[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Roland Schwingel
roland.schwingel at onevision.com
Fri Jul 3 15:31:48 UTC 2015
Hi ...

When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
problem that has bugged me for hours now. I cannot get a samba 4.2.2
fileserver to work with a samba 4.2.2 PDC as a domain member.

My scenario:
Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend.
We can't move to AD right now so I wanted to move to the current 4.2.2
at least to do this step but to still keep NT-4 style domains.

Yesterday I migrated one PDC in a certain network to samba 4.2.2.
After some tweaking of smb.conf it works now. And I believe without
any trouble. Login/logout from Win2003, Win7, 8.1 etc. work fine.
Also printing and joining machines to the domain works as before. So far
so good.

Here is the smb.conf of the PDC:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = domaincontroller
passdb backend = ldapsam:"ldap://localhost"
log file = /usr/local/samba/var/log.%m
max log size = 500
large readwrite = No
name resolve order = host bcast
time server = Yes
add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
logon script = logonscripts/%U/logon.bat
logon path = \\%N\profiles\%U
logon home =
domain logons = Yes
os level = 66
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=computers,ou=samba
ldap passwd sync = yes
ldap suffix = dc=MYDOM,dc=com
ldap user suffix = ou=people
idmap config * : range =
idmap config * : backend = tdb
create mask = 0755
hide dot files = No
map hidden = Yes
csc policy = disable
strict locking = No

So I set up a test machine with samba 4.2.2 as fileserver, working as
domain member. Here is the smb.conf of the fileserver machine:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = Fileserver
security = DOMAIN
log level = 2
log file = /usr/local/samba/var/log.%m
max log size = 500
name resolve order = host bcast
unix extensions = No
hide dot files = No
csc policy = disable
strict locking = No
wide links = Yes
[testshare]
comment = test
path = /testshare
read only = No
inherit permissions = Yes

I joined the machine (osuse-test) to the network using this call. I
tried a couple of others but this is the only one that produced a join:

osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
No realm has been specified! Do you really want to join an Active Directory server?
Enter roland's password:
No realm has been specified! Do you really want to join an Active Directory server?
Using short domain name -- MYDOM
Joined 'OSUSE-TEST' to domain 'MYDOM'

When I try to access osuse-test by trying to open \\osuse-test from
Windows 7, after a few seconds Windows presents me with a panel with a
locking error.

On osuse-test I see these errors in the log file for the win7 client:
[2015/07/03 17:23:30.718802, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/03 17:23:30.892601, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.893837, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.939343, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/03 17:23:31.110024, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.111246, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.111278, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.131118, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/03 17:23:31.296986, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.298164, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.298195, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.318922, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/03 17:23:31.485074, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.486119, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.486162, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

So there seems to be an auth error with the user. The user is fully
working and correct. Passwords are correct.
Has anyone any clue what's going on here?

Thanks for your help,
Roland
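
Added example, not part of the original post: a small Python triage helper that reassembles smbd log entries like the ones quoted above (including headers wrapped by a mail client) and lists each failed pass-through validation with its user, domain, domain controller and NT_STATUS code in time order. The function names are hypothetical and the sample is constructed from the wrapped form shown in the message.

```python
import re
from collections import Counter

# Constructed sample in the mail-wrapped form shown in the post.
SAMPLE = """\
[2015/07/03 17:23:30.892601, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:31.110024, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")
DC_FAIL = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                     r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

def parse_entries(text):
    """Rebuild one dict per log entry; tolerates wrapped headers and messages."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # "[timestamp, level]" starts a new entry
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif entries and not entries[-1]["where"] and LOCATION.match(line):
            entries[-1]["where"] = line  # file:line(function) wrapped onto its own line
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def dc_failures(entries):
    """(time, user, domain, dc, status) for each failed validation against the DC."""
    hits = ((e["time"], DC_FAIL.search(e["msg"])) for e in entries)
    return [(t, *m.groups()) for t, m in hits if m]

def status_counts(failures):
    """How often each NT_STATUS code was returned by the domain controller."""
    return Counter(f[4] for f in failures)
```

Run over the full log, `dc_failures` makes the sequence visible at a glance: which status the first attempt returned and which one the retries returned.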