[Samba] AD integration not working after move/version
Henrik Johansson
henrikj at henkis.net
Sat Mar 18 15:06:28 UTC 2017
Hi!
I am in a bit of trouble, I have moved a samba installation from one virtual host to another keeping the configuration files and filesystems. But during the transition something broke, now windows users are no longer able to access their shares. I think it has to do with the AD integration. I do not know it it because some state is missing on this host related to the AD integration or if something has changed since the version of samba is higher on the new host. We have the same set of private files also (passed.tbd and secrets.tbd).
Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.
Any ides on how to debug this is helpful, I know very little about AD integration, perhaps the virtual host needs to join the domain again and authenticate, can I check the status of the integration in any way?
Some error messages I was able to find:
[2017/03/18 15:33:21.544063, 0] auth/auth_domain.c:331(domain_client_validate) domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.554733, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.565235, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.565330, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED
Configuration, with user names and real paths removed, only change otherwise is that we had to change to ISO8859-1 for locale, not the argument “LOCALE” that was not longer supported.
# Global parameters
[global]
log file = /var/samba/log/clientlog.%m
dns proxy = No
acl check permissions = False
netbios aliases = string1
server string = string1
name resolve order = hosts bcast
realm = DOMAIN.NET
password server = server3.string1.net sever4.string1.net
# wins server = x.x.x.x
local master = no
workgroup = WGNAME
os level = 0
domain master = no
encrypt passwords = yes
security = DOMAIN
unix charset = ISO8859-1
max log size = 50
# Fix for not to do lpstat since we don't use printers in Samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
[homes]
browseable = No
comment = Home Directories
writable = yes
create mode = 775
directory mode = 775
[string2]
user = user1,user2
path = /path/string2
write list = userx,userx
[string3]
path = /string3
read only = Yes
write list = user3,user4,user5
create mask = 0760
force create mode = 0760
[home]
path = /path/home
read only = No
[string4]
path = /path
read only = Yes
write list = user9,user10,user11
[string5]
revalidate = yes
browseable = no
writeable = yes
valid users = @string5, at string6, at string7
path = /path/path
[string11]
path = /path/path2/path3
writeable = yes
valid users = @string9,string9
browseable = no
create mask = 0660
force group = groupx
[string8]
comment = Comment1 here
path = /path/string8
force group = userx
valid users = @string10, @string11
writeable = yes
Thankful for any assistance.
More information about the samba
mailing list