[Samba] no logon server

Dale Schroeder dale at BriannasSaladDressing.com
Tue Mar 29 14:06:18 UTC 2016


Thanks for responding, Nicholas!

No, I didn't include anything about DNS, but it seems to be working 
correctly.  I have a BIND9 master for the domain's zone on the PDC and a 
slave on a different system.  Zone changes are propagating to the slave 
from the master.  Hosts have no trouble finding each other.  DHCP is on 
the PDC and is updating records in BIND.  WINS is on the PDC and has 
records for all systems, so that part of smb.conf is working.

I don't have a Windows server on which to try a join, but I doubt it 
would work.  Thinking that maybe a corrupted join was the problem, I 
attempted to have a Linux system leave the domain to try to rejoin, but 
even leaving was not possible because it was unable to find the logon 
server.

What DNS management tool did you specifically want me to use to check DNS?

If you notice in smb.conf on the systems, I did reorder 'name resolve 
order' to list wins first.  I don't know if that is a big deal or not.

It feels as if there is another option to set on the PDC, but I can't 
seem to find any more listed.

Dale


On 03/28/2016 5:55 PM, Nicholas Rudd wrote:
>
> You may have included this in another email; however, I will ask anyway: 
> did you set DNS to your server in the Linux and Windows clients? Can 
> you check if a Windows Server can join? Can you use DNS management to 
> check the DNS on your Samba server?
>
> On Mar 28, 2016 2:15 PM, "Dale Schroeder" <dale at briannassaladdressing.com> wrote:
>
>     No takers thus far.  These are the Samba 4.2 changes to which I
>     previously referred
>     (https://www.samba.org/samba/history/samba-4.2.0.html) :
>
>         For the client side we have the following new options:
>         "require strong key" (yes by default), "reject md5 servers"
>         (no by default).
>         E.g. for Samba 3.0.37 you need "require strong key = no" and
>         for NT4 DCs you need "require strong key = no" and
>         "client NTLMv2 auth = no",
>
>         On the server side (as domain controller) we have the
>         following new options:
>         "allow nt4 crypto" (no by default), "reject md5 client" (no by
>         default).
>         E.g. in order to allow Samba < 3.0.27 or NT4 members to work
>         you need "allow nt4 crypto = yes"
>
>     I believe I have applied them correctly, but have not had any
>     success to date.  All member servers are Debian Jessie or Stretch,
>     and the Windows systems are all Win7.
>
>     Can anyone please advise as to why the clients see no logon server?
>
>     Thanks,
>     Dale
>
>
>     On 03/24/2016 1:34 PM, Dale Schroeder wrote:
>
>         I have an NT domain on Debian Stretch.  It's been upgraded
>         numerous times, but has been running for almost a decade.
>         Since upgrading from 4.1.17 to 4.3.3 (huge Debian jump), then
>         to 4.3.6, clients cannot connect to shares.  Prior to
>         upgrading, I found the changes mentioned for 4.2 regarding NT
>         domains and applied them.  Even so, I still cannot connect to
>         network shares nor print to network printers.
>
>         smb.conf for DC
>
>         [global]
>             workgroup = DOMAIN.COM
>             server string = Samba PDC
>             map to guest = Bad User
>             passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
>             passwd program = /usr/bin/passwd %u
>             passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>             client NTLMv2 auth = No
>             log file = /var/log/samba/log.%m
>             max log size = 1000
>             name resolve order = wins host bcast
>             time server = Yes
>             deadtime = 15
>             load printers = No
>             add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>             delete user script = /usr/sbin/smbldap-userdel '%u'
>             add group script = /usr/sbin/smbldap-groupadd -p '%g'
>             delete group script = /usr/sbin/smbldap-groupdel '%g'
>             add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>             delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>             set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>             add machine script = /usr/sbin/smbldap-useradd -w '%u'
>             shutdown script = /sbin/shutdown -h now
>             abort shutdown script = /sbin/shutdown -c
>             logon script = %U.bat
>             logon path = ""
>             logon drive = U:
>             logon home = \\am1100\users\%U
>             domain logons = Yes
>             os level = 65
>             preferred master = Yes
>             domain master = Yes
>             wins support = Yes
>             ldap admin dn = cn=admin,dc=domain,dc=com
>             ldap group suffix = ou=Groups
>             ldap idmap suffix = ou=Idmap
>             ldap machine suffix = ou=Computers
>             ldap passwd sync = yes
>             ldap suffix = dc=domain,dc=com
>             ldap ssl = no
>             ldap user suffix = ou=Users
>             panic action = /usr/share/samba/panic-action %d
>             require strong key = No
>             allow nt4 crypto = Yes
>             idmap config * : backend = tdb
>             admin users = root dale "@Domain Admins"
>             hosts allow = 192.168.0. 127.
>             ea support = Yes
>             veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>             map archive = No
>             map readonly = no
>             store dos attributes = Yes
>
>         member server smb.conf
>
>         [global]
>             workgroup = DOMAIN.COM
>             server string = Samba File Server
>             server role = member server
>             security = DOMAIN
>             allow trusted domains = No
>             map to guest = Bad User
>             obey pam restrictions = Yes
>             passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
>             passwd program = /usr/bin/passwd %u
>             passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
>             map untrusted to domain = Yes
>             log file = /var/log/samba/log.%m
>             max log size = 1000
>             name resolve order = wins host bcast
>             client signing = No
>             server signing = No
>             deadtime = 15
>             printcap cache time = 300
>             printcap name = cups
>             wins server = 192.168.0.y
>             ldap admin dn = cn=admin,dc=domain,dc=com
>             ldap group suffix = ou=Groups
>             ldap idmap suffix = ou=Idmap
>             ldap machine suffix = ou=Computers
>             ldap passwd sync = yes
>             ldap suffix = dc=domain,dc=com
>             ldap ssl = no
>             ldap user suffix = ou=Users
>             panic action = /usr/share/samba/panic-action %d
>             require strong key = No
>             allow nt4 crypto = Yes
>             admin users = root dale "@Domain Admins"
>             hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
>             ea support = Yes
>             veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
>             map archive = No
>             map readonly = no
>             store dos attributes = Yes
>
>         Connecting to the DC from a Win7 system, I get this:
>
>         [2016/03/10 18:06:08.234861,  2]
>         ../source3/auth/auth.c:305(auth_check_ntlm_password)
>           check_ntlm_password:  authentication for user [dale] ->
>         [dale] -> [dale] succeeded
>         [2016/03/10 18:57:24.235719,  2]
>         ../source3/auth/auth.c:305(auth_check_ntlm_password)
>           check_ntlm_password:  authentication for user [dale] ->
>         [dale] -> [dale] succeeded
>         [2016/03/10 19:55:30.516145,  1]
>         ../source3/smbd/process.c:554(receive_smb_talloc)
>           receive_smb_raw_talloc failed for client
>         ipv4:192.168.0.3:49899 read error =
>         NT_STATUS_CONNECTION_RESET.
>         [2016/03/10 19:55:56.746553,  0]
>         ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
>           ../source3/rpc_server/srv_pipe.c:443:
>         auth_generic_server_authtype_start[68/6] failed:
>         NT_STATUS_NOT_FOUND
>         [2016/03/10 19:55:56.886317,  2]
>         ../source3/auth/auth.c:305(auth_check_ntlm_password)
>           check_ntlm_password:  authentication for user [MASTER$] ->
>         [MASTER$] -> [master$] succeeded
>         [2016/03/10 19:55:56.915982,  2]
>         ../source3/auth/auth.c:305(auth_check_ntlm_password)
>           check_ntlm_password:  authentication for user [dale] ->
>         [dale] -> [dale] succeeded
>
>         Connecting to the DC from a Linux desktop, I get this:
>
>         [2016/03/23 20:56:45.371682,  2]
>         ../source3/auth/auth.c:315(auth_check_ntlm_password)
>           check_ntlm_password:  Authentication for user [dale] ->
>         [dale] FAILED with error NT_STATUS_WRONG_PASSWORD
>         [2016/03/23 21:06:56.306813,  1]
>         ../source3/smbd/process.c:554(receive_smb_talloc)
>         [2016/03/23 21:06:56.306829,  1]
>         ../source3/smbd/process.c:554(receive_smb_talloc)
>           receive_smb_raw_talloc failed for client
>         ipv4:192.168.0.15:43982 read error
>         = NT_STATUS_CONNECTION_RESET.
>           receive_smb_raw_talloc failed for client
>         ipv4:192.168.0.15:44055 read error
>         = NT_STATUS_CONNECTION_RESET.
>         [2016/03/23 21:06:56.307205,  1]
>         ../source3/smbd/process.c:554(receive_smb_talloc)
>           receive_smb_raw_talloc failed for client
>         ipv4:192.168.0.15:43805 read error
>         = NT_STATUS_CONNECTION_RESET.
>         [2016/03/23 21:06:56.311944,  1]
>         ../source3/smbd/process.c:554(receive_smb_talloc)
>           receive_smb_raw_talloc failed for client
>         ipv4:192.168.0.15:44638 read error
>         = NT_STATUS_CONNECTION_RESET.
>
>         Connecting to the file server from Win7:
>
>         [2016/03/23 20:47:16.885244,  6, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>           check_samstrict_security: DOMAIN.COM is
>         not one of my local names (ROLE_DOMAIN_MEMBER)
>         [2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:233(auth_check_ntlm_password)
>           check_ntlm_password: sam had nothing to say
>         [2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_winbind.c:50(check_winbind_security)
>           Check auth for: [dale]
>         [2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_winbind.c:105(check_winbind_security)
>           check_winbind_security: wbcAuthenticateUserEx failed:
>         WBC_ERR_WINBIND_NOT_AVAILABLE
>         [2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>           Check auth for: [dale]
>         [2016/03/23 20:47:16.885544,  5, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>           check_ntdomain_security: unable to locate a DC for domain
>         DOMAIN.COM
>         [2016/03/23 20:47:16.885584,  5, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:252(auth_check_ntlm_password)
>           check_ntlm_password: winbind authentication for user [dale]
>         FAILED with error NT_STATUS_NO_LOGON_SERVERS
>         [2016/03/23 20:47:16.885646,  2, pid=10907, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:315(auth_check_ntlm_password)
>           check_ntlm_password:  Authentication for user [dale] ->
>         [dale] FAILED with error NT_STATUS_NO_LOGON_SERVERS
>
>         Connecting to the file server from a Linux system:
>
>         [2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_util.c:1548(is_trusted_domain)
>           wb_is_trusted_domain returned error:
>         WBC_ERR_WINBIND_NOT_AVAILABLE
>         [2016/03/15 19:00:08.752144,  5, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/user_info.c:62(make_user_info)
>           attempting to make a user_info for ABORT (ABORT)
>         [2016/03/15 19:00:08.752195,  5, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/user_info.c:70(make_user_info)
>           making strings for ABORT's user_info struct
>         [2016/03/15 19:00:08.752237,  5, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/user_info.c:108(make_user_info)
>           making blobs for ABORT's user_info struct
>         [2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/user_info.c:159(make_user_info)
>           made a user_info for ABORT (ABORT)
>         [2016/03/15 19:00:08.752310,  3, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:178(auth_check_ntlm_password)
>           check_ntlm_password:  Checking password for unmapped user
>         [DOMAIN.COM]\[ABORT]@[MASTER2015] with the
>         new password interface
>         [2016/03/15 19:00:08.752350,  3, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:181(auth_check_ntlm_password)
>           check_ntlm_password:  mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
>         [2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:190(auth_check_ntlm_password)
>           check_ntlm_password: auth_context challenge created by random
>         [2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:192(auth_check_ntlm_password)
>           challenge is:
>         [2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_builtin.c:44(check_guest_security)
>           Check auth for: [ABORT]
>         [2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:233(auth_check_ntlm_password)
>           check_ntlm_password: guest had nothing to say
>         [2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
>           Check auth for: [ABORT]
>         [2016/03/15 19:00:08.752601,  6, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>           check_samstrict_security: DOMAIN.COM is
>         not one of my local names (ROLE_DOMAIN_MEMBER)
>         [2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:233(auth_check_ntlm_password)
>           check_ntlm_password: sam had nothing to say
>         [2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_winbind.c:50(check_winbind_security)
>           Check auth for: [ABORT]
>         [2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_winbind.c:105(check_winbind_security)
>           check_winbind_security: wbcAuthenticateUserEx failed:
>         WBC_ERR_WINBIND_NOT_AVAILABLE
>         [2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>           Check auth for: [ABORT]
>         [2016/03/15 19:00:08.752898,  5, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>           check_ntdomain_security: unable to locate a DC for domain
>         DOMAIN.COM
>         [2016/03/15 19:00:08.752939,  5, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:252(auth_check_ntlm_password)
>           check_ntlm_password: winbind authentication for user [ABORT]
>         FAILED with error NT_STATUS_NO_LOGON_SERVERS
>         [2016/03/15 19:00:08.752997,  2, pid=30212, effective(0, 0),
>         real(0, 0), class=auth]
>         ../source3/auth/auth.c:315(auth_check_ntlm_password)
>           check_ntlm_password:  Authentication for user [ABORT] ->
>         [ABORT] FAILED with error NT_STATUS_NO_LOGON_SERVERS
>
>         The winbind error messages are correct, as I use
>         nss_ldap/pam_ldap for authentication, and that works. getent
>         retrieves all LDAP users and groups on both DC and member.  I
>         can successfully ssh into either the DC or member.  Oddly, I
>         can access a share on the DC from the Win7 system, but no
>         other shares.
>
>         Can anyone spot what I've missed in the upgrade?
>
>         Thanks,
>         Dale
>
>
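
The Samba 4.2 options quoted in the thread, checked against an smb.conf, as an added example that is not part of the original messages or Samba's own code: it reports which of those options in `[global]` are set away from their defaults and which side the release notes assign them to. The `client NTLMv2 auth` default (yes) is an assumption taken from smb.conf(5) rather than the thread, and the sample configuration is a constructed reduction of the DC configuration above.

```python
# Added example. name -> (side named in the 4.2 release notes, default value)
DEFAULTS = {
    "require strong key": ("client", True),
    "reject md5 servers": ("client", False),
    "allow nt4 crypto": ("server", False),
    "reject md5 client": ("server", False),
    # Assumption: default taken from smb.conf(5), not from the thread.
    "client NTLMv2 auth": ("client", True),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return "".join(name.split()).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1]
        elif not line or line[0] in "#;":
            continue
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def audit(text):
    """List (option, side, configured, default) for non-default booleans."""
    params, findings = parse_global(text), []
    for name, (side, default) in DEFAULTS.items():
        value = params.get(norm(name), "").lower()
        if value in TRUE | FALSE and (value in TRUE) != default:
            findings.append((name, side, value in TRUE, default))
    return findings

# Constructed sample, reduced from the DC smb.conf quoted in the thread.
SAMPLE_DC = """[global]
    workgroup = DOMAIN.COM
    client NTLMv2 auth = No
    domain logons = Yes
    require strong key = No
    allow nt4 crypto = Yes
"""

if __name__ == "__main__":
    for name, side, configured, default in audit(SAMPLE_DC):
        print(f"{name} = {configured} (default {default}, {side} side)")
```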


