrote:
Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 
3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map 
Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
    switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
    wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
    Doing spnego session setup
[2012/11/29 15:23:58.120409,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
    NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
    reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
    Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
    Kerberos ticket principal name is [[email protected]]
[2012/11/29 15:23:58.124710,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
    Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
    error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
    receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
    Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
          workgroup = CBJ_NT
          realm = CBJ.LOCAL
          netbios aliases = CITY-LIZA-L90, CITY-LIZA
          server string = External FTP Server
          interfaces = 192.0.2.87/32, lo
          bind interfaces only = Yes
          security = ADS
          obey pam restrictions = Yes
          password server = 192.0.2.25, 192.0.2.50
          passwd program = /usr/bin/passwd %u
          passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
          client NTLMv2 auth = Yes
          log level = 3
          log file = /var/log/samba/log.%m
          max log size = 2500
          printcap name = cups
          os level = 5
          local master = No
          domain master = No
          wins server = 192.0.2.25
          ldap ssl = no
          panic action = /usr/share/samba/panic-action %d
          winbind separator = +
          winbind enum users = Yes
          winbind enum groups = Yes
          winbind use default domain = Yes
          idmap config LIBRARY:range = 65535-79999
          idmap config LIBRARY:base_rid = 0
          idmap config LIBRARY:backend = rid
          idmap config * : range = 10000-65533
          idmap config * : base_rid = 0
          idmap config * : backend = rid
          admin users = @CBJ_NT+admin
          veto files = /.*/

[ftp]
          comment = FTP directory
          path = /var/ftp/pub/
          valid users = "@CBJ_NT+domain users"
          read only = No
          create mask = 0775
          directory mask = 0775
          hide unreadable = Yes


Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
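
An added example, not part of the original thread and not Samba code: a small Python triage script for the kind of smbd log quoted in the post. It flags session setups where the Kerberos PAC was decoded but smbd then rejected the username, which points at user mapping (winbind/NSS) rather than at authentication itself. The function names and the embedded sample are assumptions made for illustration.

```python
import re

# Constructed sample based on the smbd log in the post; one header is left
# wrapped onto two lines, as mail clients do, to exercise that case.
SAMPLE_LOG = """\
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
    Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124710,  1]
auth/user_krb5.c:162(get_user_from_kerberos_info)
    Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
    error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]\s*(.*)$")
PAC = re.compile(r"Found account name from PAC: (\S+)")
INVALID = re.compile(r"Username (\S+) is invalid on this system")

def parse_records(text):
    """Group a Samba log into (timestamp, level, location, message) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3).strip(), ""])
        elif records and not records[-1][2] and not line.startswith(" "):
            records[-1][2] = line.strip()  # wrapped header: location on next line
        elif records:
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def unmapped_kerberos_logons(text):
    """Return events where a PAC was decoded but the username was then rejected."""
    events, pac_user = [], None
    for ts, _level, _loc, msg in parse_records(text):
        if (m := PAC.search(msg)):
            pac_user = m.group(1)
        elif (m := INVALID.search(msg)) and pac_user:
            events.append({"time": ts, "pac_account": pac_user,
                           "rejected_name": m.group(1), "status": None})
            pac_user = None
        elif events and events[-1]["status"] is None and "NT_STATUS_" in msg:
            events[-1]["status"] = re.search(r"NT_STATUS_\w+", msg).group(0)
    return events
```
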


