On Tue, Feb 14, 2017 at 10:48 AM, Michael Hirmke <mh@mike.franken.de> wrote:
Hi Roger,
    # winbind use default domain = yes
    winbind uid = 50000-60000
    winbind gid = 50000-60000
    winbind separator = /
    winbind nested groups = yes
    winbind enum groups = yes
    winbind enum users = yes

But this is not the reason for your problems, just cosmetics.
I made the changes. Nice to have the messages gone. Odd that Yast on Tumbleweed puts some of those in the file.
    sto-opq-src:~ # smbclient --user=roropq //localhost/roger
    WARNING: The "idmap gid" option is deprecated
    WARNING: The "idmap uid" option is deprecated
    Domain=[RAMBOLL] OS=[Windows 6.1] Server=[Samba 4.5.3-0-SUSE-oS13.3-x86_64]
    tree connect failed: NT_STATUS_ACCESS_DENIED
    sto-opq-src:~ #
What if you add the domain to the user name:
    sto-opq-src:~ # smbclient --user=<domain>/roropq //localhost/roger
or
    sto-opq-src:~ # smbclient --user=<domain>\\roropq //localhost/roger
[...]
So the share is known on localhost...
I am using localhost when testing on the Tumbleweed machine. But the FQDN has the same failure. Adding the domain to the user name made no difference.

    sto-opq-src:/etc/samba # smbclient --user=RAMBOLL/roropq //sto-opq-src.scc.se/roger
    Domain=[RAMBOLL] OS=[Windows 6.1] Server=[Samba 4.5.3-0-SUSE-oS13.3-x86_64]
    tree connect failed: NT_STATUS_ACCESS_DENIED

What does the corresponding section in the smb.conf look like? Something like

    # Active Directory
    security = ADS
    realm = DOMAIN1
    password server = <ip server 1> <ip server 2>
    server max protocol = smb3

I only have these:

    realm = RAMBOLL.RAMBOLL-GROUP.GLOBAL.NETWORK
    security = ADS

I added:

    password server = ramstodc02.ramboll.ramboll-group.global.network
    server max protocol = smb3

But it made no difference.
where realm and password server have to match the entries in krb5.conf.
Can you increase the log level for authentication in the samba config?

    log level = auth:10

If there is nothing more to see, increase all debug classes:

    log level = 10

This is interesting. I get the following:

    [2017/02/14 11:31:44.056943, 5, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:122(make_user_info_map)
      Mapping user [RAMBOLL]\[roropq] from workstation [STO-OPQ-SRC]
    [2017/02/14 11:31:44.057548, 5, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:62(make_user_info)
      attempting to make a user_info for roropq (roropq)
    [2017/02/14 11:31:44.057612, 5, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:70(make_user_info)
      making strings for roropq's user_info struct
    [2017/02/14 11:31:44.057623, 5, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:108(make_user_info)
      making blobs for roropq's user_info struct
    [2017/02/14 11:31:44.057638, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
      made a user_info for roropq (roropq)
    [2017/02/14 11:31:44.057647, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
      check_ntlm_password: Checking password for unmapped user [RAMBOLL]\[roropq]@[STO-OPQ-SRC] with the new password interface
    [2017/02/14 11:31:44.057657, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
      check_ntlm_password: mapped user is: [RAMBOLL]\[roropq]@[STO-OPQ-SRC]
    [2017/02/14 11:31:44.057666, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
      check_ntlm_password: auth_context challenge created by random
    [2017/02/14 11:31:44.057675, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
      challenge is:
    [2017/02/14 11:31:44.057684, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:41(check_guest_security)
      Check auth for: [roropq]
    [2017/02/14 11:31:44.057694, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
      check_ntlm_password: guest had nothing to say
    [2017/02/14 11:31:44.057703, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
      Check auth for: [roropq]
    [2017/02/14 11:31:44.057713, 6, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
      check_samstrict_security: RAMBOLL is not one of my local names (ROLE_DOMAIN_MEMBER)
    [2017/02/14 11:31:44.057722, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
      check_ntlm_password: sam had nothing to say
    [2017/02/14 11:31:44.057732, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
      Check auth for: [roropq]
    [2017/02/14 11:31:44.065621, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1233(check_account)
      Failed to find authenticated user RAMBOLL/roropq via getpwnam(), denying access.
    [2017/02/14 11:31:44.065684, 5, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
      check_ntlm_password: winbind authentication for user [roropq] FAILED with error NT_STATUS_NO_SUCH_USER
    [2017/02/14 11:31:44.065719, 2, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [roropq] -> [roropq] FAILED with error NT_STATUS_NO_SUCH_USER
    [2017/02/14 11:31:44.065730, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1611(do_map_to_guest_server_info)
      No such user roropq [RAMBOLL] - using guest account

NT_STATUS_NO_SUCH_USER seems unexpected. The user does exist. It is the same one I use from the working Samba! I can't tell if that complaint is really coming from the Domain controller, or something samba has decided locally...
--
Roger Oberholtzer
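
Added example (not part of the thread and not Samba code): a small Python parser for the `class=auth` entries quoted in the message above, reporting whether the failure was logged at the local `getpwnam()` lookup or only as a backend status. The names `parse_entries`, `diagnose` and the stage labels are invented for this example, and the header layout is assumed to match the log lines shown.

```python
import re

# Entry header as printed in the quoted log: [time, level, pid=..., class=...] file:line(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+),"
    r"[^\]]*?class=(?P<cls>\w+)\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)

# Excerpt of the log quoted in the message above, one header line and one message line per entry.
SAMPLE_LOG = """\
[2017/02/14 11:31:44.057732, 10, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [roropq]
[2017/02/14 11:31:44.065621, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1233(check_account)
  Failed to find authenticated user RAMBOLL/roropq via getpwnam(), denying access.
[2017/02/14 11:31:44.065719, 2, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roropq] -> [roropq] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/02/14 11:31:44.065730, 3, pid=15668, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1611(do_map_to_guest_server_info)
  No such user roropq [RAMBOLL] - using guest account
"""

def parse_entries(text):
    """Split a log into entries; works on wrapped and on flattened (single-line) logs."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = h.groupdict()
        entry["msg"] = " ".join(text[h.end():end].split())
        entries.append(entry)
    return entries

def diagnose(text):
    """Report whether the failure was logged at the local account lookup or only as a status."""
    result = {"stage": None, "unix_name": None, "status": None, "mapped_to_guest": False}
    for e in parse_entries(text):
        m = re.search(r"authenticated user (\S+) via getpwnam\(\)", e["msg"])
        if e["func"] == "check_account" and m:
            # Logged by smbd itself while resolving the Unix account for the user.
            result["stage"], result["unix_name"] = "local-getpwnam", m.group(1)
        m = re.search(r"FAILED with error (NT_STATUS_\w+)", e["msg"])
        if m:
            result["status"] = m.group(1)
            result["stage"] = result["stage"] or "auth-backend"
        if "using guest account" in e["msg"]:
            result["mapped_to_guest"] = True
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A `local-getpwnam` result means the name in `unix_name` is the one that has to resolve through NSS on the member server, which `getent passwd` with that exact name will show.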