Problem:
Your shares are located on a UCS memberserver, your share access was fine and next day you cannot access them anymore.
Investigation:
The check on the commandline shows:
:~# kinit <username>
:~# smbclient -k //$(hostname -f)/<Sharename> -U <username>
Enter SCHEIN\<username>'s password:
Try "help" to get a list of possible commands.
smb: \>; dir
NT_STATUS_ACCESS_DENIED listing \*
You should check:
- the acls via getfacl
getfacl /data/
getfacl: Entferne führende '/' von absoluten Pfadnamen
# file: data
# owner: cscheini
# group: admins
# flags: -s-
user::rwx
group::rwx
other::---
- the wbinfo check is very important, and should work:
wbinfo -a <username>%<password> oder wbinfo -a WINDOWSDOMAIN+<username>
wbinfo -u |grep -i <username>
wbinfo -n <username>
wbinfo -S <result of wbinfo -n >
wbinfo -U <result of wbinfo -S>
wbinfo -s <result of wbinfo -U >
But you get this errors:
:~# wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2258265772-2118630786-446722657-500 to uid
and using the uid shows the same:
:~# wbinfo -U 2002
failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert uid 2002 to sid
-
net rpc testjoin
Join to 'SCHEIN' is OK
net cache flush
systemctl restart winbind.service
So we can see, winbind has a problem here, converting SID to UID.
Investigation by digging deep down:
- Deep, but not deep enough:
Activate logging in backgroud, this helps, because you can see the entire winbind comunication in order of appearance.
tail -f /var/log/samba/log.w* &
Raise winbind debuglevel on the fly and loose the cache:
smbcontrol winbindd debug 10
net cache flush
Execute the problematic command:
wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
==> /var/log/samba/log.winbindd-idmap <==
[2019/03/12 12:51:09.383683, 10, pid=23133, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap.c:525(idmap_find_domain)
idmap_find_domain called for domain 'SCHEIN'
[2019/03/12 12:51:09.383699, 10, pid=23133, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual_srv.c:168(_wbint_Sids2UnixIDs)
idmap domain SCHEIN: S-1-5-21-2258265772-2118630786-446722657-500 not found
Unfortunately this is not helping, because we do not see WHY
- deep in the pit
We will need the winbind startup with debug 10, so:
Stopping the daemon
/etc/init.d/winbindd stop
and starting it again on the commandline
/usr/sbin/winbindd -F -n -i -S > 2.log 2>&1 &
net cache flush
wbinfo -S S-1-5-21-2258265772-2118630786-446722657-500
[...]
idmap_init(): calling static_init_idmap
calling idmap_tdb_init
Successfully added idmap backend 'tdb'
Successfully added idmap backend 'passdb'
Successfully added idmap backend 'nss'
idmap backend ldap not found
load_module_absolute_path: Probing module '/usr/lib/x86_64-linux-gnu/samba/idmap/ldap.so'
load_module_absolute_path: Module '/usr/lib/x86_64-linux-gnu/samba/idmap/ldap.so' loaded
Successfully added idmap backend 'ldap'
smbldap_search_ext: base => [cn=idmap,cn=univention,dc=schein,dc=ig], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://master.schein.ig:7389
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://master.schein.ig:7389 as "cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig"
failed to bind to server ldap://master.schein.ig:7389 with dn="cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig" Error: Invalid credentials
(unknown)
Connection to LDAP server failed for the 1 try!
Solution:
failed to bind to server ldap://master.schein.ig:7389 with dn=“cn=member,cn=memberserver,cn=computers,dc=schein,dc=ig” Error: Invalid credentials
Maybe something went wrong within server-password-change. So we need to reset the machine.secret of the memberserver accouont.
ucr get samba/user/pwdfile
smbpasswd -w "$(cat /etc/machine.secret)"
net idmap set secret '*' "$(cat /etc/machine.secret)"
net cache flush