Looks like Samba 4.9 became a bit more strict about creating a local NT token and a failure to resolve or create BUILTIN\Guests group will cause a rejection of the connection for a successfully authenticated one.
```
[2018/09/19 09:37:45.374839,  4, pid=5319, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2018/09/19 09:37:45.374849,  4, pid=5319, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:527(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2018/09/19 09:37:45.374858,  4, pid=5319, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/09/19 09:37:45.374867,  5, pid=5319, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2018/09/19 09:37:45.374876,  5, pid=5319, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:850(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2018/09/19 09:37:45.374897,  5, pid=5319, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [dc=example,dc=test], filter => [(&(ipaNTSecurityIdentifier=S-1-5-32-546)(|(objectClass=ipaNTGroupAttrs)(objectClass=ipaNTUserAttrs)))], scope => [2]
[2018/09/19 09:37:45.374912, 11, pid=5319, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1126(smbldap_open)
  smbldap_open: already connected to the LDAP server
[2018/09/19 09:37:45.375434, 10, pid=5319, effective(0, 0), real(0, 0)] ipa_sam.c:809(ldapsam_sid_to_id)
  Got 0 entries, expected one
[2018/09/19 09:37:45.375612, 10, pid=5319, effective(0, 0), real(0, 0)] ../source3/groupdb/mapping.c:814(pdb_create_builtin_alias)
  Trying to create builtin alias 546
[2018/09/19 09:37:45.375629, 10, pid=5319, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1061(lookup_sid)
  lookup_sid called for SID 'S-1-5-32-546'
[2018/09/19 09:37:45.375643, 10, pid=5319, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:813(check_dom_sid_to_level)
  Accepting SID S-1-5-32 in level 1
[2018/09/19 09:37:45.375653, 10, pid=5319, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:574(lookup_rids)
  lookup_rids called for domain sid 'S-1-5-32'
[2018/09/19 09:37:45.375665, 10, pid=5319, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1096(lookup_sid)
  Sid S-1-5-32-546 -> BUILTIN\Guests(4)
[2018/09/19 09:37:45.376009,  3, pid=5319, effective(0, 0), real(0, 0)] ../source3/groupdb/mapping.c:834(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not get a gid out of winbind
[2018/09/19 09:37:45.376020,  5, pid=5319, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_util.c:201(create_builtin_guests)
  create_builtin_guests: Failed to create Guests
[2018/09/19 09:37:45.376036,  4, pid=5319, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/09/19 09:37:45.376046,  2, pid=5319, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
[2018/09/19 09:37:45.376062,  3, pid=5319, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2018/09/19 09:37:45.376074, 10, pid=5319, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:274(make_session_info_krb5)
  failed to create local token: NT_STATUS_ACCESS_DENIED
[2018/09/19 09:37:45.376083,  1, pid=5319, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_ACCESS_DENIED)
```
Adding a default mapping of the nobody group to BUILTIN\Guests solves the problem for me.
```
# net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
Successfully added group nobody to the mapping db as a wellknown group
# echo Secret123 | ipa trust-add ipaad2016.test --admin Administrator --range-type=ipa-ad-trust --password --two-way=True
-------------------------------------------------------
Added Active Directory trust for realm "ipaad2016.test"
-------------------------------------------------------
  Realm name: ipaad2016.test
  Domain NetBIOS name: IPAAD2016
  Domain Security Identifier: S-1-5-21-813110839-3732285123-1597101681
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified
```
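A pre-flight check for the workaround above, added here as an example and not code from the ticket or from FreeIPA: it inspects `net groupmap list` for a BUILTIN\Guests (S-1-5-32-546) mapping and only runs `net groupmap add` when none exists. It assumes the `Name (SID) -> unixgroup` line format of `net groupmap list`; the helper and sample names are the example's own.

```shell
#!/bin/sh
# Added example: make sure S-1-5-32-546 (BUILTIN\Guests) has a group mapping
# before Samba 4.9 refuses to finalize the local NT token without one.
GUESTS_SID="S-1-5-32-546"

# Return 0 when the given `net groupmap list` output (assumed format:
# "Name (SID) -> unixgroup") already contains a mapping for the Guests SID.
has_guests_mapping() {
    printf '%s\n' "$1" | grep -q "($GUESTS_SID)"
}

# Print the unix group the Guests SID is mapped to, or nothing if unmapped.
guests_unix_group() {
    printf '%s\n' "$1" | sed -n "s/.*($GUESTS_SID) -> //p"
}

# Idempotent fix: add the mapping only if it is missing. Optional $1 is the
# unix group to map (defaults to nobody, as in the ticket).
ensure_guests_mapping() {
    out=$(net groupmap list 2>/dev/null) || {
        echo "net groupmap list failed; is the passdb backend reachable?" >&2
        return 2
    }
    if has_guests_mapping "$out"; then
        echo "BUILTIN\\Guests already mapped to $(guests_unix_group "$out")"
        return 0
    fi
    net groupmap add sid="$GUESTS_SID" unixgroup="${1:-nobody}" type=builtin
}
```

Run `ensure_guests_mapping` as root on the IPA server; it exits non-zero if the mapping database cannot be listed, so it is safe to call from a pre-upgrade script.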
Metadata Update from @abbra: - Issue assigned to abbra
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.7
PR: https://github.com/freeipa/freeipa/pull/2373
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1623895
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1623895, https://bugzilla.redhat.com/show_bug.cgi?id=1623895 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1623895)
Issue linked to Bugzilla: Bug 1623895
master:
ipa-4-7:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-6:
One more PR for ipa-4-6 backport: https://github.com/freeipa/freeipa/pull/2988
Metadata Update from @abbra: - Issue set to the milestone: None (was: FreeIPA 4.7)