[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED

Bob Tanner tanner at real-time.com
Fri Apr 21 23:44:26 UTC 2017


Environment
==========================================================================
ubuntu 16.04
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2

At site1, the above works. My Ubuntu server running samba+sssd can authenticate to the Windows Server 2008 R2 for services like ssh and samba.

At site2, with the same setup as site1, I can authenticate with services like ssh, but samba authentication fails with NT_STATUS_NO_LOGON_SERVERS and/or NT_STATUS_ACCESS_DENIED errors.

smb.conf
==========================================================================
[global]
    workgroup = CORP
    realm = CORP.CELADONSYSTEMS.COM
    preferred master = no
    wins server = 10.77.14.249
    server string = samba-2
    security = ADS
    encrypt passwords = true
    obey pam restrictions = yes
    kerberos method = secrets and keytab

    logging = file at 5
    log file = /var/log/samba/%m.log
    log level = 5

    max xmit = 16384

    # NO roaming profiles http://melecio.org/node/5
    logon path =
    logon home =
    logon script = %U.bat

    idmap config CORP : backend = ad
    idmap uid = 600-20000
    idmap gid = 600-20000
    template shell = /bin/bash
    template homedir = /var/samba/users/%U

    client signing = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2

    load printers = no

sssd.conf
==========================================================================
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
domains = CORP.CELADONSYSTEMS.COM
debug_level = 7

[domain/CORP.CELADONSYSTEMS.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
ad_hostname = samba-2

# Uncomment if DNS SRV resolution is not working
ad_server = dc-1.corp.celadonsystems.com

# Uncomment if the AD domain is named differently than the Samba domain
ad_domain = CORP.CELADONSYSTEMS.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true

==========================================================================
$ smbclient -d3 //samba-2/users -U test
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.77.14.251 bcast=10.77.14.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
Enter test's password:
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_wins: using WINS server 10.77.14.249 and tag '*'
resolve_hosts: Attempting host lookup for name samba-2<0x20>
Connecting to 10.77.14.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

/var/log/samba/10.77.14.251.log
==========================================================================
https://gist.github.com/basictheprogram/50565b96d435f37fbba17ad75ccb56c3

/var/log/sssd/sssd_CORP.CELADONSYSTEMS.COM.log
==========================================================================
https://gist.github.com/basictheprogram/76d5051b6113f4d9f5731ad8a1216349
--
Bob Tanner <tanner at real-time.com>                                 | Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax      : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7  7785 CBFB 10BF 568B F98C
