[Samba] AD integration not working after move/version

Henrik Johansson henrikj at henkis.net
Sat Mar 18 15:06:28 UTC 2017


Hi!

I am in a bit of trouble, I have moved a samba installation from one virtual host to another keeping the configuration files and filesystems. But during the transition something broke, now windows users are no longer able to access their shares. I think it has to do with the AD integration. I do not know it it because some state is missing on this host related to the AD integration or if something has changed since the version of samba is higher on the new host. We have the same set of private files also (passed.tbd and secrets.tbd).

Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

Any ides on how to debug this is helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again and authenticate, can I check the status of the integration in any way?

Some error messages I was able to find:

[2017/03/18 15:33:21.544063,  0] auth/auth_domain.c:331(domain_client_validate)  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.554733,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.565235,  0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
  rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.565330,  0] auth/auth_domain.c:331(domain_client_validate)
  domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED


Configuration, with user names and real paths removed, only change otherwise is that we had to change to ISO8859-1 for locale, not the argument “LOCALE” that was not longer supported.

# Global parameters
[global]
        log file = /var/samba/log/clientlog.%m
        dns proxy = No
        acl check permissions = False
        netbios aliases = string1
        server string = string1
        name resolve order = hosts bcast
        realm = DOMAIN.NET
        password server = server3.string1.net sever4.string1.net
#       wins server = x.x.x.x
        local master = no
        workgroup = WGNAME
        os level = 0
        domain master = no
        encrypt passwords = yes
        security = DOMAIN
        unix charset = ISO8859-1
        max log size = 50
        # Fix for not to do lpstat since we don't use printers in Samba
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes


[homes]
        browseable = No
        comment = Home Directories
        writable = yes
        create mode = 775
        directory mode = 775

[string2]
        user = user1,user2
        path = /path/string2
        write list = userx,userx

[string3]
        path = /string3
        read only = Yes
        write list = user3,user4,user5
        create mask = 0760
        force create mode = 0760

[home]
        path = /path/home
        read only = No

[string4]
        path = /path
        read only = Yes
        write list = user9,user10,user11

[string5]
        revalidate = yes
        browseable = no
        writeable = yes
        valid users = @string5, at string6, at string7
        path = /path/path

[string11]
        path = /path/path2/path3
        writeable = yes
        valid users = @string9,string9
        browseable = no
        create mask = 0660
        force group = groupx


[string8]
        comment = Comment1 here
        path = /path/string8
        force group = userx
        valid users = @string10, @string11
        writeable = yes

Thankful for any assistance.



More information about the samba mailing list