[Samba] samba member, NT_STATUS_LOGON_FAILURE

Norberto Bensa nbensa+samba at gmail.com
Sun Oct 4 16:43:43 UTC 2015


Hello,

I've followed two or three articles on how to configure samba 4 as a
member server. One of these articles is from the samba wiki:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

The server joins, but it cannot authenticate users. I don't care about
nss, winbind, etc. unless it is REALLY necessary. All I want is to use
this server as a file server for workstations while the AD server
(also running on samba) acts as an authentication server only.

On the client:

$ smbclient -L //samba -U zoolook

where samba is the ad server and zoolook is a domain user. This works.

$ smbclient -L //servidor -U zoolook

where servidor is the file server. This doesn't work and gives
NT_STATUS_LOGON_FAILURE


I've increased the log level:

$ smbclient -d 3 -L //servidor -U zoolook
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
Client started (version 4.3.0).
Enter zoolook's password:
tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name servidor<0x20>
Connecting to 10.0.3.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE


In the ad server I ran /usr/local/samba/sbin/samba in interactive mode
with -d3 and I get:

schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVIDOR
auth_check_password_send: Checking password for unmapped user [ENEABE]\[zoolook]@[\\SERVIDOR]
auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]


Windows machines also joined and authenticate against the ad server
(samba) but cannot access the file server (servidor).

Samba is 4.3.0 in both ad and member servers. Self compiled using
instructions from the wiki.


This is the smb.conf of the file server (member server):

[global]
  netbios name = SERVIDOR
  workgroup = ENEABE
  security = ADS
  realm = ENEABE.COM.AR
  encrypt passwords = yes

  idmap config *:backend = tdb
  idmap config *:range = 70001-80000
  idmap config ENEABE:backend = ad
  idmap config ENEABE:schema_mode = rfc2307
  idmap config ENEABE:range = 3000000-4000000

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes



BTW, anonymous logins work:

$ smbclient -L //servidor -U%
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Samba 4.3.0)
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]

Server               Comment
---------            -------

Workgroup            Master
---------            -------


What am I doing wrong?

Thanks!
Norberto


