[Samba] no logon server
Dale Schroeder
dale at BriannasSaladDressing.com
Thu Mar 24 18:34:03 UTC 2016
I have an NT domain on Debian Stretch. It's been upgraded numerous
times, but has been running for almost a decade. Since upgrading from
4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot
connect to shares. Prior to upgrading, I found the changes mentioned
for 4.2 regarding NT domains and applied them. Even so, I still cannot
connect to network shares nor print to network printers.
smb.conf for DC
[global]
workgroup = DOMAIN.COM
server string = Samba PDC
map to guest = Bad User
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = No
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins host bcast
time server = Yes
deadtime = 15
load printers = No
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
shutdown script = /sbin/shutdown -h now
abort shutdown script = /sbin/shutdown -c
logon script = %U.bat
logon path = ""
logon drive = U:
logon home = \\am1100\users\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=admin,dc=domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
require strong key = No
allow nt4 crypto = Yes
idmap config * : backend = tdb
admin users = root dale "@Domain Admins"
hosts allow = 192.168.0. 127.
ea support = Yes
veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
map archive = No
map readonly = no
store dos attributes = Yes
member server smb.conf
[global]
workgroup = DOMAIN.COM
server string = Samba File Server
server role = member server
security = DOMAIN
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
map untrusted to domain = Yes
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins host bcast
client signing = No
server signing = No
deadtime = 15
printcap cache time = 300
printcap name = cups
wins server = 192.168.0.y
ldap admin dn = cn=admin,dc=domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
require strong key = No
allow nt4 crypto = Yes
admin users = root dale "@Domain Admins"
hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
ea support = Yes
veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
map archive = No
map readonly = no
store dos attributes = Yes
Connecting to the DC from a Win7 system, I get this:
[2016/03/10 18:06:08.234861, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [dale] -> [dale] ->
[dale] succeeded
[2016/03/10 18:57:24.235719, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [dale] -> [dale] ->
[dale] succeeded
[2016/03/10 19:55:30.516145, 1]
../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read
error = NT_STATUS_CONNECTION_RESET.
[2016/03/10 19:55:56.746553, 0]
../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
../source3/rpc_server/srv_pipe.c:443:
auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND
[2016/03/10 19:55:56.886317, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [MASTER$] -> [MASTER$]
-> [master$] succeeded
[2016/03/10 19:55:56.915982, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [dale] -> [dale] ->
[dale] succeeded
Connecting to the DC from a Linux desktop, I get this:
[2016/03/23 20:56:45.371682, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2016/03/23 21:06:56.306813, 1]
../source3/smbd/process.c:554(receive_smb_talloc)
[2016/03/23 21:06:56.306829, 1]
../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 read
error = NT_STATUS_CONNECTION_RESET.
receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 read
error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.307205, 1]
../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 read
error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.311944, 1]
../source3/smbd/process.c:554(receive_smb_talloc)
receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 read
error = NT_STATUS_CONNECTION_RESET.
Connecting to the file server from Win7:
[2016/03/23 20:47:16.885244, 6, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOMAIN.COM is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [dale]
[2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
check_winbind_security: wbcAuthenticateUserEx failed:
WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
Check auth for: [dale]
[2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [dale] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
Connecting to the file server from a Linux system:
[2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain)
wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752144, 5, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_info.c:62(make_user_info)
attempting to make a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752195, 5, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_info.c:70(make_user_info)
making strings for ABORT's user_info struct
[2016/03/15 19:00:08.752237, 5, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_info.c:108(make_user_info)
making blobs for ABORT's user_info struct
[2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/user_info.c:159(make_user_info)
made a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752310, 3, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[DOMAIN.COM]\[ABORT]@[MASTER2015] with the new password interface
[2016/03/15 19:00:08.752350, 3, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
[2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
challenge is:
[2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
Check auth for: [ABORT]
[2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
Check auth for: [ABORT]
[2016/03/15 19:00:08.752601, 6, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
check_samstrict_security: DOMAIN.COM is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
check_ntlm_password: sam had nothing to say
[2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [ABORT]
[2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
check_winbind_security: wbcAuthenticateUserEx failed:
WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
Check auth for: [ABORT]
[2016/03/15 19:00:08.752898, 5, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/15 19:00:08.752939, 5, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [ABORT] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/15 19:00:08.752997, 2, pid=30212, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [ABORT] -> [ABORT]
FAILED with error NT_STATUS_NO_LOGON_SERVERS
The winbind error messages are correct, as I use nss_ldap/pam_ldap for
authentication, and that works. getent retrieves all LDAP users and
groups on both DC and member. I can successfully ssh into either the DC
or member. Oddly, I can access a share on the DC from the Win7 system,
but no other shares.
Can anyone spot what I've missed in the upgrade?
Thanks,
Dale
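
An added example, not part of the original post: a small parser for smbd log excerpts in the two header layouts quoted above. It pairs each final check_ntlm_password verdict with the error codes the same smbd process logged before it. The names parse_records and auth_verdicts are hypothetical, and the sample is built from records in the post.

```python
import re

# Constructed sample: records copied from the logs quoted in the post, archive wrapping kept.
SAMPLE = """\
[2016/03/10 18:06:08.234861, 2]
../source3/auth/auth.c:305(auth_check_ntlm_password)
check_ntlm_password: authentication for user [dale] -> [dale] ->
[dale] succeeded
[2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
check_winbind_security: wbcAuthenticateUserEx failed:
WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
check_ntlm_password: winbind authentication for user [dale] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
"""

START = re.compile(r"(?=\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+,)")
RECORD = re.compile(r"\[(?P<ts>[^,]+),\s*(?P<level>\d+)(?:,\s*pid=(?P<pid>\d+))?[^\]]*\]\s*"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<msg>.*)")
CODE = re.compile(r"\b(?:NT_STATUS|WBC_ERR)_[A-Z0-9_]+")
VERDICT = re.compile(
    r"check_ntlm_password: [Aa]uthentication for user \[([^\]]+)\].*?(succeeded|FAILED)")

def parse_records(text):
    """Undo line wrapping, then split on timestamp headers into records."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in map(RECORD.match, START.split(flat)) if m]

def auth_verdicts(records):
    """Pair each final verdict with the codes its smbd process logged first."""
    pending, out = {}, []
    for r in records:
        codes = pending.setdefault(r["pid"], [])
        codes.extend(CODE.findall(r["msg"]))
        v = VERDICT.search(r["msg"])
        if v:  # per-backend lines ("winbind authentication ...") do not match
            out.append({"ts": r["ts"], "pid": r["pid"], "user": v.group(1),
                        "result": v.group(2), "codes": list(dict.fromkeys(codes))})
            codes.clear()
    return out

if __name__ == "__main__":
    print(*auth_verdicts(parse_records(SAMPLE)), sep="\n")
```

Records logged without a pid field (the short header layout) are grouped under a pid of None, so per-process grouping only helps when the log was written with the longer debug header.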