[Samba/AD] Authentification refusée

**tck-lt** · 07/02/2012, 10h35

Bonjour,

je dispose d'un serveur Samba en RHEL 4.6. C'est un serveur qui doit être accessible à un groupe de mon domaine Active Directory. Cela fonctionne pour les 2 personnes de l'AD qui avaient testé la connexion et dont leur user avait été directement intégré dans la conf Samba. On a remplacé ces 2 users par un groupe de l'AD dont ils font aussi partie. Pour eux, il n' y a pas de souci, ça fonctionne encore. En revanche, pour les autres du groupe, impossible de se connecter. Depuis mon poste XP, j'ai l'invite login/password mais elle continue de se réafficher sans message d'erreur. J'ai donc suivi tutorial pour tenter de refaire entièrement et correctement la config. Il m'a fait progresser énormément puisqu'auparavant la commande wbinfo ne remontait rien. Aujourd'hui, je vois bien tous les groupes et users de l'AD depuis mon serveur Samba. En revanche, je n'arrive toujours pas à m'authentifier, j'ai toujours le même symptôme.

Je me tourne vers vous pour me venir en aide, car là je suis à cours d'idée surtout que Kerberos n'est pas trop ma tasse de thé.

Merci d'avance.

Edit : Je viens de voir que mon fichier nsswitch.conf n'était pas correct. Je viens de modifier :

passwd: files
shadow: files
group: files

par

passwd: compat winbind
shadow: compat
group: compat winbind

Edit 2 : J'ai redémarré le bouzin et toujours pas mieux, je me dirige maintenant vers le répertoire /etc/pam.d, je pense qu'il me manque des choses au particulier du côté du fichier samba qui ne contient "que" ça :

auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth

Edit 3 : J'ai le message suivant dans mes logs :

Username XXXXINTRA\LOGIN is invalid on this system

Si je comprends bien, cela veut dire que Redhat ne trouve pas de compte correspondant dans /etc/passwd (ce qui est normal) ou que Redhat ne lui crée pas automatiquement de compte avec un uid/gid assocé. J'ai pourtant les lignes suivantes dans mon ficheir smb.conf :

idmap uid = 100000-200000
idmap gid = 100000-200000

J'ai créé un user (adduser) avec mon login. Je me suis connecté sans problème au répertoire partagé. Je l'ai supprimé, j'ai de nouveau le problème. Il y a donc bien un problème de mappage au niveau des mes utilisateurs de l'AD. Cependant, je ne comprends pas ce qui pourrait bloquer ce mappage.

Mon fichier smb.conf (il y a plusieurs paramètres que je ne maitrise pas) :

[global]
workgroup = XXXXXXINTRA
realm = XXXXXX.INTRA
server string = serveur %h (Samba %v, Ubuntu)
security = ADS
password server = xxxxxxxxxx-dc-01.xxxxxxxx.intra xxxxxxxxx-dc-02.xxxxxxxxx.intra
passdb backend = tdbsam
log file = /var/log/samba/%m.log
max log size = 50
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
winbind separator = /
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[xxxxxxxxxxxxx]
path = /xxxxxxxxxxxxxxx
valid users = @XXXXXXXXXXXXXXINTRA\GG_xxxxxxxxxxxx
hide files = /lost+found/
browseable = No

[xxxxxxxxxxxx]
path = /xxxxxxxxxxxxxxxxxxxx
valid users = @XXXXXXXXXXXXINTRA\GG_xxxxxxxxxxxxxx
force group = tomcat6
read only = No
create mask = 0660
hide files = /lost+found/
browseable = No

Edit 4 : Je viens de modifier le paramètre security. Je suis passé de la valeur ads à domain. Les commandes getent fonctionnent maintenant. Je vois que seulement 6 utilisateurs peuvent potentiellement utiliser Samba mais je ne comprends pas pourquoi ce n'est pas l'ensemble (je ne parle pas pour le moment d'accès aux répertoires partagés, je parle juste des utilisateurs qui sont mappés par winbind).

Edit 5 : la machine commence à avoir raison de moi et ça ne me plait pas. J'ai repassé la variable security à la valeur ads, autrement j'avais une erreur dans le join. Le fait d'avoir modifié mon nsswitch.conf m'a permis de faire fonctionner les commandes getent. Cependant, j'ai toujours un gros souci. En effet, les commandes wbinfo -u et -g me retournent 6080 et 1965 enregistrements. Quand j'effectue les commandes getent passwd et getent group, je n'ai que 45 et (dont 6 du domaine) et 402 enregistrements. Je n'arrive pas à expliquer cette différence.

Edit 6 : Ce matin, ça fonctionne pour 3 des 4 valid users présents dans le smb.conf (nous avons mis de côté le groupe GG_XXXXX). Je suis le 4ème :-)). Quand je tente de me connecter voici les logs (level 3) :

Code :

Sélectionner tout - Visualiser dans une fenêtre à part

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
[2012/02/08 10:24:57, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2012/02/08 10:24:57, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(276)
  Linux kernel oplocks enabled
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 0 of length 137
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBnegprot (pid 2337) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 1 of length 1448
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2337) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:57, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1217
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [Poste-16XXX$@XXXX.INTRA]
[2012/02/08 10:24:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXXINTRA\Poste-16XXX$ is invalid on this system
[2012/02/08 10:24:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 2 of length 1936
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2337) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:57, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1705
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [NLEXXXXXX@XXXX.INTRA]
[2012/02/08 10:24:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXINTRA\NLEXXXXXX is invalid on this system
[2012/02/08 10:24:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:57, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2012/02/08 10:24:57, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(276)
  Linux kernel oplocks enabled
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 0 of length 137
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBnegprot (pid 2338) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2012/02/08 10:24:57, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 1 of length 1448
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2338) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:57, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1217
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [Poste-16XXX$@XXXX.INTRA]
[2012/02/08 10:24:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXXINTRA\Poste-16XXX$ is invalid on this system
[2012/02/08 10:24:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:57, 3] smbd/process.c:process_smb(1068)
  Transaction 2 of length 1936
[2012/02/08 10:24:57, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2338) conn 0x0
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
  wct=12 flg2=0xc807
[2012/02/08 10:24:57, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1705
[2012/02/08 10:24:57, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [NLEXXXXXX@XXXX.INTRA]
[2012/02/08 10:24:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXXINTRA\NLEXXXXXX is invalid on this system
[2012/02/08 10:24:57, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:57, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2012/02/08 10:24:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:57, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2012/02/08 10:24:57, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)
[2012/02/08 10:24:58, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2012/02/08 10:24:58, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(276)
  Linux kernel oplocks enabled
[2012/02/08 10:24:58, 3] smbd/process.c:process_smb(1068)
  Transaction 0 of length 137
[2012/02/08 10:24:58, 3] smbd/process.c:switch_message(926)
  switch message SMBnegprot (pid 2339) conn 0x0
[2012/02/08 10:24:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2012/02/08 10:24:58, 3] smbd/process.c:process_smb(1068)
  Transaction 1 of length 1448
[2012/02/08 10:24:58, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2339) conn 0x0
[2012/02/08 10:24:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:58, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2012/02/08 10:24:58, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2012/02/08 10:24:58, 3] smbd/process.c:process_smb(1068)
  Transaction 1 of length 1448
[2012/02/08 10:24:58, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2339) conn 0x0
[2012/02/08 10:24:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:58, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1217
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [Poste-16XXX$@XXXX.INTRA]
[2012/02/08 10:24:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXXINTRA\Poste-16XXX$ is invalid on this system
[2012/02/08 10:24:58, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:58, 3] smbd/process.c:process_smb(1068)
  Transaction 2 of length 1936
[2012/02/08 10:24:58, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 2339) conn 0x0
[2012/02/08 10:24:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2012/02/08 10:24:58, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1705
[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [NLEXXXXXXX@XXXX.INTRA]
[2012/02/08 10:24:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username XXXXINTRA\NLEXXXXXX is invalid on this system
[2012/02/08 10:24:58, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/02/08 10:24:58, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2012/02/08 10:24:58, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:24:58, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2012/02/08 10:24:58, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)
[2012/02/08 10:25:00, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2012/02/08 10:25:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/02/08 10:25:00, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2012/02/08 10:25:00, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)

J'ai donc en particulier l'erreur suivante :

[2012/02/08 10:24:58, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [NLEXXXXXX@XXXX.INTRA]
[2012/02/08 10:24:58, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username XXXXINTRA\NLEXXXXXX is invalid on this system

Le log m'indique donc que mon samba ne peut pas m'autoriser (NLEXXXXXX) à me connecter car il ne me connait pas. Est-ce Winbind qui ne fait pas correctement son boulot en ne m'attribuant pas d'uid/gid sur le serveur Samba ? Dans ce cas, pourquoi le ferait-il pour certains utilisateurs et pas pour d'autres ?

Merci.

Edit 7 : J'ai réussi à corriger le point indiqué en Edit 5. Je n'avais pas supprimé tous les fichiers de cache d'où mon erreur. Liste des fichiers :

/etc/samba/passdb.tdb
/etc/samba/secrets.tdb
/var/cache/samba/winbindd_cache.tdb
/var/cache/samba/winbindd_idmap.tdb

**tck-lt** · 08/02/2012, 15h34

Le point 7 a résolu la partie mappage de mon problème.

Le dernier point qui me manquait était que je voulais à tout prix utiliser \ comme séparateur winbind (winbind separator). J'ai modifié en choisissant le +, modifié mes valid users en conséquence et miracle, ça fonctionne.

Il est à ntoer qu'entretemps j'ai également modifié mon fichier /etc/pam.d/samba de la sorte :

auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_winbind.so
account required /lib/security/pam_winbind.so
account required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_mkhomedir.so skel=/etc/samba/skel umask=0022

J'espère que mon expérience servira à quelqu'un d'autre car j'en ai ch... mais c'est le moment où l'on réussit qui est le plus jouissif !

[Samba/AD] Authentification refusée

Administration système

Vue hybride

Discussions similaires

Partager

Partager