[Samba] no logon server
Nicholas Rudd
nicholas.m.rudd at gmail.com
Mon Mar 28 22:55:08 UTC 2016
You may have included this in another email; however, I will ask anyway: did
you set DNS to your server in the Linux and Windows clients? Can you check
if a Windows Server can join? Can you use DNS management to check the DNS
on your Samba server?
On Mar 28, 2016 2:15 PM, "Dale Schroeder" <dale at briannassaladdressing.com>
wrote:
> No takers thus far. These are the Samba 4.2 changes to which I previously
> referred (https://www.samba.org/samba/history/samba-4.2.0.html) :
>
> For the client side we have the following new options:
> "require strong key" (yes by default), "reject md5 servers" (no by
> default).
> E.g. for Samba 3.0.37 you need "require strong key = no" and
> for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth
> = no",
>
> On the server side (as domain controller) we have the following new
> options:
> "allow nt4 crypto" (no by default), "reject md5 client" (no by
> default).
> E.g. in order to allow Samba < 3.0.27 or NT4 members to work
> you need "allow nt4 crypto = yes"
>
> I believe I have applied them correctly, but have not had any success to
> date. All member servers are Debian Jessie or Stretch, and the Windows
> systems are all Win7.
>
> Can anyone please advise as to why the clients see no logon server?
>
> Thanks,
> Dale
>
>
> On 03/24/2016 1:34 PM, Dale Schroeder wrote:
>
>> I have an NT domain on Debian Stretch. It's been upgraded numerous
>> times, but has been running for almost a decade. Since upgrading from
>> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot connect
>> to shares. Prior to upgrading, I found the changes mentioned for 4.2
>> regarding NT domains and applied them. Even so, I still cannot connect to
>> network shares nor print to network printers.
>>
>> smb.conf for DC
>>
>> [global]
>> workgroup = DOMAIN.COM
>> server string = Samba PDC
>> map to guest = Bad User
>> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>> *Retype\snew\sUNIX\spassword:* %n\n .
>> client NTLMv2 auth = No
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> name resolve order = wins host bcast
>> time server = Yes
>> deadtime = 15
>> load printers = No
>> add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel '%u'
>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u'
>> '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> shutdown script = /sbin/shutdown -h now
>> abort shutdown script = /sbin/shutdown -c
>> logon script = %U.bat
>> logon path = ""
>> logon drive = U:
>> logon home = \\am1100\users\%U
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=admin,dc=domain,dc=com
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = yes
>> ldap suffix = dc=domain,dc=com
>> ldap ssl = no
>> ldap user suffix = ou=Users
>> panic action = /usr/share/samba/panic-action %d
>> require strong key = No
>> allow nt4 crypto = Yes
>> idmap config * : backend = tdb
>> admin users = root dale "@Domain Admins"
>> hosts allow = 192.168.0. 127.
>> ea support = Yes
>> veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>>
>> member server smb.conf
>>
>> [global]
>> workgroup = DOMAIN.COM
>> server string = Samba File Server
>> server role = member server
>> security = DOMAIN
>> allow trusted domains = No
>> map to guest = Bad User
>> obey pam restrictions = Yes
>> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>> *Retype\snew\sUNIX\spassword:* %n\n .
>> map untrusted to domain = Yes
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> name resolve order = wins host bcast
>> client signing = No
>> server signing = No
>> deadtime = 15
>> printcap cache time = 300
>> printcap name = cups
>> wins server = 192.168.0.y
>> ldap admin dn = cn=admin,dc=domain,dc=com
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = yes
>> ldap suffix = dc=domain,dc=com
>> ldap ssl = no
>> ldap user suffix = ou=Users
>> panic action = /usr/share/samba/panic-action %d
>> require strong key = No
>> allow nt4 crypto = Yes
>> admin users = root dale "@Domain Admins"
>> hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
>> ea support = Yes
>> veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>>
>> Connecting to the DC from a Win7 system, I get this:
>>
>> [2016/03/10 18:06:08.234861, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>> check_ntlm_password: authentication for user [dale] -> [dale] ->
>> [dale] succeeded
>> [2016/03/10 18:57:24.235719, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>> check_ntlm_password: authentication for user [dale] -> [dale] ->
>> [dale] succeeded
>> [2016/03/10 19:55:30.516145, 1]
>> ../source3/smbd/process.c:554(receive_smb_talloc)
>> receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read
>> error = NT_STATUS_CONNECTION_RESET.
>> [2016/03/10 19:55:56.746553, 0]
>> ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
>> ../source3/rpc_server/srv_pipe.c:443:
>> auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND
>> [2016/03/10 19:55:56.886317, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>> check_ntlm_password: authentication for user [MASTER$] -> [MASTER$] ->
>> [master$] succeeded
>> [2016/03/10 19:55:56.915982, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>> check_ntlm_password: authentication for user [dale] -> [dale] ->
>> [dale] succeeded
>>
>> Connecting to the DC from a linux desktop, I get this:
>>
>> [2016/03/23 20:56:45.371682, 2]
>> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
>> with error NT_STATUS_WRONG_PASSWORD
>> [2016/03/23 21:06:56.306813, 1]
>> ../source3/smbd/process.c:554(receive_smb_talloc)
>> [2016/03/23 21:06:56.306829, 1]
>> ../source3/smbd/process.c:554(receive_smb_talloc)
>> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 read
>> error = NT_STATUS_CONNECTION_RESET.
>> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 read
>> error = NT_STATUS_CONNECTION_RESET.
>> [2016/03/23 21:06:56.307205, 1]
>> ../source3/smbd/process.c:554(receive_smb_talloc)
>> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 read
>> error = NT_STATUS_CONNECTION_RESET.
>> [2016/03/23 21:06:56.311944, 1]
>> ../source3/smbd/process.c:554(receive_smb_talloc)
>> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 read
>> error = NT_STATUS_CONNECTION_RESET.
>>
>> Connecting to the file server from Win7:
>>
>> [2016/03/23 20:47:16.885244, 6, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>> check_samstrict_security: DOMAIN.COM is not one of my local names
>> (ROLE_DOMAIN_MEMBER)
>> [2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>> check_ntlm_password: sam had nothing to say
>> [2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
>> Check auth for: [dale]
>> [2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
>> check_winbind_security: wbcAuthenticateUserEx failed:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> [2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>> Check auth for: [dale]
>> [2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>> check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
>> [2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>> check_ntlm_password: winbind authentication for user [dale] FAILED with
>> error NT_STATUS_NO_LOGON_SERVERS
>> [2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>>
>> Connecting to the file server from linux system:
>>
>> [2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain)
>> wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
>> [2016/03/15 19:00:08.752144, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:62(make_user_info)
>> attempting to make a user_info for ABORT (ABORT)
>> [2016/03/15 19:00:08.752195, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:70(make_user_info)
>> making strings for ABORT's user_info struct
>> [2016/03/15 19:00:08.752237, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:108(make_user_info)
>> making blobs for ABORT's user_info struct
>> [2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:159(make_user_info)
>> made a user_info for ABORT (ABORT)
>> [2016/03/15 19:00:08.752310, 3, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user [DOMAIN.COM]\[ABORT]@[MASTER2015]
>> with the new password interface
>> [2016/03/15 19:00:08.752350, 3, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>> check_ntlm_password: mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
>> [2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
>> check_ntlm_password: auth_context challenge created by random
>> [2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>> challenge is:
>> [2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>> check_ntlm_password: guest had nothing to say
>> [2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752601, 6, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>> check_samstrict_security: DOMAIN.COM is not one of my local names
>> (ROLE_DOMAIN_MEMBER)
>> [2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>> check_ntlm_password: sam had nothing to say
>> [2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
>> check_winbind_security: wbcAuthenticateUserEx failed:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> [2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752898, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>> check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
>> [2016/03/15 19:00:08.752939, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>> check_ntlm_password: winbind authentication for user [ABORT] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>> [2016/03/15 19:00:08.752997, 2, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [ABORT] -> [ABORT] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>>
>> The winbind error messages are correct, as I use nss_ldap/pam_ldap for
>> authentication, and that works. getent retrieves all ldap users and groups
>> on both DC and member. I can successfully ssh into either the DC or
>> member. Oddly, I can access a share on the DC from the Win7 system, but no
>> other shares.
>>
>> Can anyone spot what I've missed in the upgrade?
>>
>> Thanks,
>> Dale
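Added example, not part of the original thread and not Samba project code: a small Python audit that reads an smb.conf (mail-quote prefixes tolerated) and lists the parameters from the posted configurations that relax netlogon, NTLM, signing, or LDAP transport protection. The rule table, the function names `parse` and `audit`, and the `STRICT` sample are assumptions of this example; the two 4.2 defaults are the ones quoted in the thread.

```python
import re

FALSE, TRUE = {"no", "false", "off", "0"}, {"yes", "true", "on", "1"}

# param -> (weakening value, note). Rule selection is this example's assumption;
# the first two defaults are those quoted from the Samba 4.2 notes in the thread.
RULES = {
    "require strong key": (False, "4.2 default is yes; 'no' is the NT4 / Samba 3.0.37 setting"),
    "allow nt4 crypto": (True, "4.2 default is no; 'yes' admits NT4 / Samba < 3.0.27 members"),
    "client ntlmv2 auth": (False, "client may send NTLM instead of NTLMv2 responses"),
    "client signing": (False, "client does not request SMB signing"),
    "server signing": (False, "server does not offer SMB1 signing"),
    "ldap ssl": (False, "no StartTLS on ldap:// passdb connections"),
}

def norm(name):
    # smb.conf names are case-insensitive; collapse runs of whitespace
    return re.sub(r"\s+", " ", name.strip()).lower()

def parse(text):
    """Return {section: {param: value}}; tolerates '>' mail-quote prefixes."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = norm(m.group(1))
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def audit(text):
    """List (section, param, value, note) for every rule set to its weak value."""
    findings = []
    for section, params in parse(text).items():
        for param, (weak, note) in RULES.items():
            value = params.get(param, "").lower()
            if value in (TRUE if weak else FALSE):
                findings.append((section, param, params[param], note))
    return findings

# Lines taken from the DC smb.conf posted in the thread, quote marks included.
POSTED_DC = ">> [global]\n>> client NTLMv2 auth = No\n>> ldap ssl = no\n>> require strong key = No\n>> allow nt4 crypto = Yes\n"
# Constructed counterpart with the same parameters at their stricter values.
STRICT = "[global]\nclient NTLMv2 auth = Yes\nldap ssl = start tls\nrequire strong key = Yes\nallow nt4 crypto = No\n"
```

In an NT4-style domain some of these findings are deliberate compatibility settings; the output is the list to revisit once the legacy members are gone.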