Linux – Samba login failure: getpwuid failed

I cannot access a remote drive using Windows or smbclient; my authentication appears successful according to the Samba log file, but getpwuid fails. The server (remote) is running CentOS 7.2 and Samba 4.2.3. The client is CentOS 7.2 and smbclient 4.2.3. The log file shows:

[2017/05/06 22:57:48.729284,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [developer_prod] -> [developer_prod] -> [developer_prod] succeeded
[2017/05/06 22:57:48.731091,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-4007675785-2624567327-467545301-1000 -> getpwuid(16777216) failed
[2017/05/06 22:57:48.731164,  1] ../source3/smbd/sesssetup.c:280(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL

Strangely, the SID corresponds to a local user:

# wbinfo -s S-1-5-21-4007675785-2624567327-467545301-1000         
NY4010\developer_prod 1

(ny4010 is my Samba server machine), even though on the client I am logging in using a domain user:

$ smbclient -U 'my_domain\developer_prod' \\\\ny4010\\release 'password'
session setup failed: NT_STATUS_UNSUCCESSFUL

Here is my smb.conf file:

[global]
   workgroup = MYDOMAIN
   password server = my_domain_server.mydomain.local
   realm = MYDOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template homedir = /home/%U
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false
   log level = 2
   encrypt passwords = yes
       unix extensions = no
        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        max log size = 50
        security = ads
        passdb backend = tdbsam
        realm = MYDOMAIN.LOCAL
        password server = my_domain_server.mydomain.local
        local master = no
[homes]
        comment = Home Directories
        browseable = no
        writable = yes
[release]
       comment = Shared directory: /prod
       path = /prod
       browseable = yes
       read only = no
       valid users = developer_prod
       guest ok = yes
       public = yes
       follow symlinks = yes
       wide links = yes
       force user = developer_prod
[log]
       comment = Shared directory: /prod/log
       path = /prod/log
       browseable = yes
       read only = yes
       guest ok = yes
       public = yes

My nsswitch.conf file looks like:
passwd: files winbind

I think the smoking gun here is that a local user's SID is showing up in that getpwuid failed line…

Best Answer

For us, everything was working until Samba version 4.8.3 on CentOS 7; it broke with the Samba update samba-4.9.1-6.el7.x86_64.

I was getting this error:

[2019/10/04 11:28:52.458451, 2] ../source3/auth/auth.c:316(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [singh] -> [singh] -> [singh] succeeded
[2019/10/04 11:28:52.458736, 1] ../source3/auth/token_util.c:561(add_local_groups)
  SID S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxxx-16811 -> getpwuid(50000) failed

So, after hours of troubleshooting, adding winbind instead of sss to "/etc/nsswitch.conf" worked.

passwd:     files winbind
shadow:     files
group:      files winbind

I also added these new options to smb.conf:

idmap config *:backend = tdb
idmap config *:range = 1000-9999
## map IDs from the domain; the ranges may not overlap!
idmap config LIBRARY : backend = rid
idmap config LIBRARY : range = 10000-999999
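
The checks implied by the answer above, as an added example (not code from either poster or from the Samba project): it parses the idmap config ranges from smb.conf text, flags overlapping ranges, checks that winbind is listed for passwd and group in nsswitch.conf, and reports which idmap range each UID in a "getpwuid(N) failed" log line falls into. The sample inputs are constructed from the snippets in this thread, with nsswitch.conf shown in its pre-fix state (sss), and all function names are hypothetical.

```python
import re

# Constructed samples modelled on the snippets in this thread.
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 1000-9999
idmap config LIBRARY : backend = rid
idmap config LIBRARY : range = 10000-999999
"""
NSSWITCH = "passwd:     files sss\nshadow:     files\ngroup:      files sss\n"
LOG = "  SID S-1-5-21-x-x-x-16811 -> getpwuid(50000) failed\n"

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    pat = re.compile(
        r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.M | re.I)
    return {d: (int(lo), int(hi)) for d, lo, hi in pat.findall(conf)}

def overlaps(ranges):
    """Pairs of domains whose ID ranges intersect (the ranges must be disjoint)."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if rb[0] <= ra[1]]

def nss_sources(nsswitch, db):
    """Sources listed for one NSS database, e.g. ['files', 'winbind']."""
    m = re.search(rf"^{db}:[ \t]*(.*)$", nsswitch, re.M)
    return m.group(1).split("#")[0].split() if m else []

def diagnose(conf, nsswitch, log):
    """Return a list of human-readable findings for the three inputs."""
    findings = []
    ranges = idmap_ranges(conf)
    for a, b in overlaps(ranges):
        findings.append(f"idmap ranges overlap: {a} and {b}")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"{db}: winbind missing from nsswitch.conf")
    for uid in map(int, re.findall(r"getpwuid\((\d+)\) failed", log)):
        owner = [d for d, (lo, hi) in ranges.items() if lo <= uid <= hi]
        findings.append(
            f"uid {uid} lies in idmap range of {owner[0] if owner else 'NONE'}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SMB_CONF, NSSWITCH, LOG)))
```

A UID that lies inside a winbind idmap range while winbind is absent from the passwd line matches the situation the answer describes fixing.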