Samba authentication broken


#1

Hi all,

It’s been quite a long time since I’ve been here and I’m looking for some help (again…)

For 2 days now my users have not been able to access SMB shares. It’s like I cannot log my user in.

/var/log/samba/log.smbd

[2016/11/22 14:54:19.865577,  0, pid=8931] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:19.866720,  1, pid=8931] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <DOMAIN>+<USERNAME> [smb/4289698136]
[2016/11/22 14:54:19.866745,  1, pid=8931] ../source3/smbd/smb2_sesssetup.c:462(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=4289698136
[2016/11/22 14:54:20.910945,  0, pid=8938] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:20.912004,  1, pid=8938] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <DOMAIN>+<USERNAME> [smb/3727794745]
[2016/11/22 14:54:20.912028,  1, pid=8938] ../source3/smbd/smb2_sesssetup.c:462(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=3727794745
[2016/11/22 14:54:21.840054,  0, pid=8945] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:21.841127,  1, pid=8945] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <DOMAIN>+<USERNAME> [smb/2691592045]
[2016/11/22 14:54:21.841151,  1, pid=8945] ../source3/smbd/smb2_sesssetup.c:462(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=2691592045
[2016/11/22 14:54:22.712135,  0, pid=8952] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:22.713218,  1, pid=8952] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for <DOMAIN>+<USERNAME> [smb/1386718137]
[2016/11/22 14:54:22.713242,  1, pid=8952] ../source3/smbd/sesssetup.c:379(reply_sesssetup_and_X_spnego)
  smb1: Failed to claim session for vuid=51641

/var/log/samba/log.nmbd

[2016/11/22 14:54:13.064088,  0, pid=2953] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
  query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.115 for name SISTEER<1d>.
  This response was from IP 172.16.43.8, reporting an IP address of 172.16.43.8.
[2016/11/22 14:59:13.396160,  0, pid=2953] ../source3/nmbd/nmbd_namequery.c:109(query_name_response)
  query_name_response: Multiple (2) responses received for a query on subnet 192.168.0.115 for name SISTEER<1d>.
  This response was from IP 172.16.43.8, reporting an IP address of 172.16.43.8.

The log.samba doesn’t output anything for this time period

If I try su -

It answers

su : System Error

My users cannot access SMB shares, printers, etc…

Rgds,

Valentin


#2

Can you post a relevant part of /var/log/auth.log?

Show me please:

univention-ldapsearch uid=username
getent passwd username

Kind Regards,
Jens Thorp-Hansen


#3

Hi, thanks for the quick response

univention-ldapsearch uid=sthomas

Outputs the user Object

# extended LDIF
#
# LDAPv3
# base <dc=sisteer,dc=intra> (default) with scope subtree
# filter: uid=sthomas
# requesting: ALL
#

# sthomas, users, sisteer.intra
dn: uid=sthomas,cn=users,dc=sisteer,dc=intra
uid: sthomas
krb5PrincipalName: sthomas@SISTEER.INTRA
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionSAMLEnabled
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
objectClass: univentionObject
uidNumber: 2025
sambaAcctFlags: [U          ]
sambaPasswordHistory: AF8DC045688FC343650ACCA144755A962C0930FF9BAB6CDCC4F0E303
 41CDFA26
krb5MaxLife: 86400
cn: Samuel THOMAS
title: Mr
sambaMungedDial: bQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkA
 AEAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAFABoACA
 ABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGw
 AYQBnAHMAMQAwMDAwMDEwMA==
krb5MaxRenew: 604800
mail: sthomas@sisteer.com
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
displayName: Samuel THOMAS
sambaHomePath: \mlk-srv-ucs01homesthomas
o: SISTEER
gecos: Samuel THOMAS
sn: THOMAS
pwhistory: $6$rruYGdPEWUUPR0UE$aVSgcDH/Z9d9j8j7hlVvoyl.rOyyx6NHr5fXs1JC8rW88Za
 vYasYGslMftj1Yf2GLwBAop4haAyRjWY6BrEmn0
homeDirectory: /home/sthomas
givenName: Samuel
automountInformation: -rw mlk-srv-ucs01.sisteer.intra:/opt/datas/home/sthomas
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-2395090404-1791430051-851640552-513
sambaSID: S-1-5-21-2395090404-1791430051-851640552-1129
sambaNTPassword: 399DE23C6F1A866D24E6523F77118CAC
krb5KeyVersionNumber: 3
userPassword:: e0s1S0VZfQ==
shadowLastChange: 17127
sambaPwdLastSet: 1479822824

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

getent passwd sthomas
sthomas:x:2025:5001:Samuel THOMAS:/home/sthomas:/bin/bash

You asked for [quote]A relevant part of /var/log/auth.log[/quote]

Could you clarify your request, please?

Rgds,

Valentin


#4

Can you check the following:

sambaHomePath: mlk-srv-ucs01homesthomas

Is that a typo or just misleading output?

homeDirectory: /home/sthomas

Is the home reachable?

automountInformation: -rw mlk-srv-ucs01.sisteer.intra:/opt/datas/home/sthomas

It seems that this should not work. Can you take a user with the mentioned problem, remove this attribute, and check whether the user can work again?

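[code]# Load the UCR variables (including $ldap_base) into the current shell
eval "$(ucr shell)"

# Replace <username> with the uid of the affected user
ldapmodify -x -D "cn=admin,$ldap_base" -y /etc/ldap.secret <<EOT
dn: uid=<username>,cn=users,$ldap_base
changetype: modify
delete: automountInformation
EOT[/code]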


#5

Hi Thorp

It appears that a misconfiguration moved my home directories after the update.

Thanks for everything,

Valentin
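
The log.smbd excerpt in post #1 records each event as a header line followed by an indented message, and it reports the failure at the PAM session stage. As an added example (not code from any poster, Samba or Univention), this Python script pairs each `pam_session rejected` line with the PAM error logged by the same smbd pid; the sample log and the user names in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the log.smbd layout shown in post #1 (domain and users are made up)
SAMPLE_LOG = """\
[2016/11/22 14:54:19.865577,  0, pid=8931] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:19.866720,  1, pid=8931] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for EXAMPLE+alice [smb/4289698136]
[2016/11/22 14:54:19.866745,  1, pid=8931] ../source3/smbd/smb2_sesssetup.c:462(smbd_smb2_auth_generic_return)
  smb2: Failed to claim session for vuid=4289698136
[2016/11/22 14:54:22.712135,  0, pid=8952] ../source3/auth/pampass.c:89(smb_pam_error_handler)
  smb_pam_error_handler: PAM: session setup failed : System error
[2016/11/22 14:54:22.713218,  1, pid=8952] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for EXAMPLE+bob [smb/1386718137]
[2016/11/22 14:54:23.000000,  1, pid=8960] ../source3/smbd/session.c:70(session_claim)
  pam_session rejected the session for EXAMPLE+carol [smb/1]
"""

HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+), pid=(?P<pid>\d+)\] \S+\((?P<func>\w+)\)$")
PAM_ERR = re.compile(r"PAM: session setup failed : (?P<reason>.+)$")
REJECT = re.compile(r"pam_session rejected the session for (?P<user>\S+) \[")

def parse_records(text):
    """Yield (header_fields, message) for each header line plus its indented lines."""
    current, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current, " ".join(body)
            current, body = m.groupdict(), []
        elif current and line.startswith(" "):
            body.append(line.strip())
    if current:
        yield current, " ".join(body)

def pam_session_rejections(text):
    """Return {user: [(timestamp, pam_reason), ...]}, matched on the smbd pid."""
    last_reason = {}  # pid -> most recent PAM session error text
    out = defaultdict(list)
    for hdr, msg in parse_records(text):
        err, rej = PAM_ERR.search(msg), REJECT.search(msg)
        if err:
            last_reason[hdr["pid"]] = err.group("reason")
        elif rej:
            reason = last_reason.pop(hdr["pid"], "unknown")
            out[rej.group("user")].append((hdr["ts"], reason))
    return dict(out)
```

A rejection with no preceding PAM error from the same pid is reported with the reason `unknown` rather than being dropped.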