[Samba] Cannot authenticate the administrator account
Mike
1100100 at gmail.com
Wed Apr 22 05:13:45 MDT 2015
The AD DC default shares are listed correctly after provisioning (anonymous listing with an empty user name and password):
smbclient -L localhost -U%:
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba
4.1.17-SerNet-RedHat-11.el7)
Domain=[CONPAGO] OS=[Unix] Server=[Samba 4.1.17-SerNet-RedHat-11.el7]
Server Comment
--------- -------
Workgroup Master
--------- -------
Cannot authenticate the administrator account -
smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter Administrator's password:
session setup failed: NT_STATUS_LOGON_FAILURE
- - - - - - - - - - - - - - - - - -
I turned up the log level to 3 and found the following:
[2015/04/22 06:17:54.074716, 0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for A10$@MWLLC.INFO failed
(Cannot contact any KDC for requested realm)
A10 is the server hostname, CONPAGO is the NetBIOS domain (workgroup) name,
and MWLLC.INFO is the Kerberos realm.
-----------------------------------------
ps axf | egrep "samba|smbd|nmbd|winbindd"
886 pts/5 S+ 0:00 \_ grep -E --color=auto
samba|smbd|nmbd|winbindd
32620 ? Ss 0:00 samba
32621 ? S 0:00 \_ samba
32623 ? Ss 0:00 | \_ /usr/sbin/smbd -D --option=server role
check:inhibit=yes --foreground
32637 ? S 0:00 | \_ /usr/sbin/smbd -D --option=server
role check:inhibit=yes --foreground
32622 ? S 0:00 \_ samba
32624 ? S 0:00 \_ samba
32625 ? S 0:00 \_ samba
32626 ? S 0:00 \_ samba
32627 ? S 0:00 \_ samba
32628 ? S 0:00 \_ samba
32629 ? S 0:00 \_ samba
32630 ? S 0:00 \_ samba
32631 ? S 0:00 \_ samba
32632 ? S 0:00 \_ samba
32633 ? S 0:00 \_ samba
32634 ? S 0:00 \_ samba
The process list above matches the one on the troubleshooting page.
------------------------------------------------------------------------
I cannot figure out why Kerberos authentication fails; the kinit error above reports that no KDC could be contacted for the realm.
I also noticed that the nmbd and winbindd logs say, "server role = 'active
directory domain controller' not compatible with running the <<nmbd>> and
<<winbindd>> binary.
You should start 'samba' instead, and it will control starting the
internal AD DC <<nmbd>> and <<winbindd>> implementation, which is not the
same as this one."
However, I did start the server with the "samba" binary, as the process list above shows.
Output of samba-tool testparm -v (-v also prints parameters that are left at their defaults):
# Global parameters
[global]
dos charset = CP850
unix charset = UTF8
workgroup = CONPAGO
realm = MWLLC.INFO
netbios name = A10
netbios aliases =
netbios scope =
server string = Samba 4.1.17-SerNet-RedHat-11.el7
interfaces = lo, eno1
bind interfaces only = Yes
config backend = file
server role = active directory domain controller
security = AUTO
auth methods =
encrypt passwords = Yes
client schannel = No
server schannel = No
allow trusted domains = No
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file =
private dir = /var/lib/samba/private
passdb backend =
algorithmic rid base = 0
root directory =
guest account =
enable privileges = No
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 0
check password script =
username map =
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
client use spnego principal = No
preload modules =
dedicated keytab file =
kerberos method = default
map untrusted to domain = No
log level = 3
syslog = 1
syslog only = No
log file =
max log size = 0
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = Yes
debug pid = No
debug uid = No
debug class = No
enable core files = No
smb ports = 445, 139
large readwrite = Yes
server max protocol = NT1
server min protocol = CORE
client max protocol = NT1
client min protocol = CORE
unicode = Yes
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
log writeable files on exit = No
defer sharing violations = No
nt pipe support = No
nt status support = Yes
max mux = 50
max xmit = 12288
name resolve order = wins, host, bcast
max ttl = 0
max wins ttl = 518400
min wins ttl = 10
time server = No
unix extensions = No
use spnego = Yes
client signing = default
server signing = default
client use spnego = No
client ldap sasl wrapping = plain
enable asu support = No
svcctl list =
cldap port = 389
dgram port = 138
nbt port = 137
krb5 port = 88
kpasswd port = 464
web port = 901
rpc big endian = No
deadtime = 0
getwd cache = No
keepalive = 0
lpq cache time = 0
max smbd processes = 0
max disk size = 0
max open files = 0
socket options = TCP_NODELAY
use mmap = Yes
use ntdb = No
hostname lookups = No
name cache timeout = 0
ctdbd socket =
cluster addresses =
clustering = No
ctdb timeout = 0
ctdb locktime warn threshold = 0
smb2 max read = 0
smb2 max write = 0
smb2 max trans = 0
smb2 max credits = 0
load printers = No
printcap cache time = 0
printcap name =
cups server =
cups encrypt = No
cups connection timeout = 0
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = No
os2 driver map =
mangling method =
mangle prefix = 0
max stat cache size = 0
stat cache = No
machine password timeout = 0
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script =
shutdown script =
abort shutdown script =
username map script =
username map cache time = 0
logon script =
logon path =
logon drive =
logon home =
domain logons = No
init logon delayed hosts =
init logon delay = 0
os level = 0
lm announce = No
lm interval = 0
preferred master = Auto
local master = Yes
domain master = Auto
browse list = No
enhanced browsing = No
dns proxy = Yes
wins proxy = No
wins server =
wins support = No
wins hook =
lock spin time = 0
oplock break wait time = 0
ldap admin dn =
ldap delete dn = No
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = yes
ldap replication sleep = 0
ldap suffix =
ldap ssl = no
ldap ssl ads = No
ldap deref = never
ldap follow referral = No
ldap timeout = 0
ldap connection timeout = 0
ldap page size = 0
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 0
eventlog list =
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/cache/samba
state directory = /var/lib/samba
cache directory = /var/cache/samba
pid directory = /var/run/samba
ntp signd socket directory = /var/lib/samba/ntp_signd
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
nbt client socket address =
nmbd bind explicit broadcast = No
homedir map =
afs username map =
afs token lifetime = 0
log nt token command =
NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = No
usershare path =
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
allow insecure wide links = No
async smb echo handler = No
panic action =
perfcount module =
host msdfs = Yes
passdb expand explicit = No
idmap backend =
idmap cache time = 0
idmap negative cache time = 0
idmap uid =
idmap gid =
template homedir = /home/%WORKGROUP%/%ACCOUNTNAME%
template shell = /bin/false
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
create krb5 conf = No
ncalrpc dir = /var/run/samba/ncalrpc
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory =
/var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
allow dns updates = secure only
dns forwarder = 75.75.76.76
dns update command = /usr/sbin/samba_dnsupdate
nsupdate command = /usr/bin/nsupdate -g
rndc command = /usr/sbin/rndc
multicast dns register = No
samba kcc command = /usr/sbin/samba_kcc
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, dns
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6,
backupkey, dnsserver
spn update command = /usr/sbin/samba_spnupdate
share backend = classic
tls enabled = Yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls crlfile =
tls dh params file =
idmap_ldb:use rfc2307 = yes
prefork children:smb = 4
registry:hkey_users = hku.ldb
registry:hkey_local_machine = hklm.ldb
[netlogon]
path = /var/lib/samba/sysvol/mwllc.info/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
(END)