[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Roland Schwingel roland.schwingel at onevision.com
Fri Jul 3 15:31:48 UTC 2015


Hi ...

When trying to migrate from samba3 to samba 4.2.2 I am facing a severe 
problem that has been bugging me for hours now. I cannot get a samba 4.2.2 
fileserver to work with a samba 4.2.2 PDC as a domain member.

My scenario:
Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend.
We can't move to AD right now so I wanted to move to the current 4.2.2
at least to do this step but to still keep NT-4 style domains.

Yesterday I migrated one PDC in a certain network to samba 4.2.2.
After some tweaking of smb.conf it works now. And I believe without
any trouble. Login/logout from Win2003, Win7, 8.1 etc. work fine.
Also printing and joining machines to the domain works as before. So far 
so good.

Here is the smb.conf of the PDC:
[global]
         unix charset = UTF-8
         workgroup = MYDOM
         server string = domaincontroller
         passdb backend = ldapsam:"ldap://localhost"
         log file = /usr/local/samba/var/log.%m
         max log size = 500
         large readwrite = No
         name resolve order = host bcast
         time server = Yes
         add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
         logon script = logonscripts/%U/logon.bat
         logon path = \\%N\profiles\%U
         logon home =
         domain logons = Yes
         os level = 66
         preferred master = Yes
         domain master = Yes
         dns proxy = No
         ldap admin dn = cn=Directory Manager
         ldap group suffix = ou=groups
         ldap idmap suffix = ou=idmap,ou=samba
         ldap machine suffix = ou=computers,ou=samba
         ldap passwd sync = yes
         ldap suffix = dc=MYDOM,dc=com
         ldap user suffix = ou=people
         idmap config * : range =
         idmap config * : backend = tdb
         create mask = 0755
         hide dot files = No
         map hidden = Yes
         csc policy = disable
         strict locking = No

So I did set up a test machine with samba 4.2.2 as fileserver, working as 
a domain member. Here is the smb.conf of the fileserver machine:
[global]
    unix charset = UTF-8
    workgroup = MYDOM
    server string = Fileserver
    security = DOMAIN
    log level = 2
    log file = /usr/local/samba/var/log.%m
    max log size = 500
    name resolve order = host bcast
    unix extensions = No
    hide dot files = No
    csc policy = disable
    strict locking = No
    wide links = Yes

[testshare]
    comment = test
    path = /testshare
    read only = No
    inherit permissions = Yes

I joined the machine (osuse-test) to the network using this call. I 
tried a couple of others but this is the only one that produced a join:

osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
No realm has been specified! Do you really want to join an Active Directory server?
Enter roland's password:
No realm has been specified! Do you really want to join an Active Directory server?
Using short domain name -- MYDOM
Joined 'OSUSE-TEST' to domain 'MYDOM'

When I try to access osuse-test by trying to open \\osuse-test from 
Windows 7, after a few seconds Windows presents me a panel with a locking 
error.

On osuse-test I see these errors in the log file for the win7 client:
[2015/07/03 17:23:30.718802,  2] ../source3/param/loadparm.c:2614(lp_do_section)
   Processing section "[testshare]"
[2015/07/03 17:23:30.892601,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.893837,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.939343,  2] ../source3/param/loadparm.c:2614(lp_do_section)
   Processing section "[testshare]"
[2015/07/03 17:23:31.110024,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.111246,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.111278,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.131118,  2] ../source3/param/loadparm.c:2614(lp_do_section)
   Processing section "[testshare]"
[2015/07/03 17:23:31.296986,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.298164,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.298195,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.318922,  2] ../source3/param/loadparm.c:2614(lp_do_section)
   Processing section "[testshare]"
[2015/07/03 17:23:31.485074,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.486119,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.486162,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

So there seems to be an auth error with the user. The user is fully 
working and correct. Passwords are correct.

Has anyone any clue what's going on here?

Thanks for your help,

Roland
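
Added example, not part of the original post: a small Python parser for the kind of log.%m excerpt quoted above. It rejoins records that were wrapped across lines and lists each failed domain_client_validate call in log order, so the first status returned by the domain controller is not buried under the retries. The sample lines are constructed from the excerpt, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the quoted layout; two records are wrapped as in the mail.
SAMPLE_LOG = """\
[2015/07/03 17:23:30.892601,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:31.110024,  0]
../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.131118,  2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
DC_FAIL = re.compile(r"unable to validate password for user (\S+) in domain (\S+) "
                     r"to Domain controller (\S+)\. Error was (NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, level, body), rejoining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), int(m.group(2)), [m.group(3).strip()])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def dc_failures(text):
    """Failed pass-through validations against the DC, in log order."""
    hits = ((ts, DC_FAIL.search(body)) for ts, _level, body in records(text))
    return [dict(zip(("user", "domain", "dc", "status"), m.groups()), time=ts)
            for ts, m in hits if m]

def summarize(text):
    """Count failures per (user, dc, status) so retries collapse into one row."""
    return Counter((f["user"], f["dc"], f["status"]) for f in dc_failures(text))

if __name__ == "__main__":
    print([(f["time"], f["status"]) for f in dc_failures(SAMPLE_LOG)])
```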

