[Samba] Errors "Domain password server not available" and (samba-ml: samba at lists.samba.org exclusive) "SPNEGO login failed: The request is not supported"
Rowland Penny
rpenny at samba.org
Mon Jul 9 10:48:09 UTC 2018
On Mon, 9 Jul 2018 11:54:11 +0200
M.Eng. René Schwarz via samba <samba at lists.samba.org> wrote:
> On 2018/07/09 11:15, Rowland Penny via samba - samba at lists.samba.org
> wrote:
> > At first glance it looks like your Ubuntu server is trying to use
> > NTLMv1 against something that no longer uses it.
> >
> > Can you post your smb.conf and tell us what your windows servers
> > are ?
>
> Hi Rowland,
>
>
> thank you very much for your quick response. Yes, please find my
> reduced smb.conf attached below. I have just removed the 20+ share
> definitions we have; they are all similar to the example one
> displayed.
>
> Unfortunately, I can't tell you any details about the Windows servers
> since they are centrally managed (by another organizational unit) and
> I don't know much about them.
You need to find out.
>
>
> Kind regards and thank you for your support,
> René
>
>
> [global]
> workgroup = [REDACTED]
> local master = no
> server string = %h server (Samba, Ubuntu)
> wins support = no
> wins server = [REDACTED]
> dns proxy = no
> realm = [REDACTED]
> security = ads
> domain master = no
> domain logons = no
> machine password timeout = 0
> kerberos method = dedicated keytab
> dedicated keytab file = /etc/opt/quest/vas/host.keytab
> idmap uid = 1-2147483647
> idmap gid = 1-2147483647
> encrypt passwords = yes
> lanman auth = no
> ntlm auth = no
> use spnego = yes
> log file = /var/log/samba/samba.log
> max log size = 10000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> server role = standalone server
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:*
> %nn *passwordsupdatedssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
> guest account = nobody
>
Can anybody else see the glaring errors in the above smb.conf ?
Okay, just in case you cannot, lets start with these:
security = ads
server role = standalone server
So what is it ?
Is it a Unix domain member, or is a standalone server ?
It cannot be both.
If it is a Unix domain member, you should not have:
unix password sync = yes
All your users must be in AD
Speaking of which, this is the old way of doing things:
idmap uid = 1-2147483647
idmap gid = 1-2147483647
Not only that, the range '1-2147483647' is a stupid range, not only can
you not have ANY local Unix users & groups, you cannot have ANY local
Unix system users & groups.
It also looks like you are using the totally unnecessary Quest. If you
require a keytab on the client, you would be better off just using
winbind.
There are other things wrong, but I need to know just what Samba
server you require (Unix domain member or standalone server) before I
can comment further.
Rowland
More information about the samba
mailing list