[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED
Bob Tanner
tanner at real-time.com
Fri Apr 21 23:44:26 UTC 2017
Environment
==========================================================================
Ubuntu 16.04
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2
At site1 the above works. My Ubuntu server running samba+sssd can authenticate to the Windows Server 2008 R2 for services like ssh and samba.
At site2, with the same setup as site1, I can authenticate to services like ssh, but samba authentication fails with NT_STATUS_NO_LOGON_SERVERS and/or NT_STATUS_ACCESS_DENIED errors.
smb.conf
==========================================================================
[global]
workgroup = CORP
realm = CORP.CELADONSYSTEMS.COM
preferred master = no
wins server = 10.77.14.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab
logging = file@5
log file = /var/log/samba/%m.log
log level = 5
max xmit = 16384
# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat
idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
template homedir = /var/samba/users/%U
client signing = yes
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
load printers = no
sssd.conf
==========================================================================
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7
[pam]
reconnection_retries = 3
# debug_level = 7
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
domains = CORP.CELADONSYSTEMS.COM
debug_level = 7
[domain/CORP.CELADONSYSTEMS.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u
# Uncomment if the client machine hostname doesn't match the computer object on the DC.
ad_hostname = samba-2
# Uncomment if DNS SRV resolution is not working
ad_server = dc-1.corp.celadonsystems.com
# Uncomment if the AD domain is named differently than the Samba domain
ad_domain = CORP.CELADONSYSTEMS.COM
# Enumeration is discouraged for performance reasons.
# enumerate = true
==========================================================================
$ smbclient -d3 //samba-2/users -U test
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.77.14.251 bcast=10.77.14.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
Enter test's password:
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_wins: using WINS server 10.77.14.249 and tag '*'
resolve_hosts: Attempting host lookup for name samba-2<0x20>
Connecting to 10.77.14.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS
/var/log/samba/10.77.14.251.log
==========================================================================
https://gist.github.com/basictheprogram/50565b96d435f37fbba17ad75ccb56c3
/var/log/sssd/sssd_CORP.CELADONSYSTEMS.COM.log
==========================================================================
https://gist.github.com/basictheprogram/76d5051b6113f4d9f5731ad8a1216349
--
Bob Tanner <tanner at real-time.com> | Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7 7785 CBFB 10BF 568B F98C
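Added example, not part of the post above and not Samba's or SSSD's own code: a small linter for the smb.conf / sssd.conf pair posted. It runs over constructed copies of the posted settings, trimmed to the lines it inspects, and encodes three rules from smb.conf(5), idmap_ad(8) and sssd.conf(5): every "idmap config DOM : backend" needs a matching "idmap config DOM : range" (winbindd otherwise logs "idmap range not specified" and leaves that domain unmapped), "idmap uid" / "idmap gid" are deprecated in favour of "idmap config * : range", and a key repeated inside one sssd.conf section is ambiguous. It also cross-checks that the sssd domain's ad_domain is the realm smb.conf joins. It checks static configuration only; it cannot tell whether the winbind pipe that smbd uses for the NTLMSSP session setup seen in the trace is actually being served (by winbindd, or by sssd through libwbclient-sssd), which is what running "wbinfo -t" and "wbinfo -u" on both sites would show.

```python
"""Added example, not from the post and not Samba's or SSSD's own code: a linter for
the smb.conf / sssd.conf pair shown above, run over constructed copies of the posted
settings trimmed to the lines it inspects."""
import re

SMB_CONF = """\
[global]
realm = CORP.CELADONSYSTEMS.COM
security = ADS
idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
"""

SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam, pac
config_file_version = 2
domains = CORP.CELADONSYSTEMS.COM
[domain/CORP.CELADONSYSTEMS.COM]
id_provider = ad
ad_domain = CORP.CELADONSYSTEMS.COM
"""


def parse_ini(text):
    """Order-preserving parse that keeps duplicates: {section: [(key, value), ...]}.
    Keys are lower-cased with spaces around ':' dropped, so 'idmap config CORP : backend'
    and 'idmap config corp:backend' compare equal, as they do for Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
        sections[current].append((key, value.strip()))
    return sections


def lint_smb_conf(text):
    """Static idmap checks that winbindd would otherwise only report at runtime."""
    findings = []
    g = dict(parse_ini(text).get("global", []))
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("error: security = ADS requires realm")
    for legacy in ("idmap uid", "idmap gid"):
        if legacy in g:
            findings.append(f"warn: '{legacy}' is deprecated; use 'idmap config * : range'")
    per_domain = {}  # domain -> {"backend": ..., "range": ...}
    for key, value in g.items():
        m = re.match(r"^idmap config (.+):(backend|range)$", key)
        if m:
            per_domain.setdefault(m.group(1), {})[m.group(2)] = value
    for dom, cfg in per_domain.items():
        if "backend" in cfg and "range" not in cfg:
            findings.append(f"error: idmap config {dom} : backend = {cfg['backend']} has no "
                            f"'idmap config {dom} : range'; winbindd logs 'idmap range not "
                            f"specified' and does not map that domain")
    if per_domain and "*" not in per_domain:
        findings.append("warn: no 'idmap config * : backend' / 'idmap config * : range'; "
                        "BUILTIN and foreign-domain SIDs have no default mapping")
    return findings


def lint_sssd_conf(text):
    """Duplicate keys within a section, and domains listed without a [domain/...] section."""
    findings = []
    sections = parse_ini(text)
    for name, items in sections.items():
        seen = set()
        for key, _ in items:
            if key in seen:
                findings.append(f"error: duplicate key '{key}' in [{name}]")
            seen.add(key)
    main = dict(sections.get("sssd", []))
    for dom in (d.strip() for d in main.get("domains", "").split(",")):
        if dom and f"domain/{dom}" not in sections:
            findings.append(f"error: domain '{dom}' listed but [domain/{dom}] is missing")
    return findings


def lint_pair(smb_text, sssd_text):
    """Both files, plus a cross-check that sssd's ad_domain is the realm smb.conf joins."""
    findings = lint_smb_conf(smb_text) + lint_sssd_conf(sssd_text)
    realm = dict(parse_ini(smb_text).get("global", [])).get("realm", "").lower()
    for name, items in parse_ini(sssd_text).items():
        if name.startswith("domain/"):
            ad_domain = (dict(items).get("ad_domain") or name[len("domain/"):]).lower()
            if realm and ad_domain != realm:
                findings.append(f"warn: [{name}] ad_domain {ad_domain} != smb.conf realm {realm}")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_pair(SMB_CONF, SSSD_CONF)))
```

Run against the posted pair it reports the missing CORP range, the two deprecated idmap keys, the absent "*" default, and the repeated config_file_version; against a corrected smb.conf with "idmap config * : backend = tdb", "idmap config * : range = 3000-7999", "idmap config CORP : range = 10000-999999" and the legacy keys removed it reports nothing. The range values in that corrected form are illustrative, not taken from the post.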