
SMB shares prompting for a password after some time



Hello,

Currently trialing Unraid and am hitting a problem with SMB shares in a domain setup. Unraid is domain joined and everything works well - I've set up privs on shares through Windows such that my normal account I log on to the computer with can access them. However, I find that frequently I come back to them after some period of time and I am prompted to enter a username/password to access the shares but this does not work. I've upped the logging in smb.conf to 3 and get the following when trying to access shares:

Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246495,  1] ../../lib/param/loadparm.c:1837(lpcfg_do_global_parameter)
Aug 10 22:50:40 unraid-server smbd[60301]:   WARNING: The "encrypt passwords" option is deprecated
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246530,  1] ../../lib/param/loadparm.c:1837(lpcfg_do_global_parameter)
Aug 10 22:50:40 unraid-server smbd[60301]:   WARNING: The "null passwords" option is deprecated
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246664,  1] ../../lib/param/loadparm.c:1837(lpcfg_do_global_parameter)
Aug 10 22:50:40 unraid-server smbd[60301]:   WARNING: The "syslog" option is deprecated
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246707,  1] ../../lib/param/loadparm.c:1837(lpcfg_do_global_parameter)
Aug 10 22:50:40 unraid-server smbd[60301]:   WARNING: The "syslog only" option is deprecated
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246802,  1] ../../lib/param/loadparm.c:1837(lpcfg_do_global_parameter)
Aug 10 22:50:40 unraid-server smbd[60301]:   WARNING: The "allocation roundup size" option is deprecated
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246874,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Backups]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246930,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Downloads]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.246986,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Home Videos]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247048,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Movies]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247106,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Pictures]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247165,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Scanned Documents]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247222,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Software]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247279,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[TV Series]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247359,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[Videos]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.247418,  2] ../../source3/param/loadparm.c:2800(lp_do_section)
Aug 10 22:50:40 unraid-server smbd[60301]:   Processing section "[eBooks]"
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.248618,  0] ../../source3/auth/token_util.c:565(add_local_groups)
Aug 10 22:50:40 unraid-server smbd[60301]:   add_local_groups: SID S-1-5-21-118681608-2407770303-1789361243-1106 -> getpwuid(697828434) failed, is nsswitch configured?
Aug 10 22:50:40 unraid-server smbd[60301]: [2020/08/11 06:50:40.248645,  1] ../../source3/auth/auth_generic.c:173(auth3_generate_session_info_pac)
Aug 10 22:50:40 unraid-server smbd[60301]:   Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)

The SID on the 3rd to last line is the SID for my account. I've restarted my computer but no change. I've stopped and started the array but no change. If I enter a different set of credentials at the login prompt, then that does work.


SMB config:

root@unraid-server:~# cat /etc/samba/smb-names.conf
# Generated names
netbios name = unraid-server
server string = Media server
hide dot files = yes
multicast dns register = No
disable netbios = yes
server min protocol = SMB2
security = ADS
workgroup = ad
realm = ad.xxxx.xx
encrypt passwords = Yes
null passwords = Yes
idmap config * : backend = hash
idmap config * : range = 10000-4000000000
winbind use default domain = Yes
ldap ssl = No
nt acl support = Yes
acl map full control = Yes
acl group control = Yes
inherit acls = Yes
inherit permissions = Yes
map acl inherit = Yes
dos filemode = Yes
store dos attributes = Yes
map archive = No
map hidden = No
map system = No
map readonly = No


Link to comment

You should probably read this thread starting with this post for a few pages:

      https://forums.unraid.net/topic/25064-user-share-problem/?tab=comments#comment-228392

I am not sure if this is part of your problem or not....

If you have set your shares as secure or Public, there is also the issue that SMB allows only one 'user' from each computer to log into SMB at a time.  You have to make sure that you always log in as a registered user rather than as a Public 'Guest' User. Unfortunately, logging in as a Public Guest User often happens in the background when you first access a Public or Secure share.

You mentioned Domains.  May we assume that you have a MS Domain master somewhere on your network?  (The last I heard, Unraid can join an MS Domain but can't be the Domain Master.)

Link to comment

Thanks for the reply.


All shares are Secure, and as domain accounts will be used the issue of single user per SMB server only won't (shouldn't) affect me.


When you say domain master, are you talking about an Active Directory domain controller? Unraid is a domain member now (computer account created).

Link to comment

I read the link above and don't believe it applies to me.

So the plot thickens... If I ssh to the server and run id stuart, it can't find my account. If I run id <any other account in AD>, it works fine:

root@unraid-server:~# id stuart
id: ‘stuart’: no such user
root@unraid-server:~# id stuart.admin
uid=697828445(stuart.admin) gid=697827841(domain users) groups=697827841(domain users),697827840(domain admins) <blah>


So I am leaning towards the issue being limited to my account. Not sure if it's relevant, but I had tried creating an account within the Unraid webUI with the username stuart, although this always failed - having learnt a bit more, I'm thinking this is because you can't have a user in both AD and passwd with the same username? I'm also thinking if this is potentially where the problem is - maybe there is some artifact of that local account creation lying around somewhere. passwd and shadow appear to be clear though:

root@unraid-server:~# grep stuart /etc/passwd
root@unraid-server:~# grep stuart /etc/shadow
root@unraid-server:~# grep stuart /etc/group
root@unraid-server:~#


Link to comment

I've dialed the logging up to 10 in smb.conf and grabbed a copy of syslog after trying to access a share. I'm not that conversant with SMB as a protocol but it appears that I do log in successfully, although the wheels come off after samba has read the smb-shares.conf file - winbindd appears to try and convert a SID to a username, but it's using a SID I don't recognise (S-1-5-21-3082517578-424073282-931750821-1000 rather than S-1-5-21-118681608-2407770303-1789361243-1106 - line 1508 in the attached log).

syslog_fail1.txt

Link to comment

There she blows:

root@unraid-server:/# pdbedit -L
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
doing parameter syslog = 10
WARNING: The "syslog" option is deprecated
doing parameter syslog only = Yes
WARNING: The "syslog only" option is deprecated
doing parameter show add printer wizard = No
doing parameter disable spoolss = Yes
doing parameter load printers = No
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter invalid users = root
doing parameter unix extensions = No
doing parameter wide links = Yes
doing parameter use sendfile = Yes
doing parameter aio read size = 0
doing parameter aio write size = 4096
doing parameter allocation roundup size = 4096
WARNING: The "allocation roundup size" option is deprecated
doing parameter acl allow execute always = Yes
doing parameter ntlm auth = Yes
doing parameter include = /boot/config/smb-extra.conf
doing parameter include = /tmp/unassigned.devices/smb-settings.conf
doing parameter include = /etc/samba/smb-shares.conf
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="UNRAID-SERVER"
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
pdb_set_username: setting username stuart, was
pdb_set_domain: setting domain UNRAID-SERVER, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name Stuart, was
Home server: unraid-server
pdb_set_homedir: setting home dir \\unraid-server\stuart, was
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was
Home server: unraid-server
pdb_set_profile_path: setting profile path \\unraid-server\stuart\profile, was
pdb_set_workstations: setting workstations , was
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1000
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-3082517578-424073282-931750821-1000 from rid 1000
pdb_set_username: setting username stuart, was
pdb_set_domain: setting domain UNRAID-SERVER, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name Stuart, was
Home server: unraid-server
pdb_set_homedir: setting home dir \\unraid-server\stuart, was
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was
Home server: unraid-server
pdb_set_profile_path: setting profile path \\unraid-server\stuart\profile, was
pdb_set_workstations: setting workstations , was
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1000
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-3082517578-424073282-931750821-1000 from rid 1000
Finding user stuart
Trying _Get_Pwnam(), username as lowercase is stuart
Get_Pwnam_internals did find user [stuart]!
stuart:697828434:Stuart

And then it's gone:

root@unraid-server:/# pdbedit -x -u stuart
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
doing parameter syslog = 10
WARNING: The "syslog" option is deprecated
doing parameter syslog only = Yes
WARNING: The "syslog only" option is deprecated
doing parameter show add printer wizard = No
doing parameter disable spoolss = Yes
doing parameter load printers = No
doing parameter printing = bsd
doing parameter printcap name = /dev/null
doing parameter invalid users = root
doing parameter unix extensions = No
doing parameter wide links = Yes
doing parameter use sendfile = Yes
doing parameter aio read size = 0
doing parameter aio write size = 4096
doing parameter allocation roundup size = 4096
WARNING: The "allocation roundup size" option is deprecated
doing parameter acl allow execute always = Yes
doing parameter ntlm auth = Yes
doing parameter include = /boot/config/smb-extra.conf
doing parameter include = /tmp/unassigned.devices/smb-settings.conf
doing parameter include = /etc/samba/smb-shares.conf
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="UNRAID-SERVER"
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to find a passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
pdb_set_username: setting username stuart, was
pdb_set_domain: setting domain UNRAID-SERVER, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name Stuart, was
Home server: unraid-server
pdb_set_homedir: setting home dir \\unraid-server\stuart, was
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was
Home server: unraid-server
pdb_set_profile_path: setting profile path \\unraid-server\stuart\profile, was
pdb_set_workstations: setting workstations , was
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1000
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-3082517578-424073282-931750821-1000 from rid 1000
account_policy_get: name: maximum password age, val: -1
Finding user stuart
Trying _Get_Pwnam(), username as lowercase is stuart
Get_Pwnam_internals did find user [stuart]!
Opening cache file at /var/cache/samba/gencache.tdb
xid_to_sid: GID 697827841 -> S-1-5-21-118681608-2407770303-1789361243-513 from cache
Forcing Primary Group to 'Domain Users' for stuart
account_policy_get: name: password history, val: 0
pdb_set_username: setting username stuart, was
pdb_set_domain: setting domain UNRAID-SERVER, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name Stuart, was
Home server: unraid-server
pdb_set_homedir: setting home dir \\unraid-server\stuart, was
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was
Home server: unraid-server
pdb_set_profile_path: setting profile path \\unraid-server\stuart\profile, was
pdb_set_workstations: setting workstations , was
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1000
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-3082517578-424073282-931750821-1000 from rid 1000
pdb_set_group_sid: setting group sid S-1-5-21-3082517578-424073282-931750821-513
dbwrap_lock_order_lock: check lock order 1 for /var/lib/samba/private/passdb.tdb
lock order:  1:/var/lib/samba/private/passdb.tdb 2:<none> 3:<none>
dbwrap_lock_order_unlock: release lock order 1 for /var/lib/samba/private/passdb.tdb
dbwrap_lock_order_lock: check lock order 1 for /var/lib/samba/private/passdb.tdb
lock order:  1:/var/lib/samba/private/passdb.tdb 2:<none> 3:<none>
dbwrap_lock_order_unlock: release lock order 1 for /var/lib/samba/private/passdb.tdb

Restart samba, make sure there are no SMB sessions, and delete all sessions on Windows and..... still doesn't work.... fault finding continues....

root@unraid-server:/# samba restart
Starting Samba:  /usr/sbin/smbd -D
                 /usr/sbin/wsdd
                 /usr/sbin/winbindd -D

root@unraid-server:/# smbstatus

Samba version 4.11.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------

No locked files
PS C:\Users\stuart> net use
New connections will be remembered.


Status       Local     Remote                    Network

-------------------------------------------------------------------------------
OK                     \\unraid-server\Movies    Microsoft Windows Network
The command completed successfully.

PS C:\Users\stuart> net use * /d
You have these remote connections:

                    \\unraid-server\Movies
Continuing will cancel the connections.

Do you want to continue this operation? (Y/N) [N]: y
The command completed successfully.


Link to comment
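The manual correlation made in the posts above can be scripted. This is an added example, not code from the thread or from Samba: it matches the uid that smbd failed to resolve against the `pdbedit -L` listing and flags any passdb entry holding that uid under a SID from a different domain. The sample input is constructed from the excerpts quoted in this thread; the `media` account and all function names are hypothetical.

```python
import re

# Constructed sample input, assembled from the excerpts quoted in this thread.
SMBD_LOG = """\
Aug 10 22:50:40 unraid-server smbd[60301]:   add_local_groups: SID S-1-5-21-118681608-2407770303-1789361243-1106 -> getpwuid(697828434) failed, is nsswitch configured?
Aug 10 22:50:40 unraid-server smbd[60301]:   Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
"""

# "media" is a hypothetical second account, added to show a non-matching entry.
PDBEDIT_OUT = """\
pdb_set_username: setting username stuart, was
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1000
pdb_set_username: setting username media, was
pdb_set_user_sid: setting user sid S-1-5-21-3082517578-424073282-931750821-1001
stuart:697828434:Stuart
media:1001:Media
"""

FAILED_LOOKUP = re.compile(r"add_local_groups: SID (S-[\d-]+) -> getpwuid\((\d+)\) failed")
SET_NAME = re.compile(r"pdb_set_username: setting username (\S+),")
SET_SID = re.compile(r"pdb_set_user_sid: setting user sid (S-[\d-]+)")
LISTING = re.compile(r"^([^:\s]+):(\d+):")  # pdbedit -L line: username:uid:full name


def domain_part(sid):
    """Return the SID without its trailing RID, i.e. the issuing domain."""
    return sid.rsplit("-", 1)[0]


def failed_lookups(log):
    """Map uid -> SID for every getpwuid() failure smbd logged."""
    return {int(uid): sid for sid, uid in FAILED_LOOKUP.findall(log)}


def local_accounts(out):
    """Map username -> (uid, sid) from pdbedit -L output at high debug level."""
    sids, uids, current = {}, {}, None
    for line in out.splitlines():
        if m := SET_NAME.search(line):
            current = m.group(1)
        elif (m := SET_SID.search(line)) and current:
            sids[current] = m.group(1)
        elif m := LISTING.match(line.strip()):
            uids[m.group(1)] = int(m.group(2))
    return {name: (uids[name], sids[name]) for name in uids if name in sids}


def find_sid_mismatches(log, out):
    """Flag passdb entries whose uid failed to resolve under another domain's SID."""
    failed = failed_lookups(log)
    findings = []
    for name, (uid, local_sid) in sorted(local_accounts(out).items()):
        failed_sid = failed.get(uid)
        if failed_sid and domain_part(failed_sid) != domain_part(local_sid):
            findings.append({"username": name, "uid": uid,
                             "passdb_sid": local_sid, "failed_sid": failed_sid})
    return findings


if __name__ == "__main__":
    for f in find_sid_mismatches(SMBD_LOG, PDBEDIT_OUT):
        print(f"{f['username']} (uid {f['uid']}): passdb has {f['passdb_sid']}, "
              f"smbd failed on {f['failed_sid']}")
```
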

While I have been involved with SMB since Workgroups for Windows days, I have never used an Active Domain account which means I also have zero experience with it.  The only things I know are what I have gleaned from the few users who have posted about their experiences on the forum.

However, I would not think that it would be a good practice (from a security standpoint) for an Administrator account to be able to access a user account.  (The issue is actually the reverse of what the last sentence implied.  User credentials should never be able to access an Administration account!)

Link to comment

It's still trying to look up that old SID:

Aug 11 10:20:39 unraid-server winbindd[4975]:   winbindd_getpwuid_send: [nss_winbind (8365)] getpwuid 697828434
Aug 11 10:20:39 unraid-server winbindd[4975]: [2020/08/11 18:20:39.219803,  1, pid=4975, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
Aug 11 10:20:39 unraid-server winbindd[4975]:        wbint_LookupSid: struct wbint_LookupSid
Aug 11 10:20:39 unraid-server winbindd[4975]:           in: struct wbint_LookupSid
Aug 11 10:20:39 unraid-server winbindd[4975]:               sid                      : *
Aug 11 10:20:39 unraid-server winbindd[4975]:                   sid                      : S-1-5-21-3082517578-424073282-931750821-1000

Which doesn't appear to exist:

root@unraid-server:/# wbinfo -s S-1-5-21-3082517578-424073282-931750821-1000
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-3082517578-424073282-931750821-1000

Not sure what service would need restarting or what cache needs flushing, so in the interests of speed and effort I think I will go full Windows on this problem and restart the Unraid server.

Link to comment

So that problem above has gone away, but now have another.

Aug 11 18:43:53 unraid-server smbd[5215]: [2020/08/11 18:43:53.857174,  2] ../../source3/auth/token_util.c:719(finalize_local_nt_token)
Aug 11 18:43:53 unraid-server smbd[5215]:   WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
Aug 11 18:43:53 unraid-server smbd[5215]: [2020/08/11 18:43:53.857380,  2] ../../source3/auth/token_util.c:739(finalize_local_nt_token)
Aug 11 18:43:53 unraid-server smbd[5215]:   WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?


Link to comment

Unjoined and rejoined the domain and it looks to be working for now. Will see if it's still working in a couple of days:

root@unraid-server:~# smbstatus

Samba version 4.11.4
PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing
----------------------------------------------------------------------------------------------------------------------------------------
35566   stuart       domain users 192.168.20.101 (ipv4:192.168.20.101:55358) SMB3_11           -                    partial(AES-128-CMAC)

Service      pid     Machine       Connected at                     Encryption   Signing
---------------------------------------------------------------------------------------------
IPC$         35566   192.168.20.101 Tue Aug 11 09:18:34 PM 2020 BST  -            -
Movies       35566   192.168.20.101 Tue Aug 11 09:18:39 PM 2020 BST  -            -
TV Series    35566   192.168.20.101 Tue Aug 11 09:18:34 PM 2020 BST  -            -


Link to comment
