[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED

Bob Tanner tanner at real-time.com
Fri Apr 21 23:44:26 UTC 2017

ubuntu 16.04
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2

At site1 the above works. My Ubuntu server running samba+sssd can authenticate to the Windows Server 2008 R2 for services like ssh and samba.

At site2, with the same setup as site1, I can authenticate with services like ssh, but samba authentication fails with NT_STATUS_NO_LOGON_SERVERS and/or NT_STATUS_ACCESS_DENIED errors.

    [global]
    workgroup = CORP
    preferred master = no
    wins server =
    server string = samba-2
    security = ADS
    encrypt passwords = true
    obey pam restrictions = yes
    kerberos method = secrets and keytab

    logging = file@5
    log file = /var/log/samba/%m.log
    log level = 5

    max xmit = 16384

    # NO roaming profiles http://melecio.org/node/5
    logon path =
    logon home =
    logon script = %U.bat

    idmap config CORP : backend = ad
    idmap uid = 600-20000
    idmap gid = 600-20000
    template shell = /bin/bash
    template homedir = /var/samba/users/%U

    client signing = yes
    client use spnego = yes
    client ntlmv2 auth = yes
    restrict anonymous = 2

    load printers = no

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
debug_level = 7

id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
ad_hostname = samba-2

# Uncomment if DNS SRV resolution is not working
ad_server = dc-1.corp.celadonsystems.com

# Uncomment if the AD domain is named differently than the Samba domain

# Enumeration is discouraged for performance reasons.
# enumerate = true

$ smbclient -d3 //samba-2/users -U test
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip= bcast= netmask=
Client started (version 4.3.11-Ubuntu).
Enter test's password:
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_wins: using WINS server and tag '*'
resolve_hosts: Attempting host lookup for name samba-2<0x20>
Connecting to at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=
got principal=not_defined_in_RFC4178@please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

https://gist.github.com/basictheprogram/50565b96d435f37fbba17ad75ccb56c3

Bob Tanner <tanner at real-time.com>                                 | Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax      : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7  7785 CBFB 10BF 568B F98C
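As an added example, not part of Bob's message or of the Samba or SSSD projects: the transcript above already says on which side the failure sits, and a small shell helper can pull that out of any `smbclient -dN` run. Assumptions are mine: the sample transcript is constructed from the lines quoted above, and the CLIENT/AUTH/SERVER tags are names invented for the script. The point it encodes: with `security = ADS`, a password logon from smbclient arrives as NTLMSSP (the server offered Kerberos OIDs, but there was no ticket to use), and smbd has to hand that NTLM response to a domain controller for validation through winbindd (or whatever is standing in for it via libwbclient, here sssd). NT_STATUS_NO_LOGON_SERVERS is that pass-through failing on the file server, which is why ssh through sssd's own PAM path can keep working while Samba does not.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba/SSSD.
# Classifies a `smbclient -dN` transcript by plain grep patterns and says
# which side (client, auth mechanism, file server) each symptom points at.

# Constructed sample: the relevant lines from the transcript quoted above.
SAMPLE_LOG='tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
Got NTLMSSP neg_flags=0x62898215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS'

# triage_smbclient_log FILE
# Prints one "TAG  explanation" line per symptom found. Always returns 0 so it
# can sit inside `set -e` scripts; use count_findings for a number.
triage_smbclient_log() {
    log="$1"

    # Client-side noise: smbclient run as a user who cannot open Samba's cache.
    if grep -q 'gencache.tdb.*Permission denied' "$log"; then
        printf 'CLIENT  gencache.tdb not readable by the calling user; rerun as root (or fix /var/cache/samba ownership) to rule it out, it does not itself fail the logon\n'
    fi

    # The server advertised Kerberos (1.2.840.113554.1.2.2 = KRB5) but the
    # client negotiated NTLMSSP, so the file server must validate the NTLM
    # response through a DC rather than checking a ticket locally.
    if grep -q 'got OID=1.2.840.113554.1.2.2' "$log" && grep -q 'NTLMSSP neg_flags' "$log"; then
        printf 'AUTH    Kerberos offered but client used NTLMSSP (password logon, no ticket); the file server must pass the NTLM response to a DC\n'
    fi

    # The pass-through itself failed: this is raised on the file server, not
    # on the client, regardless of where smbclient was run.
    if grep -q 'NT_STATUS_NO_LOGON_SERVERS' "$log"; then
        printf 'SERVER  NT_STATUS_NO_LOGON_SERVERS: the file server could not reach a DC for NTLM pass-through; check winbindd/libwbclient there (wbinfo -P, wbinfo -t, net ads testjoin)\n'
    fi

    # A DC answered and rejected the logon, or the share/idmap rejected the user.
    if grep -q 'NT_STATUS_ACCESS_DENIED' "$log"; then
        printf 'SERVER  NT_STATUS_ACCESS_DENIED: a DC answered and refused the logon, or the share ACL/idmap refused the user; check getent passwd <user> and the share permissions\n'
    fi
    return 0
}

# count_findings FILE: number of findings, for use in scripts and tests.
count_findings() {
    triage_smbclient_log "$1" | grep -c .
}

# Stand-alone run over the constructed sample.
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$sample_file"
triage_smbclient_log "$sample_file"
rm -f "$sample_file"
```

To confirm the split the script reports, take NTLM out of the picture: `kinit test` on the client, then `smbclient -k //samba-2/users`. If the Kerberos logon succeeds, the keytab and DC reachability from samba-2 are fine and the remaining problem is the NTLM pass-through path on samba-2; if it also fails, look at the keytab (`klist -k`) and the machine account (`net ads testjoin`) on samba-2 first.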
