[Samba] getting NT_STATUS_LOGON_FAILURE

Rowland Penny rowlandpenny at googlemail.com
Fri Jan 9 15:42:41 MST 2015


On 09/01/15 20:37, Rowland Penny wrote:
> On 09/01/15 20:16, Bob of Donelson Trophy wrote:
>>
>> On 2015-01-09 13:43, Rowland Penny wrote:
>>
>>> On 09/01/15 18:56, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 12:45, Rowland Penny wrote:
>>> On 09/01/15 18:31, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 11:40, Rowland Penny wrote:
>>> On 09/01/15 17:26, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 10:23, Rowland Penny wrote:
>>> On 09/01/15 15:47, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 09:27, Rowland Penny wrote:
>>> On 09/01/15 15:00, Bob of Donelson Trophy wrote:
>>> On 2015-01-09 08:44, Rowland Penny wrote:
>>>
>>> W7 client "Preferred DNS server" is set to my DC. My DC looks like this:
>>>
>>> root@dtdc01:~# cat /etc/resolv.conf
>>> search dtshrm.local
>>> domain dtshrm.local
>>> nameserver 192.168.16.54
>>>
>>> root@dtdc01:~# cat /etc/network/interfaces
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> # The primary network interface
>>> allow-hotplug eth0
>>> iface eth0 inet static
>>> address 192.168.16.54
>>> netmask 255.255.255.0
>>> network 192.168.16.0
>>> broadcast 192.168.16.255
>>> gateway 192.168.16.106
>>> # dns-* options are implemented by the resolvconf package, if installed
>>> dns-nameservers 208.67.222.222
>>> dns-search dtshrm.local
>>>
>>> root@dtdc01:~# cat /etc/hosts
>>> 127.0.0.1 localhost
>>> 192.168.16.54 dtdc01.dtshrm.lan dtdc01
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1 localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> Should the /etc/resolv.conf be resolving to itself? (I chuckled at
>>> your "panic" comment. lol) Fix this first, checking for
>>> 'libnss_winbind.so.2' is next on my list for this morning.
>>>
>>> Firstly, what email client are you using ? it appears to be doing
>>> weird things :-) Don't bother about libnss_winbind.so.2, you have it,
>>> what you don't have is the pam config file that automatically sets
>>> pam. This is my /etc/resolv.conf from my DC:
>>>
>>> nameserver 127.0.0.1
>>> search example.lan
>>>
>>> It needs to point to itself and you do not need the domain line.
>>> domain & search are mutually exclusive and the last one wins. This is
>>> my /etc/network/interfaces
>>>
>>> # This file describes the network interfaces available on your system
>>> # and how to activate them. For more information, see interfaces(5).
>>>
>>> # The loopback network interface
>>> auto lo
>>> iface lo inet loopback
>>>
>>> auto eth0
>>> iface eth0 inet static
>>> address 192.168.0.2
>>> netmask 255.255.255.0
>>> network 192.168.0.0
>>> broadcast 192.168.0.255
>>> gateway 192.168.0.1
>>>
>>> I also turn off NetworkManager and stop it from starting at boot.
>>> When you installed your member server via Louis's script, did you
>>> alter this line: ENABLEPAMAUTH=0
>>>
>>> Rowland
>>>
>>> Email client - Louis' email came back looking weird. Don't know about
>>> that. How do I "turn off NetworkManager" in Debian? (I didn't think it
>>> was on a server non-gui install?)
>>>
>>> Ah, didn't know that, you do not have it running.
>>>
>>> And I have not altered any PAM lines so I have not changed
>>> ENABLEPAMAUTH=0 however, where is it so I can go check it?
>>>
>>> It is in Louis's script, line 100 and if you change it to 1 it runs a
>>> block of code starting at line 349, this modifies /etc/pam.d/samba.
>>> This is not what happens if you install libnss-winbind &
>>> libpam-winbind with the debian samba4 packages, unfortunately you
>>> cannot install these with the sernet packages, but most of the
>>> contents of those two packages are in sernet-samba-libs, except for
>>> the pam config file: /usr/share/pam-configs/winbind
>>>
>>> Name: Winbind NT/Active Directory authentication
>>> Default: yes
>>> Priority: 192
>>> Auth-Type: Primary
>>> Auth:
>>>     [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>>> Auth-Initial:
>>>     [success=end default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
>>> Account-Type: Primary
>>> Account:
>>>     [success=end new_authtok_reqd=done default=ignore] pam_winbind.so
>>> Password-Type: Primary
>>> Password:
>>>     [success=end default=ignore] pam_winbind.so use_authtok try_first_pass
>>> Password-Initial:
>>>     [success=end default=ignore] pam_winbind.so
>>> Session-Type: Additional
>>> Session:
>>>     optional pam_winbind.so
>>>
>>> You may have to run 'pam-auth-update' and select winbind.
>>>
>>> Rowland
>>>
>>> --
>>> -------------------------
>>> Bob Wooden of Donelson Trophy
>>> 615.885.2846 (main)
>>> www.donelsontrophy.com
>>> "Everyone deserves an award!!"
>>
>> Okay, I have resolved my (stupid Windows) "No internet access" issue
>> on my lone W7 client. Moving forward with resolving my "getting
>> NT_STATUS_LOGON_FAILURE" issue. I went to my (modified for me) script
>> and I had "ENABLEPAMAUTH=0" and "ENABLEPAMSSH=0". Maybe I should simply
>> restore my member server with 'pre-script backup' and re-run the script
>> with these two options enabled (set to 1)? Should I enable both or just
>> the "ENABLEAUTH"? Or can we (with your help, I hope) correct this issue?
>>
>> As you have a backup, try creating the pam-config script I posted and
>> then run 'pam-auth-update --package', this should get you the same pam
>> setup as my member server.
>>
>> Rowland
>>
>> Maybe I am about to do this incorrectly. I created the config file (you
>> sent me) with 'vi /usr/share/pam-configs/winbind' and then started to
>> run "pam-auth-update". Now do I update all three services listed
>> (Kerberos, Unix and Winbind) or just winbind only?
>>
>> All three
>>
>> Rowland
>>
>> Do I need to install libnss-winbind & libpam-winbind? And if so, with
>> apt-get?
>>
>> You cannot install them, this is because you are using the sernet
>> packages, libnss-winbind & libpam-winbind depend on samba packages that
>> don't start with 'sernet'
>>
>> If it is of any help, I now have a sernet-samba member server running on
>> Debian 7.7 in a VM and it works, I followed Louis's script (mostly), I
>> changed the winbind ranges to match my setup.
>>
>> Rowland
>>
>> Rowland,
>>
>> I like to keep life as simple as I can. What I think you're saying is that
>> Louis' script works (mostly) and it is very simple for me to return to
>> a post installed sernet-samba state and re-run Louis' script with the
>> ENABLEPAMAUTH=1 option engaged.
>>
>> At this point I only have profiles working so, I am not losing much.
>>
>> Last question for today, do I also ENABLEPAMAUTHSSH=1? I think yes, but
>> . . .
>
> OK, to keep it simple, copy the attached tarball to your member 
> server, untar it with 'tar zxf pam-update.sh.tar.gz' , then run the 
> script with 'bash ./pam-update.sh', this must be done as root.
>
> Your sernet-samba member server will then match mine.
>
> Rowland
>

OK, I now think that the latest debian sernet-samba 4 is broken, don't 
know what or why, but I cannot log into a member server running it, but 
I can log into the DC (this is running debian samba4 from backports), I 
can also log into my laptop (running the ubuntu 4.1.6 packages) from the 
DC. I can even log into the DC from the sernet-samba member server. I am 
using smbclient to login, it just will not let me log into the sernet 
member server, but I can login via ssh.

This is what I get when I try to login (this is the last part):

added interface wlan0 ip=192.168.0.215 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="THINKPAD"
Client started (version 4.1.6-Ubuntu).
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: Returning sitename for HOME.LAN: "Default-First-Site-Name"
name samtest#20 found.
Connecting to 192.168.0.19 at port 445
Socket options:
     SO_KEEPALIVE = 0
     SO_REUSEADDR = 0
     SO_BROADCAST = 0
     TCP_NODELAY = 1
     TCP_KEEPCNT = 9
     TCP_KEEPIDLE = 7200
     TCP_KEEPINTVL = 75
     IPTOS_LOWDELAY = 0
     IPTOS_THROUGHPUT = 0
     SO_REUSEPORT = 0
     SO_SNDBUF = 87040
     SO_RCVBUF = 372480
     SO_SNDLOWAT = 1
     SO_RCVLOWAT = 1
     SO_SNDTIMEO = 0
     SO_RCVTIMEO = 0
     TCP_QUICKACK = 1
     TCP_DEFER_ACCEPT = 0
  session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2
   NTLMSSP_NEGOTIATE_TARGET_INFO
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
   NTLMSSP_NEGOTIATE_UNICODE
   NTLMSSP_REQUEST_TARGET
   NTLMSSP_NEGOTIATE_SIGN
   NTLMSSP_NEGOTIATE_NTLM
   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
   NTLMSSP_NEGOTIATE_NTLM2
   NTLMSSP_NEGOTIATE_128
   NTLMSSP_NEGOTIATE_KEY_EXCH
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.14-SerNet-Debian-9.wheezy]
  session setup ok
tree connect failed: NT_STATUS_ACCESS_DENIED

I get the same response when I can login except for the last three lines:

Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  session setup ok
  tconx ok
smb: \>

Anybody any ideas ???

Rowland
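
Added example, not part of the original post: a small Python triage of smbclient debug output that reports which connection stage a trace reached, using the "session request ok", "session setup ok", "tconx ok" and "tree connect failed" markers quoted above. The traces are constructed from those lines; the "session setup failed" marker and the stage names are assumptions of the example.

```python
import re

# Constructed samples: trace tails modelled on the two outcomes quoted in the post,
# plus a LOGON_FAILURE case matching the thread subject.
DENIED = """\
Connecting to 192.168.0.19 at port 445
  session request ok
Doing spnego session setup (blob length=96)
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.14-SerNet-Debian-9.wheezy]
  session setup ok
tree connect failed: NT_STATUS_ACCESS_DENIED
"""
WORKING = """\
  session request ok
Domain=[HOME] OS=[Unix] Server=[Samba 4.1.6-Ubuntu]
  session setup ok
  tconx ok
"""
BAD_LOGON = """\
  session request ok
Doing spnego session setup (blob length=96)
session setup failed: NT_STATUS_LOGON_FAILURE
"""

# Ordered stages (names are this example's own) and the marker smbclient prints on success.
STAGES = [
    ("connection", re.compile(r"^\s*session request ok\s*$")),
    ("authentication", re.compile(r"^\s*session setup ok\s*$")),
    ("share access", re.compile(r"^\s*tconx ok\s*$")),
]
FAILURE = re.compile(r"^\s*(session setup|tree connect) failed: (NT_STATUS_\w+)")
FAILED_STAGE = {"session setup": "authentication", "tree connect": "share access"}
SERVER = re.compile(r"Server=\[([^\]]*)\]")

def triage(trace):
    """Return the stages that completed, the stage that failed, its status and the server banner."""
    result = {"completed": [], "failed_stage": None, "status": None, "server": None}
    for line in trace.splitlines():
        for name, marker in STAGES:
            if marker.match(line) and name not in result["completed"]:
                result["completed"].append(name)
        failure = FAILURE.match(line)
        if failure:
            result["failed_stage"] = FAILED_STAGE[failure.group(1)]
            result["status"] = failure.group(2)
        banner = SERVER.search(line)
        if banner:
            result["server"] = banner.group(1)
    return result
```

"session setup ok" only shows that the server accepted the session; where Samba is configured with "map to guest", that session may be a guest one, so the server-side log is the place to confirm which account was mapped before looking at share permissions.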


