[Samba] samba member, NT_STATUS_LOGON_FAILURE
Norberto Bensa
nbensa+samba at gmail.com
Sun Oct 4 16:43:43 UTC 2015
Hello,
I've followed two or three articles on how to configure samba 4 as a
member server. One of these articles is from the samba wiki:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
The server joins, but it cannot authenticate users. I don't care about
nss, winbind, etc. unless it is REALLY necessary. All I want is to use
this server as a file server for workstations while the AD server
(also running on samba) acts as an authentication server only.
On the client:
$ smbclient -L //samba -U zoolook
where samba is the ad server and zoolook is a domain user. This works.
$ smbclient -L //servidor -U zoolook
where servidor is the file server. This doesn't work and gives
NT_STATUS_LOGON_FAILURE
I've increased log level
$ smbclient -d 3 -L //servidor -U zoolook
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
Client started (version 4.3.0).
Enter zoolook's password:
tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name servidor<0x20>
Connecting to 10.0.3.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
In the ad server I ran /usr/local/samba/sbin/samba in interactive mode
with -d3 and I get:
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVIDOR
auth_check_password_send: Checking password for unmapped user [ENEABE]\[zoolook]@[\\SERVIDOR]
auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
Windows machines also joined and authenticate against the ad server
(samba) but cannot access the file server (servidor).
Samba is 4.3.0 in both ad and member servers. Self compiled using
instructions from the wiki.
This is the smb.conf of the file server (member server):
[global]
netbios name = SERVIDOR
workgroup = ENEABE
security = ADS
realm = ENEABE.COM.AR
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ENEABE:backend = ad
idmap config ENEABE:schema_mode = rfc2307
idmap config ENEABE:range = 3000000-4000000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
BTW, anonymous logins work:
$ smbclient -L //servidor -U%
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.3.0)
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
What am I doing wrong?
Thanks!
Norberto