[Samba] Unable to contact active directory or verify claim types

Rowland Penny rpenny at samba.org
Wed Jul 25 16:44:57 UTC 2018


On Wed, 25 Jul 2018 12:14:30 -0400
Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:

> My partial smb.conf and nsswitch.conf is as follows.  FYI the user in 
> question is able to access directories via ssh so the permissions and 
> group membership seems correct - at least on the unix level.
> 
> 
> root at weirdserver:~# getent passwd | grep myname
> myname:x:123:999::/home/myname:/bin/bash
> MYDOMAIN\myname:*:123:999:My Name:/home/MYDOMAIN/myname:/bin/false
> root at weirdserver:~#
> 
> Rebooting the Win 2012 R2 server did fix the network share access
> caused by changing the max protocol.
> 
> Thanks
> 
> 
> 
> 
> ___________________________________________________________________________________________________________________________________________
> 
> #smb.conf
> 
> [global]
> server min protocol = SMB2
> server max protocol = SMB3
> smb ports = 445
> disable netbios = yes
> 
> syslog = 3
> log level = 3
> 
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM
> security = ads
> include system krb5 conf = no
> winbind nss info = rfc2307
> kerberos method = system keytab
> 
> #ID MAPPING
> idmap config *:backend = tdb
> idmap config *:range = 2000-2999
> 
> idmap config MYDOMAIN:backend = ad
> idmap config MYDOMAIN:schema_mode = rfc2307
> idmap config MYDOMAIN:range = 100-1999
> 
> name resolve order = host wins bcast
> 
> # server string is the equivalent of the NT Description field
> server string = weirdserver
> winbind enum users = Yes
> winbind enum groups = Yes
> domain master = no
> domain logons = no
> wins server = w.z.y.z
> dns proxy = no
> 
> #============================ Share Definitions ==============================
> 
> [dept]
> msdfs root = yes
> path = /Disk1/Dept
> read only = No
> hide special files = Yes
> map archive = No
> inherit permissions = Yes
> inherit acls = Yes
> vfs objects = zfsacl
> nfs4:acedup = merge
> nfs4:chown = yes
> nfs4:mode = special
> map readonly = no
> ea support = yes
> store dos attributes = yes
> create mask = 0770
> force create mode = 0600
> directory mask = 0775
> force directory mode = 0600
> zfsacl:acesort = dontcare
> 
> ___________________________________________________________________________________________________________________________________________
> 
> Partial /etc/nsswitch.conf
> 
> passwd: files ldap winbind
> group:  files ldap winbind
> hosts:  files dns
> 
> ___________________________________________________________________________________________________________________________________________
> 
> On 07/25/18 03:37, Rowland Penny via samba wrote:
> > On Tue, 24 Jul 2018 22:59:42 -0400
> > Gaeseric Vandal via samba <samba at lists.samba.org> wrote:
> >
> >> I set "server min protocol = SMB2" and "server max protocol =
> >> SMB2".
> >>
> >> Which then resulted in the Win 2012 R2 server being unable to
> >> access the Samba server as \\weirdserver. But I can access via
> >> \\weirdserver.mydomain.com or \\ipaddres.
> >>
> >> Logs on samba server for that client shows "bad SMB2 signing."
> >>
> >> [2018/07/24 22:34:19.865792,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
> >>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2447
> >> [2018/07/24 22:34:19.867152,  3] ../lib/util/access.c:365(allow_access)
> >>   Allowed connection from 192.168.x.x. (192.168.x.x)
> >> [2018/07/24 22:34:19.867325,  3] ../source3/smbd/service.c:595(make_connection_snum)
> >>   Connect path is 'xxxxfor service [users]
> >> [2018/07/24 22:34:19.867420,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
> >>   Initialising default vfs hooks
> >> [2018/07/24 22:34:19.867502,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
> >>   Initialising custom vfs hooks from [/[Default VFS]/]
> >> [2018/07/24 22:34:19.867556,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
> >>   Initialising custom vfs hooks from [zfsacl]
> >> [2018/07/24 22:34:19.867918,  2] ../source3/smbd/service.c:841(make_connection_snum)
> >>   192.168.3.225 (ipv4:192.168.3.225:60275) connect to service users initially as user MYDOMAIN\someuser (uid=xxxx, gid=xxx) (pid 6264)
> >> [2018/07/24 22:34:19.868642,  0] ../libcli/smb/smb2_signing.c:171(smb2_signing_check_pdu)
> >>   Bad SMB2 signature for message
> >> [2018/07/24 22:34:19.868723,  0] ../lib/util/util.c:515(dump_data)
> >>   [0000] F7 44 6E EC BE 8F A2 B3   5F 45 D0 82 44 7E 3C D1   -Dn-.-- _E-.D~<-
> >> [2018/07/24 22:34:19.868795,  0] ../lib/util/util.c:515(dump_data)
> >>   [0000] 67 29 61 2A 76 DD D8 8E   91 9C 03 D2 E6 A2 51 0F   g)a*v--. ...--Q.
> >> [2018/07/24 22:34:19.868862,  3] ../source3/smbd/smb2_server.c:3139(smbd_smb2_request_error_ex)
> >>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_server.c:2447
> >>
> >> Re-enabling "server max protocol = SMB3" didn't help, though I
> >> presume this is because the Win 2012 R2 server didn't try to
> >> connect with SMB3. I would probably have to reboot but that isn't
> >> an option at the moment.
> >>
> >> Appreciate any feedback.
> > You seem to have told us everything except the vital thing, what is in
> > your smb.conf ?
> >
> > Rowland
> >
> 

First thing I would do is to read man smb.conf and remove any default
settings.
Secondly I would ask myself why I have 'ldap' in the nsswitch.conf
lines ;-)

Rowland
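An added check, written for this page and not part of the thread or of Samba itself: it parses the idmap ranges out of an smb.conf and the `getent passwd` lines, then reports overlapping idmap ranges (Samba requires the ranges of different idmap domains to be disjoint), UIDs claimed by more than one account name, and local (non-winbind) accounts whose UID sits inside the domain's range. The config and passwd text below are constructed copies of what the thread shows, trimmed to the relevant lines; the function names are my own.

```python
# Added example (not from the thread): sanity-check smb.conf idmap ranges
# against the passwd database. Both inputs are constructed inline from what
# the thread posted; nothing is read from the live system.
import re

# Constructed from the smb.conf posted in the thread (idmap lines only).
SMB_CONF = """\
[global]
workgroup = MYDOMAIN
security = ads
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
"""

# Constructed from the `getent passwd | grep myname` output in the thread.
GETENT_PASSWD = """\
myname:x:123:999::/home/myname:/bin/bash
MYDOMAIN\\myname:*:123:999:My Name:/home/MYDOMAIN/myname:/bin/false
"""

# Matches 'idmap config <domain>:range = <low>-<high>' (case-insensitive).
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf: str) -> dict:
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges: dict) -> list:
    """Pairs of idmap domains whose ranges overlap; Samba needs them disjoint."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad


def parse_passwd(text: str) -> list:
    """Return (name, uid, is_domain) tuples; a backslash in the name marks a winbind user."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, uid = fields[0], int(fields[2])
        users.append((name, uid, "\\" in name))
    return users


def uid_collisions(users: list) -> dict:
    """UIDs that more than one account name resolves to (local vs. domain, or two domain names)."""
    by_uid = {}
    for name, uid, _ in users:
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def domain_range_hits_local_uids(ranges: dict, users: list, domain: str) -> list:
    """Local (non-winbind) accounts whose UID falls inside the given domain's idmap range."""
    lo, hi = ranges[domain]
    return [name for name, uid, is_dom in users if not is_dom and lo <= uid <= hi]


if __name__ == "__main__":
    r = parse_idmap_ranges(SMB_CONF)
    u = parse_passwd(GETENT_PASSWD)
    print("idmap ranges:", r)
    print("overlapping ranges:", overlapping_ranges(r))
    print("UID collisions:", uid_collisions(u))
    print("local UIDs inside MYDOMAIN range:", domain_range_hits_local_uids(r, u, "MYDOMAIN"))
```

On the thread's own data the `*` and `MYDOMAIN` ranges do not overlap, but UID 123 is reported as shared by the local `myname` and the winbind `MYDOMAIN\myname`, and `myname` as a local account sitting inside the 100-1999 domain range. Whether that has anything to do with the share problem the thread does not say; it is the kind of thing worth ruling out before reading the signing failure as a protocol issue.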


