[Samba] AD integration issues
Rowland Penny
rpenny at samba.org
Sat Sep 15 08:26:34 UTC 2018
On Fri, 14 Sep 2018 14:58:20 -0700
Jagga Soorma via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I have a CentOS 7 system configured as a samba server using ADS
> security. I am able to get users to log in from PCs that are part of
> the AD domain but users coming from systems that are not part of the
> AD domain are not able to access the smb shares. Here is more
> information about the environment and issue:
>
> --
> # rpm -qa | grep -i samba
> samba-client-4.6.2-12.el7_4.x86_64
> samba-4.6.2-12.el7_4.x86_64
> samba-common-libs-4.6.2-12.el7_4.x86_64
> samba-winbind-4.6.2-12.el7_4.x86_64
> samba-winbind-modules-4.6.2-12.el7_4.x86_64
> samba-libs-4.6.2-12.el7_4.x86_64
> samba-common-4.6.2-12.el7_4.noarch
> samba-common-tools-4.6.2-12.el7_4.x86_64
> samba-client-libs-4.6.2-12.el7_4.x86_64
>
> [global]
> security = ADS
> realm = DOMAIN_FQDN
> workgroup = DOMAINX
> netbios name = systemx
> auth methods = guest, sam, winbind, ntdomain
> machine password timeout = 0
> passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
> kerberos method = secrets and keytab
> map untrusted to domain = Yes
> server signing = auto
> client ntlmv2 auth = yes
> client use spnego = yes
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind enum users = No
> winbind enum groups = No
> winbind nested groups = Yes
> idmap cache time = 0
> idmap config * : backend = tdb
> idmap config * : range = 1000 - 200000000
> idmap config * : base_tdb = 0
> enable core files = false
> syslog = 0
> log file = /var/log/samba/log.%m
> log level = 3
> max log size = 50
>
> [data]
> comment = Local data
> path = /opt/test/data/
> valid users = userx
> public = no
> writeable = yes
> browseable = yes
>
> smb error:
>
> [2018/09/14 10:42:45.698030, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62888215
> [2018/09/14 10:42:45.722429, 3]
> ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
> Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2]
> len1=24 len2=238
> [2018/09/14 10:42:45.722532, 3]
> ../source3/param/loadparm.c:3823(lp_load_ex)
> lp_load_ex: refreshing parameters
> [2018/09/14 10:42:45.722647, 3]
> ../source3/param/loadparm.c:542(init_globals)
> Initialising global parameters
> [2018/09/14 10:42:45.722800, 3]
> ../source3/param/loadparm.c:2752(lp_do_section)
> Processing section "[global]"
> [2018/09/14 10:42:45.723210, 1]
> ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
> WARNING: The "syslog" option is deprecated
> [2018/09/14 10:42:45.723258, 2]
> ../source3/param/loadparm.c:2769(lp_do_section)
> Processing section "[topspin-data]"
> [2018/09/14 10:42:45.723438, 3]
> ../source3/param/loadparm.c:1592(lp_add_ipc)
> adding IPC service
> [2018/09/14 10:42:45.724249, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
> [2018/09/14 10:42:45.724310, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is:
> [DOMAIN]\[user1]@[USER1-2VFVH5-2]
> [2018/09/14 10:42:45.725035, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.743503, 3]
> ../source3/libads/ldap.c:618(ads_connect)
> Successfully contacted LDAP server 10.36.241.108
> [2018/09/14 10:42:50.743611, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.750094, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.759071, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys3.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.762487, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys1.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.769100, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys2.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.774346, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.782810, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.790827, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.790878, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.790959, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.790984, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.791018, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.791042, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.793014, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.793741, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.799803, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.802540, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.802591, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.802657, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.802680, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.802765, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.802825, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.805115, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.805771, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.818209, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.821149, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.821200, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.821251, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.821271, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.821289, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.821331, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.823274, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.823505, 0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
> domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.823540, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.823584, 2]
> ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.823705, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_NOT_SUPPORTED] || at
> ../source3/smbd/smb2_sesssetup.c:134
> [2018/09/14 10:42:50.861167, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62888215
> [2018/09/14 10:42:50.885503, 3]
> ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
> Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2]
> len1=24 len2=238
> [2018/09/14 10:42:50.885583, 3]
> ../source3/param/loadparm.c:3823(lp_load_ex)
> lp_load_ex: refreshing parameters
> [2018/09/14 10:42:50.885702, 3]
> ../source3/param/loadparm.c:542(init_globals)
> Initialising global parameters
> [2018/09/14 10:42:50.885879, 3]
> ../source3/param/loadparm.c:2752(lp_do_section)
> Processing section "[global]"
> [2018/09/14 10:42:50.886268, 1]
> ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
> WARNING: The "syslog" option is deprecated
> [2018/09/14 10:42:50.886336, 2]
> ../source3/param/loadparm.c:2769(lp_do_section)
> Processing section "[topspin-data]"
> [2018/09/14 10:42:50.886510, 3]
> ../source3/param/loadparm.c:1592(lp_add_ipc)
> adding IPC service
> [2018/09/14 10:42:50.886815, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
> [2018/09/14 10:42:50.886848, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is:
> [DOMAIN]\[user1]@[USER1-2VFVH5-2]
> [2018/09/14 10:42:50.887490, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.889618, 3]
> ../source3/libads/ldap.c:618(ads_connect)
> Successfully contacted LDAP server 10.36.241.108
> [2018/09/14 10:42:50.889708, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.896439, 3]
> ../source3/libsmb/namequery.c:3160(get_dc_list)
> get_dc_list: preferred server list: ", *"
> [2018/09/14 10:42:50.909971, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys1.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.913371, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys2.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.914733, 3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
> interpret_string_addr_internal: getaddrinfo failed for name
> sys3.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.919404, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.925657, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.928222, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.928275, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.928395, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.928427, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.928448, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.928468, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.930364, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.930986, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.936178, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.938455, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.938501, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.938546, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.938563, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.938579, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.938652, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.940613, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.941187, 3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
> Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.946423, 3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.949509, 3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
> Got challenge flags:
> [2018/09/14 10:42:50.949562, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.949613, 3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
> NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.949633, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.949651, 3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.949671, 3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.951526, 3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
> SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.951723, 0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
> domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.951757, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.951786, 2]
> ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.951864, 3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_NOT_SUPPORTED] || at
> ../source3/smbd/smb2_sesssetup.c:134
> --
>
> Any help with this would be greatly appreciated!
>
> Thanks
>
Are you also using sssd?
If so, go and contact the sssd-users mailing list, it isn't a Samba
problem.
If you are not using sssd, then go and read this Samba wiki page, the
smb.conf is not set up correctly:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
Rowland
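
The failure chain in the quoted log is easier to read once the entries are separated again. The following is an added example (not part of the original thread and not Samba code) that parses smbd debug output, including the mail-wrapped and `>`-quoted form seen above, and extracts failed logons and level-0 errors. The names `parse_entries`, `summarize` and `SAMPLE` are made up for this illustration.

```python
import re

# One smbd debug entry starts "[timestamp, level] file.c:line(function)".
# \s* keeps the header matchable after mail re-wrapping ("...725035,\n3] ../source3/...").
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(\S+:\d+)\((\w+)\)")
AUTH_FAIL = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\w+)")

def parse_entries(text):
    """Split raw (possibly '>'-quoted, re-wrapped) smbd log text into entries."""
    text = re.sub(r"^>[ \t]?", "", text, flags=re.M)  # drop mail quote markers
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": m.group(3), "func": m.group(4),
                        "msg": " ".join(text[m.end():end].split())})
    return entries

def summarize(text):
    """Failed logons (time, client user, mapped user, NT status) and level-0 errors."""
    entries = parse_entries(text)
    failures = []
    for e in entries:
        m = AUTH_FAIL.search(e["msg"])
        if m and e["func"] == "auth_check_ntlm_password":
            failures.append((e["time"],) + m.groups())
    return {"failures": failures,
            "level0": [e["msg"] for e in entries if e["level"] == 0]}

# Constructed sample: lines spliced from the log quoted in this thread, wrapping kept.
SAMPLE = r"""
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] [2018/09/14 10:42:45.725035,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.823505, 0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
> domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.823540, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
"""

if __name__ == "__main__":
    for item in summarize(SAMPLE).items():
        print(item)
```
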