[Samba] Mounting Linux Samba Shares on Windows when Active Directory Server is down

Jeremy Allison jra at samba.org
Mon Oct 28 12:29:21 MDT 2013 

On Sat, Oct 26, 2013 at 05:42:31PM -0400, Andy Liebman wrote:
> Jeremy Alison wrote:
> 
> >>  [2013/10/26 11:12:29.712417,  2]
> auth/auth.c:319(check_ntlm_password)
> >>  check_ntlm_password:  Authentication for user [andyl]
> >>  [andyl]> FAILED with error NT_STATUS_NO_LOGON_SERVERS
> >>  [2013/10/26 11:12:29.712475,  3] smbd/error.c:81(error_packet_set)
> >>  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> >>  NT_STATUS_NO_LOGON_SERVERS
> >>  [2013/10/26 11:12:42.348928,  1]
> smbd/process.c:457(receive_smb_talloc)
> >>  receive_smb_raw_talloc failed for client 172.16.3.129 read
> >>error
> => NT_STATUS_CONNECTION_RESET.>
> 
> > You need to be using kerberos.ntlm needs access to a
> >authentication
> server to check access,
> > kerberos doesn't (the authentication info is already embedded in
> >the
> ticket).
> >
> > Jeremy.
> 
> What do you mean by "I need to be using?' Where?  Have I
> misconfigured something wrong on the Linux side or on the Windows
> side, and if so, what? On the Linux side, it looks like kerberos is
> working.   At the Microsoft support site:
> 
> http://support.microsoft.com/kb/555092
> 
> ... there are instructions for how to verify that kerberos is
> working on Linux.
> 
> 1.  Type in command prompt:  kinit some_active_directory_user.
> When I do that, I get prompted for a password, and my password seems
> to be accepted.  I get a return command prompt. I'm assuming this
> means "it works".
> 
> 2.  type:  klist
> I get back info about what is in the "ticket cache".  I see there is
> a ticket for "andyl" and information about when it is valid and when
> it expires.  I assume this means it works.
> 
> So does this mean Windows 7 is configured wrong?  Thanks again for
> your input.

How are your Win7 boxes connecting to Samba ? Are you
specifying name or IP address. If you're connecting
by IP address then the Windows boxes will use NTLMSSP,
only if you use a name that the Windows client can
look up to use to get a krb5 ticket will it use kerberos.

The support info you are looking at are to do with
setting up kerberos as a *client* on Linux to AD.
That's not what you're doing, you want to see the
Win7 client do these lookups instead to get krb5
tickets for the Samba server.

Jeremy.

More information about the samba mailing list