[Samba] AD integration issues

Jagga Soorma jagga13 at gmail.com
Fri Sep 14 21:58:20 UTC 2018


Hello,

I have a CentOS 7 system configured as a samba server using ADS
security.  I am able to get users to login from PC's that are part of
the AD domain but users coming from systems that are not part of the
AD domain are not able to access the smb shares.  Here is more
information about the enviornment and issue:

--
# rpm -qa | grep -i samba
samba-client-4.6.2-12.el7_4.x86_64
samba-4.6.2-12.el7_4.x86_64
samba-common-libs-4.6.2-12.el7_4.x86_64
samba-winbind-4.6.2-12.el7_4.x86_64
samba-winbind-modules-4.6.2-12.el7_4.x86_64
samba-libs-4.6.2-12.el7_4.x86_64
samba-common-4.6.2-12.el7_4.noarch
samba-common-tools-4.6.2-12.el7_4.x86_64
samba-client-libs-4.6.2-12.el7_4.x86_64

[global]
    security = ADS
    realm = DOMAIN_FQDN
    workgroup = DOMAINX
    netbios name = systemx
    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    kerberos method = secrets and keytab
    map untrusted to domain = Yes
    server signing = auto
    client ntlmv2 auth = yes
    client use spnego = yes
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    idmap cache time = 0
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false
    syslog = 0
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 50

[data]
    comment = Local data
    path = /opt/test/data/
    valid users = userx
    public = no
    writeable = yes
    browseable = yes

smb error:

[2018/09/14 10:42:45.698030,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2018/09/14 10:42:45.722429,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2] len1=24 len2=238
[2018/09/14 10:42:45.722532,  3] ../source3/param/loadparm.c:3823(lp_load_ex)
  lp_load_ex: refreshing parameters
[2018/09/14 10:42:45.722647,  3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2018/09/14 10:42:45.722800,  3] ../source3/param/loadparm.c:2752(lp_do_section)
  Processing section "[global]"
[2018/09/14 10:42:45.723210,  1]
../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
  WARNING: The "syslog" option is deprecated
[2018/09/14 10:42:45.723258,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[topspin-data]"
[2018/09/14 10:42:45.723438,  3] ../source3/param/loadparm.c:1592(lp_add_ipc)
  adding IPC service
[2018/09/14 10:42:45.724249,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
[2018/09/14 10:42:45.724310,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[user1]@[USER1-2VFVH5-2]
[2018/09/14 10:42:45.725035,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.743503,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.36.241.108
[2018/09/14 10:42:50.743611,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.750094,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.759071,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys3.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.762487,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys1.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.769100,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys2.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.774346,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.782810,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.790827,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.790878,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.790959,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.790984,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.791018,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.791042,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.793014,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.793741,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.799803,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.802540,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.802591,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.802657,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.802680,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.802765,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.802825,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.805115,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.805771,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.818209,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.821149,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.821200,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.821251,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.821271,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.821289,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.821331,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.823274,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.823505,  0]
../source3/auth/auth_domain.c:185(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2018/09/14 10:42:50.823540,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1]
FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.823584,  2]
../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.823705,
3]../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_SUPPORTED] || at
../source3/smbd/smb2_sesssetup.c:134
[2018/09/14 10:42:50.861167,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2018/09/14 10:42:50.885503,  3]
../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2] len1=24 len2=238
[2018/09/14 10:42:50.885583,  3] ../source3/param/loadparm.c:3823(lp_load_ex)
  lp_load_ex: refreshing parameters
[2018/09/14 10:42:50.885702,  3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2018/09/14 10:42:50.885879,  3] ../source3/param/loadparm.c:2752(lp_do_section)
  Processing section "[global]"
[2018/09/14 10:42:50.886268,  1]
../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
  WARNING: The "syslog" option is deprecated
[2018/09/14 10:42:50.886336,  2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[topspin-data]"
[2018/09/14 10:42:50.886510,  3] ../source3/param/loadparm.c:1592(lp_add_ipc)
  adding IPC service
[2018/09/14 10:42:50.886815,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
[2018/09/14 10:42:50.886848,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[user1]@[USER1-2VFVH5-2]
[2018/09/14 10:42:50.887490,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.889618,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.36.241.108
[2018/09/14 10:42:50.889708,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.896439,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.909971,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys1.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.913371,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys2.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.914733,  3]
../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name
sys3.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.919404,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.925657,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.928222,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.928275,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.928395,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.928427,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.928448,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.928468,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.930364,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.930986,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.936178,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.938455,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.938501,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.938546,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.938563,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.938579,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.938652,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.940613,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.941187,  3]
../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.946423,  3]
../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.949509,  3]
../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.949562,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.949613,  3]
../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.949633,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.949651,  3]
../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.949671,  3]
../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.951526,  3]
../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.951723,  0]
../source3/auth/auth_domain.c:185(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2018/09/14 10:42:50.951757,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1]
FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.951786,  2]
../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.951864,  3]
../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
status[NT_STATUS_NOT_SUPPORTED] || at
../source3/smbd/smb2_sesssetup.c:134
--

Any help with this would be greatly appreciated!

Thanks



More information about the samba mailing list