[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working

Rowland Penny rowlandpenny241155 at gmail.com
Fri Jul 3 16:36:32 UTC 2015


On 03/07/15 16:31, Roland Schwingel wrote:
> Hi ...
>
> When trying to migrate from samba3 to samba 4.2.2 I am facing a severe 
> problem that bugs me for hours now. I cannot get a samba 4.2.2 
> fileserver to work with a samba 4.2.2 PDC as a domain member.
>
> My scenario:
> Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend.
> We can't move to AD right now so I wanted to move to the current 4.2.2
> at least to do this step but to still keep NT-4 style domains.
>
> Yesterday I migrated one PDC in a certain network to samba 4.2.2.
> After some tweaking of smb.conf it works now. And I believe without
> any trouble. Login/logout from Win2003,Win7,8.1 etc work fine.
> Also printing and joining machines to the domain works as before. So 
> far so good.
>
> Here is the smb.conf of the PDC:
> [global]
>         unix charset = UTF-8
>         workgroup = MYDOM
>         server string = domaincontroller
>         passdb backend = ldapsam:"ldap://localhost"
>         log file = /usr/local/samba/var/log.%m
>         max log size = 500
>         large readwrite = No
>         name resolve order = host bcast
>         time server = Yes
>         add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
>         logon script = logonscripts/%U/logon.bat
>         logon path = \\%N\profiles\%U
>         logon home =
>         domain logons = Yes
>         os level = 66
>         preferred master = Yes
>         domain master = Yes
>         dns proxy = No
>         ldap admin dn = cn=Directory Manager
>         ldap group suffix = ou=groups
>         ldap idmap suffix = ou=idmap,ou=samba
>         ldap machine suffix = ou=computers,ou=samba
>         ldap passwd sync = yes
>         ldap suffix = dc=MYDOM,dc=com
>         ldap user suffix = ou=people
>         idmap config * : range =
>         idmap config * : backend = tdb
>         create mask = 0755
>         hide dot files = No
>         map hidden = Yes
>         csc policy = disable
>         strict locking = No
>
> So I did set up a test machine with samba 4.2.2 as fileserver. Working 
> as domain member. Here is the smb.conf of the fileserver machine:
> [global]
>    unix charset = UTF-8
>    workgroup = MYDOM
>    server string = Fileserver
>    security = DOMAIN
>    log level = 2
>    log file = /usr/local/samba/var/log.%m
>    max log size = 500
>    name resolve order = host bcast
>    unix extensions = No
>    hide dot files = No
>    csc policy = disable
>    strict locking = No
>    wide links = Yes
>
> [testshare]
>    comment = test
>    path = /testshare
>    read only = No
>    inherit permissions = Yes
>
> I joined the machine (osuse-test) to the network using this call. I 
> tried a couple of others but this is the only one that produced a join:
>
> osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
> No realm has been specified! Do you really want to join an Active Directory server?
> Enter roland's password:
> No realm has been specified! Do you really want to join an Active Directory server?
> Using short domain name -- MYDOM
> Joined 'OSUSE-TEST' to domain 'MYDOM'
>
> When I try to access osuse-test by trying to open \\osuse-test from 
> Windows 7, after a few seconds Windows presents me a panel with a locking 
> error.
>
> On osuse-test I see these errors in the log file for the win7 client:
> [2015/07/03 17:23:30.718802,  2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:30.892601,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
> [2015/07/03 17:23:30.893802,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
> [2015/07/03 17:23:30.893837,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_ACCESS_DENIED
> [2015/07/03 17:23:30.939343,  2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.110024,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.111246,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.111278,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.131118,  2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.296986,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.298164,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.298195,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.318922,  2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.485074,  0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.486119,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.486162,  2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
>
> So there seems to be an auth error with the user. The user is fully 
> working and correct. Passwords are correct.
>
> Has anyone any clue what's going on here?
>
> Thanks for your help,
>
> Roland

Hi, there were some changes made when 4.2.0 came out, these changes may 
be your problem, see here:

https://www.samba.org/samba/history/samba-4.2.0.html

Under the heading:  Winbindd/Netlogon improvements

Rowland


