[Samba] no logon server on trusted domain

Mario Codeniera mario.codeniera at gmail.com
Mon Jan 29 03:13:45 UTC 2018


Hi,

I'm doing a Samba PDC (named LUMAD, 192.168.2.154, on Fedora 27) using
Samba 4.7.4 with a Windows 2016 AD (named SANDBOX, IP 192.168.2.144) as
the trusted domain, but there is an issue with it. I can't log in using
Windows AD credentials, but a Samba PDC account works well on Windows
7 as an initial test, and it mimics our production server. I used the
classic upgrade and it succeeded, with some users removed, but
my concern is whether the trust is broken or not once upgraded, as that is
the main purpose of these test machines before applying it to the production
server.

In other words, LUMAD has a one-way trust to SANDBOX, so supposedly any user
in SANDBOX can log in to the LUMAD domain.

If I log in as sandbox\txunil (with WINS pointed to 192.168.2.144; I also tried
without WINS), I get these issues:
On Windows 7: “There are currently no logon servers available to service
the logon request.”

In the logs:
[2018/01/29 15:38:10.466015,  0]
../source3/passdb/lookup_sid.c:1605(get_primary_group_sid)
  Failed to find a Unix account for win7test$
[2018/01/29 15:38:11.178995,  0]
../source3/passdb/lookup_sid.c:1605(get_primary_group_sid)
  Failed to find a Unix account for win7test$
[2018/01/29 15:38:11.247683,  0]
../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2018/01/29 15:41:00.966585,  0]
../source3/passdb/lookup_sid.c:1605(get_primary_group_sid)
  Failed to find a Unix account for win7test$
[2018/01/29 15:41:01.033220,  0]
../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'

Or using smbclient:
[root@lumad samba]#  smbclient -L 192.168.2.144 -U sandbox\\txunil
WARNING: The "syslog" option is deprecated
WARNING: The "use spnego" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter SANDBOX\txunil's password:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
Connection to 192.168.2.144 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

I hope someone can please give some insight or point out any missed configuration.

Thanks,
Mario


Some other info:
[root@lumad samba]# net rpc trustdom list
Enter root's password:
Trusted domains list:

SANDBOX             S-1-5-21-784393921-3851942112-706912257

Trusting domains list:

none

[root@lumad samba]# smbclient -V
Version 4.7.4
[root@lumad samba]# samba -V
Version 4.7.4

[root@lumad samba]# nmblookup -T -M -A 192.168.2.144
Looking up status of 192.168.2.144
SANDBOXPC       <00> -         M <ACTIVE>
SANDBOX         <00> - <GROUP> M <ACTIVE>
SANDBOX         <1c> - <GROUP> M <ACTIVE>
SANDBOXPC       <20> -         M <ACTIVE>
SANDBOX         <1b> -         M <ACTIVE>

MAC Address = 00-0D-30-C3-16-72

[root@lumad samba]# nmblookup -T -M -A LUMAD
Looking up status of 192.168.2.154
LUMAD-DC        <00> -         H <ACTIVE>
LUMAD-DC        <03> -         H <ACTIVE>
LUMAD-DC        <20> -         H <ACTIVE>
..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
LUMAD           <1b> -         H <ACTIVE>
LUMAD           <1c> - <GROUP> H <ACTIVE>
LUMAD           <1d> -         H <ACTIVE>
LUMAD           <1e> - <GROUP> H <ACTIVE>

MAC Address = 00-00-00-00-00-00

[root@lumad samba]# wbinfo -g
domain admins
domain computers
summer
postgrads
generic
domain users
domain guests
...

getent passwd and wbinfo -u will display the users... but not on the
Windows AD.
alu:*:111132:513:alu:/home/alu:
bdu:*:105297:513:bdu:/home/bdu:
bli:*:111143:513:bli:/home/bli:
....