[Samba] Errors "Domain password server not available" and (samba-ml: samba at lists.samba.org exclusive) "SPNEGO login failed: The request is not supported"

Rowland Penny rpenny at samba.org
Mon Jul 9 10:48:09 UTC 2018 

On Mon, 9 Jul 2018 11:54:11 +0200
M.Eng. René Schwarz via samba <samba at lists.samba.org> wrote:

> On 2018/07/09 11:15, Rowland Penny via samba - samba at lists.samba.org
> wrote:
> > At first glance it looks like your Ubuntu server is trying to use
> > NTLMv1 against something that no longer uses it.
> > 
> > Can you post your smb.conf and tell us what your windows servers
> > are ?
> 
> Hi Rowland,
> 
> 
> thank you very much for your quick response. Yes, please find my
> reduced smb.conf attached below. I have just removed the 20+ share
> definitions we have; they are all similar to the example one
> displayed.
> 
> Unfortunately, I can't tell you any details about the Windows servers
> since they are centrally managed (by another organizational unit) and
> I don't know much about them.

You need to find out.

> 
> 
> Kind regards and thank you for your support,
> René
> 
> 
> [global]
>     workgroup = [REDACTED]
>     local master = no
>     server string = %h server (Samba, Ubuntu)
>     wins support = no
>     wins server = [REDACTED]
>     dns proxy = no
>     realm = [REDACTED]
>     security = ads
>     domain master = no
>     domain logons = no
>     machine password timeout = 0
>     kerberos method = dedicated keytab
>     dedicated keytab file = /etc/opt/quest/vas/host.keytab
>     idmap uid = 1-2147483647
>     idmap gid = 1-2147483647
>     encrypt passwords = yes
>     lanman auth = no
>     ntlm auth = no
>     use spnego = yes
>     log file = /var/log/samba/samba.log
>     max log size = 10000
>     syslog = 0
>     panic action = /usr/share/samba/panic-action %d
>     server role = standalone server
>     passdb backend = tdbsam
>     obey pam restrictions = yes
>     unix password sync = yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Entersnews*spassword:* %nn *Retypesnews*spassword:*
> %nn *passwordsupdatedssuccessfully* .
>     pam password change = yes
>     map to guest = bad user
>     usershare allow guests = yes
>     guest account = nobody
> 

Can anybody else see the glaring errors in the above smb.conf ?

Okay, just in case you cannot, lets start with these:

    security = ads
    server role = standalone server


So what is it ?
Is it a Unix domain member, or is a standalone server ?
It cannot be both.

If it is a Unix domain member, you should not have:

unix password sync = yes

All your users must be in AD

Speaking of which, this is the old way of doing things:

    idmap uid = 1-2147483647
    idmap gid = 1-2147483647

Not only that, the range '1-2147483647' is a stupid range, not only can
you not have ANY local Unix users & groups, you cannot have ANY local
Unix system users & groups.

It also looks like you are using the totally unnecessary Quest. If you
require a keytab on the client, you would be better off just using
winbind.

There are other things wrong, but I need to know just what Samba
server you require (Unix domain member or standalone server) before I
can comment further.

Rowland

More information about the samba mailing list