[Samba] User Permissions issue

Denis Cardon dcardon at tranquil.it
Tue Jan 16 13:31:51 UTC 2018


Hi Harsh,
>
> Thanks for your advice, I will not use these wordings here.

thanks!

> Please check the result below when I run the command on the DC-1 when
> DC-2 is off or on
> smbclient -k //IUMSVRAPP01/Pastel12 -d 9
> ...
> session setup failed: NT_STATUS_INVALID_PARAMETER_MIX

Looking at this message, I would start with doing some cleanup in your 
smb.conf. I would trim your smb.conf like below:

> Here is the smb.conf dump from DC-1:
> # Global parameters
[global]
          workgroup = IUMNET
          realm = IUMNET.EDU.NA
          netbios name = IUMDCDP01
          server role = active directory domain controller
          dns forwarder = 172.16.10.254
          allow dns updates = nonsecure and secure
          ntlm auth = yes
          client use spnego = no
          client ldap sasl wrapping = sign
          ldap server require strong auth = no
          full_audit:prefix = %u|%I|%m|%S
          full_audit:failure = connect
          full_audit:success = connect disconnect
          log level = 9 dns:0

[netlogon]
          path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
          read only = No
          browsable = no

[sysvol]
          path = /var/lib/samba/sysvol
          read only = No

You'd better switch your DNS to Bind-DLZ. Internal DNS is not that good 
for larger sites (looking at your DNS domain name, I guess it might be a 
university). You can take a look there [1].

And I wouldn't store anything other than AD stuff on an AD DC like below:

> [softshare]
>        path = /home/administrator/ad
>        read only = No



> When I ran the same command on DC-2 (Samba 4.7.4):
>
> smbclient -k //172.16.10.21/Pastel12 -d 9

When doing Kerberos authentication, you shouldn't use an IP address, 
otherwise Kerberos won't work. Try it again with the real DNS name.

> ...
> got OID=1.2.840.48018.1.2.2
> Kerberos auth with 'administrator@IUMNET.EDU.NA' (IUMNET\root) to access
> '172.16.10.21' not possible
> SPNEGO login failed: {Access Denied} A process has requested access to
> an object but has not been granted those access rights.
> session setup failed: NT_STATUS_ACCESS_DENIED
>

You can cleanup your smb.conf the same way as pointed before.

> Here is the smb.conf dump from DC-2:
>
> # Global parameters
> [global]
>         netbios name = IUMSVRPDC
>         realm = IUMNET.EDU.NA
>         workgroup = IUMNET
>         server role = active directory domain controller
>         dns forwarder = 172.16.10.254
> #       server services = +s3fs,+dnsupdate,+dns,+winbind,+kdc,+ldap
>         allow dns updates = nonsecure and secure
>         ntlm auth = yes
>         ldap server require strong auth = no
>         time server = Yes
>         template shell = /bin/bash
>         template homedir = /home/%U
> #       idmap config * : backend = tdb
> #       idmap config *:range = 50000-1000000
>         full_audit:prefix = %u|%I|%m|%S
>         full_audit:failure = connect
>         full_audit:success = connect disconnect
>         tls enabled = yes
>         tls keyfile  = tls/key.pem
>         tls certfile = tls/cert.pem
>         tls cafile   = tls/ca.pem
>         log level = 9 dns:0
>
> [netlogon]
>         path = /var/lib/samba/sysvol/iumnet.edu.na/scripts
>         read only = No
>          browsable = no
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> samba-tool drs showrepl on DC-1 is replicating successfully except for
> below under INBOUND NEIGHBOR:
>
> DC=iumnet,DC=edu,DC=na
>         Default-First-Site-Name\IUMSVRPDC via RPC
>                 DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
>                 Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed,
> result 58 (WERR_BAD_NET_RESP)
>                 17863 consecutive failure(s).
>                 Last success @ Sat Jan 13 23:16:52 2018 WAST


This is probably your error. Replication of your main partition is not 
working. Domain members are changing their machine password once a month. 
If it has been changed on one of the servers, but the replication didn't 
go through to the other, it is normal to get the failure you are having.

You should look at your samba log when trying replication for that 
partition. There is probably a corrupted entry somewhere that is 
preventing replication.


> samba-tool drs showrepl on DC-2 is replicating successfully except for
> below under INBOUND NEIGHBOR:
>
> CN=Configuration,DC=iumnet,DC=edu,DC=na
>         Default-First-Site-Name\IUMDCDP01 via RPC
>                 DSA object GUID: 8bf63977-f3b3-445e-8eb3-ff74cdd7e0fe
>                 Last attempt @ Tue Jan 16 14:26:56 2018 CAT failed,
> result 58 (WERR_BAD_NET_RESP)
>                 1926 consecutive failure(s).
>                 Last success @ Tue Jan  9 14:15:43 2018 CAT

This is not good either, and should be resolved too.

Cheers,

Denis

[1] It is in French, but your favorite search engine should be able to 
translate it for you: 
https://dev.tranquil.it/wiki/SAMBA_-_Integration_avec_bind9

> Harsh Kukreja, Systems Administrator
> International University of Namibia - Tel: 061-4336000 -
> E-mail: h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
> Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
> Windhoek, NAMIBIA
>
> On Tue, Jan 16, 2018 at 11:49 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>
>     Hi Harsh,
>
>
>         I have two Samba 4 DCs as below
>         server-1 with all FSMO roles running Samba 4.6.12 on Ubuntu 12.04
>         server-2 joined to server-1 as a DC running Samba 4.7.4 Ubuntu
>         16.04
>
>         The problem is when I share files from my Windows 2008 file
>         sharing server
>         which shows it is logged on to Server-2 DC and the  client PC
>         which logs on
>         to the server-1 DC cannot access the shared folder and gives an
>         error Logon
>         Failure: The target account name is incorrect.
>
>
>     Windows error messages are not very sysadmin friendly. Could you
>     please use instead smbclient command line from a domain member linux
>     client to do your debugging:
>      kinit myusername
>      smbclient -k //win2k8server/sharename -d 9
>
>     And do it both with dc1 on and off.
>
>         To fix the problem I have to shutdown server-2 DC and restart my
>         Windows
>         File server which logs on to the server-1 and then the client
>         can access
>         the shared folder.
>
>
>     Could you check if replication is working properly?
>      samba-tool drs showrepl
>
>         Please assist to fix this issue as I have to run both the DCs
>         in the
>         network.
>
>
>     You should avoid wordings like "please assist for fix". It is deemed
>     rude (at least in my culture) to give orders to people who don't owe
>     you anything... There are many kind people on this mailing list that
>     would be happy to help, but this kind of wording just makes them
>     dismiss your message directly.
>
>     Cheers,
>
>     Denis
>
>
>         Harsh Kukreja, Systems Administrator
>         International University of Namibia - Tel: 061-4336000 - E-mail:
>         h.kukreja at ium.edu.na - Web: http://www.ium.edu.na
>         Private Bag 14005, Bachbrech. 21-31 Hercules Street, Dorado Park,
>         Windhoek, NAMIBIA
>
>
>     --
>     Denis Cardon
>     Tranquil IT Systems
>     Les Espaces Jules Verne, bâtiment A
>     12 avenue Jules Verne
>     44230 Saint Sébastien sur Loire
>     tel : +33 (0) 2.40.97.57.55
>     http://www.tranquil-it-systems.fr
>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
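As an added example (not from the thread or from Samba itself), here is a small POSIX sh/awk helper that does the check Denis asks for: it reads `samba-tool drs showrepl` output and lists every inbound neighbour whose last attempt failed, with the failure count and the WERR code. The sample output is constructed from the two blocks quoted in the mail; the header lines and the "was successful" entry are assumed to follow showrepl's usual layout.

```shell
#!/bin/sh
# Constructed sample of `samba-tool drs showrepl` output. The failing
# partition and GUID are the ones quoted in the thread; the rest is assumed.
SAMPLE_SHOWREPL='Default-First-Site-Name\IUMDCDP01
DSA Options: 0x00000001
DSA object GUID: 00000000-0000-0000-0000-000000000001
DSA invocationId: 00000000-0000-0000-0000-000000000002

==== INBOUND NEIGHBORS ====

DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMSVRPDC via RPC
                DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                Last attempt @ Tue Jan 16 14:24:05 2018 WAST failed, result 58 (WERR_BAD_NET_RESP)
                17863 consecutive failure(s).
                Last success @ Sat Jan 13 23:16:52 2018 WAST

CN=Configuration,DC=iumnet,DC=edu,DC=na
        Default-First-Site-Name\IUMSVRPDC via RPC
                DSA object GUID: 27182378-a9c7-451e-bb95-7b2172a5f311
                Last attempt @ Tue Jan 16 14:24:05 2018 WAST was successful
                0 consecutive failure(s).
                Last success @ Tue Jan 16 14:24:05 2018 WAST

==== OUTBOUND NEIGHBORS ====
'

# Read showrepl output on stdin and print one line per failing inbound
# neighbour: "<naming context>|<source DC>|<consecutive failures>|<result>".
# Outbound neighbours are ignored; a partition with a successful last
# attempt prints nothing.
failing_inbound() {
    awk '
        /^==== INBOUND NEIGHBORS/  { section = "in";  next }
        /^==== OUTBOUND NEIGHBORS/ { section = "out"; next }
        section != "in"            { next }
        /^[A-Za-z]+=/              { nc = $0; next }          # e.g. DC=iumnet,DC=edu,DC=na
        /via RPC/                  { sub(/^[ \t]+/, ""); src = $1; next }
        /Last attempt @ .* failed/ {
            failed = 1
            match($0, /result [0-9]+ \([A-Z_]+\)/)
            res = substr($0, RSTART, RLENGTH)
            next
        }
        /Last attempt @ .* was successful/ { failed = 0; next }
        /consecutive failure/      { if (failed) print nc "|" src "|" $1 "|" res }
    '
}

# Demo on the constructed sample; on a real DC pipe `samba-tool drs showrepl` instead.
printf '%s\n' "$SAMPLE_SHOWREPL" | failing_inbound
```

A non-empty result for the domain partition (as in the thread) means machine-password changes made on one DC are not reaching the other, which is the mechanism behind the NT_STATUS_ACCESS_DENIED above.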
