[Samba] samba as ADS member(s) - virtually identical yet..

Tue Sep 13 12:55:34 UTC 2016

no conf files are the the culprit I'm afraid, not that easy.
I programmatically compared all relevant config files, they 
only differ where they have to, exclude shares and only 
differences are:
dedicated keytab file
netbios name

One peculiarity I spotted is when I rejoin that Samba system:

DNS Update for rider.private.domain.local failed: 
ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

Than again a "but" - all four servers are in the same DNS 
domain, and name resolution seems to work ok, from AD DC 
point of view - it resolves Samba systems names - and from 
Samba's, all Samba's get to AD via DNS. Again - everything 
seems to be fine except for that smbclient on that one 
server fails. Guest can list the shares - but a user with 
password fails.
Even AD DC itself sees & lists that Samba's shares - and if 
on Samba I disable guest auth method - that DC authenticates 
with user+pass fine, apparently!

Version 4.2.10 @ centos 7.2 and AD is Win 2021R2.

thanks
L.

On 13/09/16 12:04, Rowland Penny via samba wrote:
> On Tue, 13 Sep 2016 11:37:39 +0100
> lejeczek via samba <samba at lists.samba.org> wrote:
>
>> hi everyone,
>>
>> .. one of the Sambas fails to authenticate users.
>>
>> I have four virtually identical Samba systems which are
>> configured as AD members.
>> All servers seem fine, I can
>> $ net ads lookup | status | dn | user | testjoin .. and so on.
>>
>> But, problem is that all servers except one can successfully:
>>
>> smbclient -L $(hostname) -UDOM\\user
>>
>> here that one server fails:
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> That one server was the only one which was initially
>> configured as local Samba to IPA domain.
>> But I
>> $ net conf drop
>> and I force config backend = file
>>
>> I'm guessing it's somewhere id database/registry of Samba
>> that prevents successful users authentication/verification.
>>
>> Would you suggest how to troubleshoot it? Without wiping
>> samba/configuration clean.
>> Version 4.2.10
>> I have full access to win AD DC (which I'm not very fluent
>> at) if that helps.
>>
>> many thanks for any help
>> L.
>>
>>
> If only one domain member is giving problems, it is likely to be a
> problem with that computer.
> You could start by comparing the conf files on the non working computer
> with a working computer.
>
> It might help if you give us a bit more info, what OS ?
> post your conf files, we might spot something.
>
> Rowland
>