[Samba] Samba and AD based home shares are visible but not accessible / NT_STATUS_LOGON_FAILURE

Cybulski, Adam M acybulski at albany.edu
Mon Jul 17 12:11:33 UTC 2017


I don't think my emails were going through before, here is an attempt to resend them:


Does anyone have any insight into this? I added the domain admin account to the group that is supposed to have privileges on the linux machine, and this morning I received:

# sudo net rpc rights grant '<DOMAINALIAS>\linuxprojectgroup' SeDiskOperatorPrivilege -U <DOMAINALIAS>\<Domainadmin>
Enter <DOMAINALIAS>\<Domainadmin> password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I added these lines to SMB.conf and restarted the service, but nothing changed:

bind interfaces only = yes
interfaces = lo ens160

-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 12:12 PM
To: 'Rowland Penny' <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible

Ok, here are all the steps I took today. I am still receiving the same issue after following the wiki. Any time I have sanitized something I have put it in <carrots> and tried to maintain the capitalization as it appeared. Everything else is exactly as written or displayed.

Samba reinstall:
Cleanup:
# ps ax | egrep "samba|smbd|nmbd|winbindd"
18562 ?        Ss     1:43 /usr/sbin/nmbd
23030 ?        Ss     0:04 /usr/sbin/winbindd
23031 ?        S      0:01 /usr/sbin/winbindd
23038 ?        S      0:02 /usr/sbin/winbindd
23039 ?        S      0:01 /usr/sbin/winbindd
23041 ?        S      0:00 /usr/sbin/winbindd
23866 pts/3    S+     0:00 grep -E --color=auto samba|smbd|nmbd|winbindd
24590 ?        Ss     0:00 /usr/sbin/smbd
24593 ?        S      0:00 /usr/sbin/smbd
24594 ?        S      0:00 /usr/sbin/smbd
24610 ?        S      0:00 /usr/sbin/smbd

# systemctl stop smb
# systemctl stop nmb
# systemctl stop winbind

Renamed smb.conf to smb.conf.broken

# smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"
   LOCKDIR: /var/lib/samba/lock
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/lib/samba
   PRIVATE_DIR: /var/lib/samba/private

Deleted all .tdb in var/lib/samba plus sub folders lock and private

Kerberos:
krb5.conf:
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = UNIV.<SCHOOL>.EDU
[realms]
 UNIV.<SCHOOL>.EDU = {
 }
 UNIV.<SCHOOL>.EDU = {
  kdc = *
 }
[domain_realm]
 univ.<school>.edu = UNIV.<SCHOOL>.EDU
 .univ.<school>.edu = UNIV.<SCHOOL>.EDU

Time Sync:
I didn't have an ntp.conf file, so I made one to the specs provided, changing DC1&2.samdom.example.com to my DCs' FQDNs.

Local Host name:
# getent hosts
127.0.0.1       localhost localhost.localdomain localhost4 localhost4.localdomain4
<PublicIP>  <hostname>.univ.<school>.edu <HOSTNAME>

I am not using DHCP

Configure Samba:

Made new smb.conf with following information:

[global]
    security = ADS
    workgroup = <DOMAINALIAS>
    realm = UNIV.<SCHOOL>.EDU

    log file = /var/log/samba/%m.log
    log level = 1

    idmap config * : backend = ad
    idmap config * : range = 3000-7999
    username map = /usr/local/samba/etc/smbuser.map
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes


MAPPING DOMAIN ADMIN ACCOUNT: (I think this is where I may have been going wrong. I was using a domain account that is supposed to have admin permissions on this system, but does not have "Domain Join" privileges in our domain. This may cause issues, as there are not supposed to be any accounts that have both admin privileges on this box and domain admin privileges. I have changed this to an account with domain join privileges.)

smbusers.map:
# Unix_name = SMB_Name1 SMB_Name2 ...
!root = <DOMAINALIAS>\<Domainadmin> <DOMAINALIAS>\<domainadmin> <Domainadmin> <domainadmin>
nobody = guest smbguest pcguest

Join the domain:

# net ads join -U <domainadmin>
Enter <domainadmin>'s password:
Using short domain name -- <DOMAINALIAS>
Joined '<HOSTNAME>' to dns domain 'univ.<school>.edu'
DNS Update for <hostname>.univ.<school>.edu failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

The wiki advises I test if dynamic DNS updates are working. I cannot run any commands on the DC; I'm in one department at a university, and this is handled at the University IT level. 10,000 other systems are working fine though.

Configuring NSS:
nsswitch.conf:
passwd:     files sss winbind
shadow:     files sss 
group:      files sss winbind
hosts:      files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:    files nisplus

Starting services: 

# systemctl start winbind
# systemctl start smbd
Failed to start smbd.service: Unit not found.
# systemctl start smb
# systemctl start nmb

Testing: <------- WIKI OUT OF DATE? ------>
# wbinfo --ping-dc
bash: wbinfo: command not found...

Setting up a share:

I have ACL support, and it is in the smb.conf

# net rpc rights grant "<DOMAINALIAS>\<LinuxProjectADGroup>" SeDiskOperatorPrivilege -U "<DOMAINALIAS>\<domainadmin>"
Enter <DOMAINALIAS>\<domainadmin>'s password:
Failed to grant privileges for "<DOMAINALIAS>\<LinuxProjectADGroup>" (NT_STATUS_ACCESS_DENIED)


-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 10:47 AM
To: 'Rowland Penny' <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible

Oh, I ran getent with my <Adminaccount> and it brought back a result which included the domain. So name resolution seems to work. I'm going to start over from the beginning of the wiki now anyway and post up my results.

-----Original Message-----
From: Cybulski, Adam M
Sent: Wednesday, July 12, 2017 10:36 AM
To: Rowland Penny <rpenny at samba.org>
Subject: RE: [Samba] Samba and AD based home shares are visible but not accessible

>sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin I constantly get:
>This clearly shows a user called 'admin'

Well I'm not going to tell you the name of one of my domain admin accounts 😊 I guess we're both getting confused on what's been replaced. I'll try to carrot out my variables in the future. 

I read the Wiki, I was working through it, some steps have already been done though, like joining the domain, so when I do them again with Samba and Winbind, they fail. I'll try it all again and let you know where I get stuck. 

Adam


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: Tuesday, July 11, 2017 4:23 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba and AD based home shares are visible but not accessible

On Tue, 11 Jul 2017 20:03:33 +0000
"Cybulski, Adam M" <acybulski at albany.edu> wrote:

> Thanks Roland, I'm giving it a go with winbind. Do I have to remove 
> SSSD and drop off the domain to make it work?

I would do both.
> I've tried following
> the steps to join as a member server, but it's not gone that smoothly. 
> I may try from the beginning with a second server.

What steps are you following ?
Have you read the Samba wiki ?

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> One of the things I've been struggling with is knowing when 
> instructions want me to replace something with my environments 
> settings and when it needs to be typed as written.

Yes, it can sometimes be confusing ;-)
If you follow the Samba wiki and don't understand something, please ask, the only dumb question is the one you do not ask. It is also a two way street, if you don't understand something, chances are that others don't understand it either, so we need to make it clearer on the wiki.

> 
> Getent passwd admin does not return anything, but I don't know why it 
> would, I have no account named Admin, neither on the Linux box, nor in 
> my domain. Why would I map an account that doesn't exist?
> 

I asked because you posted this:

sudo net rpc rights grant 'domain\linuxproject' SeDiskOperatorPrivilege -U domain\admin I constantly get:

This clearly shows a user called 'admin'

Rowland
