[Samba] Samba and AD based home shares are visible but not accessible / NT_STATUS_LOGON_FAILURE
Cybulski, Adam M
acybulski at albany.edu
Mon Jul 17 12:11:33 UTC 2017
I don't think my emails were going through before, here is an attempt to resend them:
Does anyone have any insight into this? I added the domain admin account to the group that is supposed to have privileges on the linux machine, and this morning I received:
# sudo net rpc rights grant '<DOMAINALIAS>\linuxprojectgroup' SeDiskOperatorPrivilege -U <DOMAINALIAS>\<Domainadmin>
Enter <DOMAINALIAS>\<Domainadmin> password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
I added these lines to smb.conf and restarted the service, but nothing changed:
bind interfaces only = yes
interfaces = lo ens160
-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 12:12 PM
To: 'Rowland Penny' <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible
OK, here are all the steps I took today; I am still receiving the same issue after following the wiki. Any time I have sanitized something I have put it in <carrots> and tried to maintain the capitalization as it appeared. Everything else is exactly as written or displayed.
Samba reinstall:
Cleanup:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
18562 ? Ss 1:43 /usr/sbin/nmbd
23030 ? Ss 0:04 /usr/sbin/winbindd
23031 ? S 0:01 /usr/sbin/winbindd
23038 ? S 0:02 /usr/sbin/winbindd
23039 ? S 0:01 /usr/sbin/winbindd
23041 ? S 0:00 /usr/sbin/winbindd
23866 pts/3 S+ 0:00 grep -E --color=auto samba|smbd|nmbd|winbindd
24590 ? Ss 0:00 /usr/sbin/smbd
24593 ? S 0:00 /usr/sbin/smbd
24594 ? S 0:00 /usr/sbin/smbd
24610 ? S 0:00 /usr/sbin/smbd
# systemctl stop smb
# systemctl stop nmb
# systemctl stop winbind
Renamed smb.conf to smb.conf.broken
# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
LOCKDIR: /var/lib/samba/lock
STATEDIR: /var/lib/samba
CACHEDIR: /var/lib/samba
PRIVATE_DIR: /var/lib/samba/private
Deleted all .tdb files in /var/lib/samba plus the subfolders lock and private
Kerberos:
krb5.conf:
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = UNIV.<SCHOOL>.EDU
[realms]
UNIV.<SCHOOL>.EDU = {
}
UNIV.<SCHOOL>.EDU = {
kdc = *
}
[domain_realm]
univ.<school>.edu = UNIV.<SCHOOL>.EDU
.univ.<school>.edu = UNIV.<SCHOOL>.EDU
Time Sync:
I didn't have an ntp.conf file, so I made one to the specs provided, changing DC1&2.samdom.example.com to my DCs' FQDNs.
Local Host name:
# getent hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
<PublicIP> <hostname>.univ.<school>.edu <HOSTNAME>
I am not using DHCP
Configure Samba:
Made new smb.conf with following information:
[global]
security = ADS
workgroup = <DOMAINALIAS>
realm = UNIV.<SCHOOL>.EDU
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = ad
idmap config * : range = 3000-7999
username map = /usr/local/samba/etc/smbuser.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
MAPPING DOMAIN ADMIN ACCOUNT: (I think this is where I may have been going wrong. I was using a domain account that is supposed to have admin permissions on this system, but does not have "Domain Join" privileges in our domain. This may cause issues, as there are not supposed to be any accounts that have both admin privileges on this box and domain admin privileges. I have changed this to an account with domain join privileges.)
smbusers.map:
# Unix_name = SMB_Name1 SMB_Name2 ...
! root = <DOMAINALIAS>\<Domainadmin> <DOMAINALIAS>\<domainadmin> <Domainadmin> <domainadmin>
nobody = guest smbguest pcguest
Join the domain:
# net ads join -U <domainadmin>
Enter <domainadmin>'s password:
Using short domain name -- <DOMAINALIAS>
Joined '<HOSTNAME>' to dns domain 'univ.<school>.edu'
DNS Update for <hostname>.univ.<school>.edu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
The wiki advises I test if dynamic DNS updates are working. I cannot run any commands on the DC; I'm in one department at a university, and this is handled at the University IT level. 10,000 other systems are working fine though.
Configuring NSS:
nsswitch.conf:
passwd: files sss winbind
shadow: files sss
group: files sss winbind
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
Starting services:
# systemctl start winbind
# systemctl start smbd
Failed to start smbd.service: Unit not found.
# systemctl start smb
# systemctl start nmb
Testing: <-------WIKI OUT OF DATE? ----->
# wbinfo --ping-dc
bash: wbinfo: command not found...
Setting up a share:
I have ACL support, and it is in the smb.conf
# net rpc rights grant "<DOMAINALIAS>\<LinuxProjectADGroup>" SeDiskOperatorPrivilege -U "<DOMAINALIAS>\<domainadmin>"
Enter <DOMAINALIAS>\<domainadmin>’s password:
Failed to grant privileges for "<DOMAINALIAS>\<LinuxProjectADGroup>" (NT_STATUS_ACCESS_DENIED)
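As an added example (not part of this thread and not Samba project code), here is a small Python linter that applies the domain-member sanity checks the wiki walkthrough above turns on: security/realm/workgroup present, an idmap stanza for the default "*" domain and a separate one for the AD domain, non-overlapping idmap ranges, and winbind (without sss) in the passwd and group lines of nsswitch.conf, which is the "remove SSSD" advice given later in the thread. The sample smb.conf and nsswitch.conf are constructed here, modelled on the ones posted above with EXAMPLEDOM and UNIV.EXAMPLE.EDU as placeholder names; the check on `idmap config * : backend = ad` assumes the wiki's layout (tdb for "*", a second stanza for the named domain).

```python
import re

# Constructed sample inputs, modelled on the configs posted in the thread
# (placeholder domain names; not the poster's real files).
SMB_CONF = """\
[global]
security = ADS
workgroup = EXAMPLEDOM
realm = UNIV.EXAMPLE.EDU
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = ad
idmap config * : range = 3000-7999
username map = /usr/local/samba/etc/smbuser.map
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
"""
NSSWITCH = """\
passwd: files sss winbind
shadow: files sss
group: files sss winbind
hosts: files dns myhostname
"""

# Constructed corrected versions following the wiki layout this thread points to.
SMB_CONF_FIXED = """\
[global]
security = ADS
workgroup = EXAMPLEDOM
realm = UNIV.EXAMPLE.EDU
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLEDOM : backend = ad
idmap config EXAMPLEDOM : range = 10000-999999
"""
NSSWITCH_FIXED = "passwd: files winbind\ngroup: files winbind\n"

IDMAP_RE = re.compile(r"^idmap config\s*(.+?)\s*:\s*(backend|range)$")


def parse_smb_conf(text):
    """Minimal smb.conf parser: sections of key = value, case/space-insensitive keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs


def idmap_domains(global_sec):
    """Collect {DOMAIN: {'backend': ..., 'range': ...}} from the idmap config keys."""
    doms = {}
    for key, value in global_sec.items():
        m = IDMAP_RE.match(key)
        if m:
            doms.setdefault(m.group(1).upper(), {})[m.group(2)] = value
    return doms


def parse_range(text):
    lo, hi = (int(x) for x in text.split("-"))
    return lo, hi


def lint(smb_text, nss_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    g = parse_smb_conf(smb_text).get("global", {})
    if g.get("security", "").upper() != "ADS":
        findings.append("security must be ADS for an AD domain member")
    for p in ("realm", "workgroup"):
        if p not in g:
            findings.append(f"{p} is not set")
    doms = idmap_domains(g)
    default = doms.get("*", {})
    if "backend" not in default or "range" not in default:
        findings.append("idmap config * needs both a backend and a range")
    elif default["backend"].lower() == "ad":
        findings.append("idmap config * uses the ad backend; the wiki uses tdb for '*' "
                        "and a separate ad/rid stanza for the named domain")
    wg = g.get("workgroup", "").upper()
    if wg and wg not in doms:
        findings.append(f"no idmap config stanza for domain {wg}")
    # Every domain needs its own non-overlapping ID range.
    ranges = {d: parse_range(c["range"]) for d, c in doms.items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    nss = parse_nsswitch(nss_text)
    for db in ("passwd", "group"):
        srcs = nss.get(db, [])
        if "winbind" not in srcs:
            findings.append(f"nsswitch {db}: winbind missing")
        if "sss" in srcs:
            findings.append(f"nsswitch {db}: sss listed alongside winbind (remove SSSD on a winbind member)")
    return findings


if __name__ == "__main__":
    for label, smb, nss in (("posted", SMB_CONF, NSSWITCH), ("fixed", SMB_CONF_FIXED, NSSWITCH_FIXED)):
        print(f"== {label} ==")
        for f in lint(smb, nss) or ["ok"]:
            print(" -", f)
```

Run it against real files with `lint(open("/etc/samba/smb.conf").read(), open("/etc/nsswitch.conf").read())`; the parser is deliberately minimal (no `include =` handling), so treat it as a first pass before `testparm`, not a replacement for it.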
-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 10:47 AM
To: 'Rowland Penny' <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible
Oh, I ran getent with my <Adminaccount> and it brought back a result which included the domain. So name resolution seems to work. I'm going to start over from the beginning of the wiki now any way and post up my results.
-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 10:36 AM
To: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible
> sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin
> I constantly get:
>This clearly shows a user called 'admin'
Well I'm not going to tell you the name of one of my domain admin accounts 😊 I guess we're both getting confused on what's been replaced. I'll try to carrot out my variables in the future.
I read the Wiki, I was working through it, some steps have already been done though, like joining the domain, so when I do them again with Samba and Winbind, they fail. I'll try it all again and let you know where I get stuck.
Adam
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, July 11, 2017 4:23 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba and AD based home shares are visible but not accessible
On Tue, 11 Jul 2017 20:03:33 +0000
"Cybulski, Adam M" <acybulski at albany.edu> wrote:
> Thanks Rowland, I'm giving it a go with winbind. Do I have to remove
> SSSD and drop off the domain to make it work?
I would do both.
> I've tried following
> the steps to join as a member server, but it's not gone that smoothly.
> I may try from the beginning with a second server.
What steps are you following ?
Have you read the Samba wiki ?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> One of the things I've been struggling with is knowing when
> instructions want me to replace something with my environments
> settings and when it needs to be typed as written.
Yes, it can sometimes be confusing ;-)
If you follow the Samba wiki and don't understand something, please ask, the only dumb question is the one you do not ask. It is also a two way street, if you don't understand something, chances are that others don't understand it either, so we need to make it clearer on the wiki.
>
> Getent passwd admin does not return anything, but I don't know why it
> would, I have no account named Admin, neither on the Linux box, nor in
> my domain. Why would I map an account that doesn't exist?
>
I asked because you posted this:
sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin
I constantly get:
This clearly shows a user called 'admin'
Rowland