[Samba] no logon server

Dale Schroeder dale at BriannasSaladDressing.com
Mon Mar 28 17:55:23 UTC 2016


No takers thus far.  These are the Samba 4.2 changes to which I 
previously referred (https://www.samba.org/samba/history/samba-4.2.0.html) :

     For the client side we have the following new options:
     "require strong key" (yes by default), "reject md5 servers" (no by default).
     E.g. for Samba 3.0.37 you need "require strong key = no" and
     for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",

     On the server side (as domain controller) we have the following new options:
     "allow nt4 crypto" (no by default), "reject md5 client" (no by default).
     E.g. in order to allow Samba < 3.0.27 or NT4 members to work
     you need "allow nt4 crypto = yes"

I believe I have applied them correctly, but have not had any success to 
date.  All member servers are Debian Jessie or Stretch, and the Windows 
systems are all Win7.

Can anyone please advise as to why the clients see no logon server?

Thanks,
Dale


On 03/24/2016 1:34 PM, Dale Schroeder wrote:
> I have an NT domain on Debian Stretch.  It's been upgraded numerous 
> times, but has been running for almost a decade.  Since upgrading from 
> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot 
> connect to shares.  Prior to upgrading, I found the changes mentioned 
> for 4.2 regarding NT domains and applied them.  Even so, I still 
> cannot connect to network shares nor print to network printers.
>
> smb.conf for DC
>
> [global]
>     workgroup = DOMAIN.COM
>     server string = Samba PDC
>     map to guest = Bad User
>     passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>     client NTLMv2 auth = No
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     name resolve order = wins host bcast
>     time server = Yes
>     deadtime = 15
>     load printers = No
>     add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>     delete user script = /usr/sbin/smbldap-userdel '%u'
>     add group script = /usr/sbin/smbldap-groupadd -p '%g'
>     delete group script = /usr/sbin/smbldap-groupdel '%g'
>     add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>     delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>     set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>     add machine script = /usr/sbin/smbldap-useradd -w '%u'
>     shutdown script = /sbin/shutdown -h now
>     abort shutdown script = /sbin/shutdown -c
>     logon script = %U.bat
>     logon path = ""
>     logon drive = U:
>     logon home = \\am1100\users\%U
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     wins support = Yes
>     ldap admin dn = cn=admin,dc=domain,dc=com
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = dc=domain,dc=com
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     panic action = /usr/share/samba/panic-action %d
>     require strong key = No
>     allow nt4 crypto = Yes
>     idmap config * : backend = tdb
>     admin users = root dale "@Domain Admins"
>     hosts allow = 192.168.0. 127.
>     ea support = Yes
>     veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>
> member server smb.conf
>
> [global]
>     workgroup = DOMAIN.COM
>     server string = Samba File Server
>     server role = member server
>     security = DOMAIN
>     allow trusted domains = No
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>     map untrusted to domain = Yes
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     name resolve order = wins host bcast
>     client signing = No
>     server signing = No
>     deadtime = 15
>     printcap cache time = 300
>     printcap name = cups
>     wins server = 192.168.0.y
>     ldap admin dn = cn=admin,dc=domain,dc=com
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = yes
>     ldap suffix = dc=domain,dc=com
>     ldap ssl = no
>     ldap user suffix = ou=Users
>     panic action = /usr/share/samba/panic-action %d
>     require strong key = No
>     allow nt4 crypto = Yes
>     admin users = root dale "@Domain Admins"
>     hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
>     ea support = Yes
>     veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>     map archive = No
>     map readonly = no
>     store dos attributes = Yes
>
> Connecting to the DC from a Win7 system, I get this:
>
> [2016/03/10 18:06:08.234861,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [dale] -> [dale] -> 
> [dale] succeeded
> [2016/03/10 18:57:24.235719,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [dale] -> [dale] -> 
> [dale] succeeded
> [2016/03/10 19:55:30.516145,  1] 
> ../source3/smbd/process.c:554(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read 
> error = NT_STATUS_CONNECTION_RESET.
> [2016/03/10 19:55:56.746553,  0] 
> ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
>   ../source3/rpc_server/srv_pipe.c:443: 
> auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND
> [2016/03/10 19:55:56.886317,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [MASTER$] -> [MASTER$] 
> -> [master$] succeeded
> [2016/03/10 19:55:56.915982,  2] 
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>   check_ntlm_password:  authentication for user [dale] -> [dale] -> 
> [dale] succeeded
>
> Connecting to the DC from a linux desktop, I get this:
>
> [2016/03/23 20:56:45.371682,  2] 
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [dale] -> [dale] 
> FAILED with error NT_STATUS_WRONG_PASSWORD
> [2016/03/23 21:06:56.306813,  1] 
> ../source3/smbd/process.c:554(receive_smb_talloc)
> [2016/03/23 21:06:56.306829,  1] 
> ../source3/smbd/process.c:554(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 
> read error = NT_STATUS_CONNECTION_RESET.
>   receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 
> read error = NT_STATUS_CONNECTION_RESET.
> [2016/03/23 21:06:56.307205,  1] 
> ../source3/smbd/process.c:554(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 
> read error = NT_STATUS_CONNECTION_RESET.
> [2016/03/23 21:06:56.311944,  1] 
> ../source3/smbd/process.c:554(receive_smb_talloc)
>   receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 
> read error = NT_STATUS_CONNECTION_RESET.
>
> Connecting to the file server from Win7:
>
> [2016/03/23 20:47:16.885244,  6, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>   check_samstrict_security: DOMAIN.COM is not one of my local names 
> (ROLE_DOMAIN_MEMBER)
> [2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>   check_ntlm_password: sam had nothing to say
> [2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
>   Check auth for: [dale]
> [2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_winbind.c:105(check_winbind_security)
>   check_winbind_security: wbcAuthenticateUserEx failed: 
> WBC_ERR_WINBIND_NOT_AVAILABLE
> [2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>   Check auth for: [dale]
> [2016/03/23 20:47:16.885544,  5, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>   check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
> [2016/03/23 20:47:16.885584,  5, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [dale] FAILED 
> with error NT_STATUS_NO_LOGON_SERVERS
> [2016/03/23 20:47:16.885646,  2, pid=10907, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [dale] -> [dale] 
> FAILED with error NT_STATUS_NO_LOGON_SERVERS
>
> Connecting to the file server from linux system:
>
> [2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain)
>   wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
> [2016/03/15 19:00:08.752144,  5, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/user_info.c:62(make_user_info)
>   attempting to make a user_info for ABORT (ABORT)
> [2016/03/15 19:00:08.752195,  5, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/user_info.c:70(make_user_info)
>   making strings for ABORT's user_info struct
> [2016/03/15 19:00:08.752237,  5, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/user_info.c:108(make_user_info)
>   making blobs for ABORT's user_info struct
> [2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
>   made a user_info for ABORT (ABORT)
> [2016/03/15 19:00:08.752310,  3, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user 
> [DOMAIN.COM]\[ABORT]@[MASTER2015] with the new password interface
> [2016/03/15 19:00:08.752350,  3, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
> [2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
>   check_ntlm_password: auth_context challenge created by random
> [2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   challenge is:
> [2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
>   Check auth for: [ABORT]
> [2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>   check_ntlm_password: guest had nothing to say
> [2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
>   Check auth for: [ABORT]
> [2016/03/15 19:00:08.752601,  6, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>   check_samstrict_security: DOMAIN.COM is not one of my local names 
> (ROLE_DOMAIN_MEMBER)
> [2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>   check_ntlm_password: sam had nothing to say
> [2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
>   Check auth for: [ABORT]
> [2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_winbind.c:105(check_winbind_security)
>   check_winbind_security: wbcAuthenticateUserEx failed: 
> WBC_ERR_WINBIND_NOT_AVAILABLE
> [2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>   Check auth for: [ABORT]
> [2016/03/15 19:00:08.752898,  5, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] 
> ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>   check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
> [2016/03/15 19:00:08.752939,  5, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>   check_ntlm_password: winbind authentication for user [ABORT] FAILED 
> with error NT_STATUS_NO_LOGON_SERVERS
> [2016/03/15 19:00:08.752997,  2, pid=30212, effective(0, 0), real(0, 
> 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [ABORT] -> [ABORT] 
> FAILED with error NT_STATUS_NO_LOGON_SERVERS
>
> The winbind error messages are correct, as I use nss_ldap/pam_ldap for 
> authentication, and that works.  getent retrieves all ldap users and 
> groups on both DC and member.  I can successfully ssh into either the 
> DC or member.  Oddly, I can access a share on the DC from the Win7 
> system, but no other shares.
>
> Can anyone spot what I've missed in the upgrade?
>
> Thanks,
> Dale
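The Samba 4.2 note quoted at the top of this message lists the knobs an NT4-style domain needs, and both smb.conf files quoted here set them. What the page does not make visible is what those settings trade away. The script below is an added example for this thread (not Samba project code and not something Dale posted): it parses an smb.conf the way Samba's loadparm reads parameter names (case-insensitive, whitespace ignored, `;`/`#` comments, backslash continuations) and reports every compatibility knob explicitly set to its weak value, with the default beside it. The sample config is constructed from the member-server config in the thread; the defaults for `client NTLMv2 auth` and the signing options are taken from the smb.conf manual rather than from the quoted note.

```python
"""Audit an smb.conf for the NT4-era compatibility knobs from the Samba 4.2 notes.

Added example for this thread (not Samba project code). It reads smb.conf the way
loadparm does: parameter names are case-insensitive with whitespace ignored,
';' and '#' start comments, a trailing backslash continues a line.
"""
import re

def canon(name):
    """'Require Strong Key' and 'requirestrongkey' are the same Samba parameter."""
    return re.sub(r"\s+", "", name.strip().lower())

def parse_bool(value):
    """Samba booleans; returns None for enum values such as 'auto' or 'disabled'."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return None

def _logical_lines(text):
    """Join physical lines that end in a backslash."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def parse_smb_conf(text):
    """Return {section: {canonical_param: value}} with lowercased section names."""
    sections, current = {}, None
    for line in _logical_lines(text):
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][canon(key)] = " ".join(value.split())
    return sections

# (parameter, value that weakens security, Samba >= 4.2 default, consequence)
LEGACY_KNOBS = [
    ("require strong key", False, True,
     "NETLOGON secure channel accepted without the strong (128-bit) key flag"),
    ("allow nt4 crypto", True, False,
     "DC accepts NT4-style NETLOGON clients that cannot negotiate strong/AES keys"),
    ("reject md5 servers", False, False,
     "client explicitly keeps accepting HMAC-MD5 (non-AES) secure channels"),
    ("reject md5 clients", False, False,
     "DC explicitly keeps accepting HMAC-MD5 (non-AES) secure channels"),
    ("client ntlmv2 auth", False, True,
     "client sends NTLMv1/LM responses, which are cheap to crack offline or relay"),
    ("client signing", False, None, "SMB signing off on the client side"),
    ("server signing", False, None, "SMB signing off on the server side"),
]

def audit(text):
    """List every knob explicitly set to its weak value in [global]."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for param, weak, default, why in LEGACY_KNOBS:
        raw = g.get(canon(param))
        if raw is None:
            continue  # unset: the default applies
        b = parse_bool(raw)
        if b == weak or (b is None and raw.lower() == "disabled" and weak is False):
            findings.append({"param": param, "value": raw, "default": default, "why": why})
    return findings

def role_of(text):
    """'dc', 'member' or 'standalone', from the same settings the thread's configs use."""
    g = parse_smb_conf(text).get("global", {})
    if parse_bool(g.get("domainlogons", "no")) or "domain controller" in g.get("serverrole", "").lower():
        return "dc"
    if g.get("serverrole", "").lower() == "member server" or g.get("security", "").lower() == "domain":
        return "member"
    return "standalone"

# Constructed sample, trimmed from the member-server smb.conf quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = DOMAIN.COM
    server role = member server
    security = DOMAIN
    client NTLMv2 auth = No
    client signing = No
    server signing = No
    Require Strong Key = No
    allow nt4 crypto = Yes
    ; continuation lines are joined before parsing
    hosts allow = 192.168.0.0/255.255.255.0 \\
        127.0.0.1

[users]
    path = /srv/users
    read only = No
"""

if __name__ == "__main__":
    print("role:", role_of(SAMPLE_SMB_CONF))
    for f in audit(SAMPLE_SMB_CONF):
        print(f"{f['param']} = {f['value']} (default {f['default']}): {f['why']}")
```

Only explicitly set knobs are reported. An smb.conf that never mentions `reject md5 clients` still runs with that parameter's default of no, so an empty report does not mean an AES-only secure channel. The audit also says nothing about why a member reports NT_STATUS_NO_LOGON_SERVERS; it only makes visible what the NT4 compatibility settings cost once they are applied on both the DC and the member.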