[Samba] samba member, NT_STATUS_LOGON_FAILURE

Rowland Penny rowlandpenny241155 at gmail.com
Sun Oct 4 17:11:28 UTC 2015


On 04/10/15 17:43, Norberto Bensa wrote:
> Hello,
>
> I've followed two or three articles on how to configure samba 4 as a
> member server. One of these articles is from the samba wiki:
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> The server joins, but it cannot authenticate users. I don't care about
> nss, winbind, etc. unless it is REALLY necessary. All I want is to use
> this server as a file server for workstations while the AD server
> (also running on samba) acts as an authentication server only.
>
> On the client:
>
> $ smbclient -L //samba -U zoolook
>
> where samba is the ad server and zoolook is a domain user. This works.
>
> $ smbclient -L //servidor -U zoolook
>
> where servidor is the file server. This doesn't work and gives
> NT_STATUS_LOGON_FAILURE
>
>
> I've increased log level
>
> $ smbclient -d 3 -L //servidor -U zoolook
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
> Client started (version 4.3.0).
> Enter zoolook's password:
> tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not
> open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: Attempting host lookup for name servidor<0x20>
> Connecting to 10.0.3.251 at port 445
> Doing spnego session setup (blob length=96)
> got OID=1.2.840.48018.1.2.2
> got OID=1.2.840.113554.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=not_defined_in_RFC4178@please_ignore
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> In the ad server I ran /usr/local/samba/sbin/samba in interactive mode
> with -d3 and I get:
>
> schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/SERVIDOR
> auth_check_password_send: Checking password for unmapped user
> [ENEABE]\[zoolook]@[\\SERVIDOR]
> auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>
>
> Windows machines also joined and authenticate against the ad server
> (samba) but cannot access the file server (servidor).
>
> Samba is 4.3.0 in both ad and member servers. Self compiled using
> instructions from the wiki.
>
>
> This is the smb.conf of the file server (member server):
>
> [global]
>    netbios name = SERVIDOR
>    workgroup = ENEABE
>    security = ADS
>    realm = ENEABE.COM.AR
>    encrypt passwords = yes
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config ENEABE:backend = ad
>    idmap config ENEABE:schema_mode = rfc2307
>    idmap config ENEABE:range = 3000000-4000000

Have you added uidNumber attributes to the user objects in AD and a
gidNumber to Domain Users?

Rowland

>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
>
>
> BTW, anonymous logins work:
>
> $ smbclient -L //servidor -U%
> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>
> Sharename       Type      Comment
> ---------       ----      -------
> IPC$            IPC       IPC Service (Samba 4.3.0)
> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>
> Server               Comment
> ---------            -------
>
> Workgroup            Master
> ---------            -------
>
>
> What am I doing wrong?
>
> Thanks!
> Norberto
>
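Added example, not part of the thread: the question about uidNumber and gidNumber relates to the `idmap config ENEABE:backend = ad` lines, because that backend only maps objects whose RFC2307 IDs are set in AD and fall inside the configured range. The sketch below parses the posted idmap lines and checks candidate IDs against that range; the user and group values are constructed sample data, not taken from the poster's directory, and the function names are hypothetical.

```python
import re

# idmap lines as posted in the thread's smb.conf
SMB_CONF = """
[global]
   workgroup = ENEABE
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config ENEABE:backend = ad
   idmap config ENEABE:schema_mode = rfc2307
   idmap config ENEABE:range = 3000000-4000000
"""

# Constructed sample data standing in for an LDAP query of the AD objects.
# None means the attribute is not set on the object.
SAMPLE_USERS = {"zoolook": None, "alice": 3000001, "bob": 10000}
SAMPLE_GROUPS = {"Domain Users": None}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_ids(conf_text, domain, objects, attr):
    """List objects the 'ad' backend cannot map for the given domain."""
    cfg = parse_idmap(conf_text).get(domain.upper(), {})
    if cfg.get("backend") != "ad":
        return []  # other backends allocate IDs themselves
    low, high = (int(x) for x in cfg["range"].split("-"))
    problems = []
    for name, value in sorted(objects.items()):
        if value is None:
            problems.append(f"{name}: no {attr} set in AD")
        elif not low <= value <= high:
            problems.append(f"{name}: {attr} {value} outside {low}-{high}")
    return problems

if __name__ == "__main__":
    for line in (check_ids(SMB_CONF, "ENEABE", SAMPLE_USERS, "uidNumber")
                 + check_ids(SMB_CONF, "ENEABE", SAMPLE_GROUPS, "gidNumber")):
        print(line)
```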


