[Samba] samba member, NT_STATUS_LOGON_FAILURE

Norberto Bensa nbensa+samba at gmail.com
Sun Oct 4 18:02:02 UTC 2015


Nope. Do I need to?

For now I only want to authenticate Windows boxes. *nix boxes later.

Thanks.

2015-10-04 14:11 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 04/10/15 17:43, Norberto Bensa wrote:
>>
>> Hello,
>>
>> I've followed two or three articles on how to configure samba 4 as a
>> member server. One of these articles is from the samba wiki:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> The server joins, but it cannot authenticate users. I don't care about
>> nss, winbind, etc. unless it is REALLY necessary. All I want is to use
>> this server as a file server for workstations while the AD server
>> (also running on samba) acts as an authentication server only.
>>
>> On the client:
>>
>> $ smbclient -L //samba -U zoolook
>>
>> where samba is the ad server and zoolook is a domain user. This works.
>>
>> $ smbclient -L //servidor -U zoolook
>>
>> where servidor is the file server. This doesn't work and gives
>> NT_STATUS_LOGON_FAILURE
>>
>>
>> I've increased log level
>>
>> $ smbclient -d 3 -L //servidor -U zoolook
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
>> Client started (version 4.3.0).
>> Enter zoolook's password:
>> tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not
>> open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
>> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>> resolve_hosts: Attempting host lookup for name servidor<0x20>
>> Connecting to 10.0.3.251 at port 445
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> In the ad server I ran /usr/local/samba/sbin/samba in interactive mode
>> with -d3 and I get:
>>
>> schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/SERVIDOR
>> auth_check_password_send: Checking password for unmapped user
>> [ENEABE]\[zoolook]@[\\SERVIDOR]
>> auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>
>>
>> Windows machines also joined and authenticate against the ad server
>> (samba) but cannot access the file server (servidor).
>>
>> Samba is 4.3.0 in both ad and member servers. Self compiled using
>> instructions from the wiki.
>>
>>
>> This is the smb.conf of the file server (member server):
>>
>> [global]
>>    netbios name = SERVIDOR
>>    workgroup = ENEABE
>>    security = ADS
>>    realm = ENEABE.COM.AR
>>    encrypt passwords = yes
>>
>>    idmap config *:backend = tdb
>>    idmap config *:range = 70001-80000
>>    idmap config ENEABE:backend = ad
>>    idmap config ENEABE:schema_mode = rfc2307
>>    idmap config ENEABE:range = 3000000-4000000
>
>
> Have you added uidNumber attributes to users object in AD and a gidNumber to
> Domain Users ?
>
> Rowland
>
>>
>>    winbind nss info = rfc2307
>>    winbind trusted domains only = no
>>    winbind use default domain = yes
>>    winbind enum users = yes
>>    winbind enum groups = yes
>>
>>    vfs objects = acl_xattr
>>    map acl inherit = Yes
>>    store dos attributes = Yes
>>
>>
>>
>> BTW, anonymous logins work:
>>
>> $ smbclient -L //servidor -U%
>> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>>
>> Sharename       Type      Comment
>> ---------       ----      -------
>> IPC$            IPC       IPC Service (Samba 4.3.0)
>> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>>
>> Server               Comment
>> ---------            -------
>>
>> Workgroup            Master
>> ---------            -------
>>
>>
>> What am I doing wrong?
>>
>> Thanks!
>> Norberto
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
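
Added example, not part of the thread: Rowland's question matters because `idmap config ENEABE:backend = ad` makes winbind read Unix IDs from the uidNumber/gidNumber attributes stored in AD and treat the configured range as a filter. The sketch below parses the idmap lines from the posted smb.conf and flags accounts that backend could not map; the account list, the uidNumber values and the function names are constructed for illustration.

```python
import re

# idmap lines copied from the member server's smb.conf in the post.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config ENEABE:backend = ad
   idmap config ENEABE:schema_mode = rfc2307
   idmap config ENEABE:range = 3000000-4000000
"""
# Constructed directory state (assumption): account -> uidNumber, None = unset.
USERS = {"zoolook": None, "alice": 3000001, "bob": 10000}
DOMAIN_USERS_GID = None  # constructed: Domain Users has no gidNumber
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain.upper(), {})[option.lower()] = value
    return domains

def mapping_problems(domains, domain, users, group_gid):
    """Return {account: [reasons]} for accounts the 'ad' backend cannot map."""
    low, high = map(int, domains[domain]["range"].split("-"))
    group_issue = None
    if group_gid is None:
        group_issue = "Domain Users has no gidNumber"
    elif not low <= group_gid <= high:
        group_issue = f"Domain Users gidNumber {group_gid} outside {low}-{high}"
    problems = {}
    for name, uid in users.items():
        reasons = []
        if uid is None:
            reasons.append("no uidNumber")
        elif not low <= uid <= high:
            reasons.append(f"uidNumber {uid} outside {low}-{high}")
        if group_issue:
            reasons.append(group_issue)
        if reasons:
            problems[name] = reasons
    return problems

if __name__ == "__main__":
    print(mapping_problems(parse_idmap(SMB_CONF), "ENEABE", USERS, DOMAIN_USERS_GID))
```

On a live member server the equivalent check is whether `wbinfo -i zoolook` returns a passwd-style entry for the account.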


