[Samba] AD integration issues

Rowland Penny rpenny at samba.org
Sat Sep 15 08:26:34 UTC 2018


On Fri, 14 Sep 2018 14:58:20 -0700
Jagga Soorma via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have a CentOS 7 system configured as a samba server using ADS
> security.  I am able to get users to log in from PCs that are part of
> the AD domain but users coming from systems that are not part of the
> AD domain are not able to access the smb shares.  Here is more
> information about the environment and issue:
> 
> --
> # rpm -qa | grep -i samba
> samba-client-4.6.2-12.el7_4.x86_64
> samba-4.6.2-12.el7_4.x86_64
> samba-common-libs-4.6.2-12.el7_4.x86_64
> samba-winbind-4.6.2-12.el7_4.x86_64
> samba-winbind-modules-4.6.2-12.el7_4.x86_64
> samba-libs-4.6.2-12.el7_4.x86_64
> samba-common-4.6.2-12.el7_4.noarch
> samba-common-tools-4.6.2-12.el7_4.x86_64
> samba-client-libs-4.6.2-12.el7_4.x86_64
> 
> [global]
>     security = ADS
>     realm = DOMAIN_FQDN
>     workgroup = DOMAINX
>     netbios name = systemx
>     auth methods = guest, sam, winbind, ntdomain
>     machine password timeout = 0
>     passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
>     kerberos method = secrets and keytab
>     map untrusted to domain = Yes
>     server signing = auto
>     client ntlmv2 auth = yes
>     client use spnego = yes
>     template shell = /bin/bash
>     winbind use default domain = Yes
>     winbind enum users = No
>     winbind enum groups = No
>     winbind nested groups = Yes
>     idmap cache time = 0
>     idmap config * : backend  = tdb
>     idmap config * : range = 1000 - 200000000
>     idmap config * : base_tdb = 0
>     enable core files = false
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     log level = 3
>     max log size = 50
> 
> [data]
>     comment = Local data
>     path = /opt/test/data/
>     valid users = userx
>     public = no
>     writeable = yes
>     browseable = yes
> 
> smb error:
> 
> [2018/09/14 10:42:45.698030,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62888215
> [2018/09/14 10:42:45.722429,  3]
> ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
>   Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2]
> len1=24 len2=238 [2018/09/14 10:42:45.722532,
> 3] ../source3/param/loadparm.c:3823(lp_load_ex) lp_load_ex:
> refreshing parameters [2018/09/14 10:42:45.722647,
> 3] ../source3/param/loadparm.c:542(init_globals) Initialising global
> parameters [2018/09/14 10:42:45.722800,
> 3] ../source3/param/loadparm.c:2752(lp_do_section) Processing section
> "[global]" [2018/09/14 10:42:45.723210,  1]
> ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
>   WARNING: The "syslog" option is deprecated
> [2018/09/14 10:42:45.723258,
> 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section
> "[topspin-data]" [2018/09/14 10:42:45.723438,
> 3] ../source3/param/loadparm.c:1592(lp_add_ipc) adding IPC service
> [2018/09/14 10:42:45.724249,  3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
> [2018/09/14 10:42:45.724310,  3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is:
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] [2018/09/14 10:42:45.725035,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.743503,
> 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted
> LDAP server 10.36.241.108 [2018/09/14 10:42:50.743611,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.750094,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.759071,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys3.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.762487,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys1.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.769100,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys2.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.774346,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.782810,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.790827,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.790878,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.790959,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.790984,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.791018,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.791042,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.793014,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.793741,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.799803,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.802540,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.802591,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.802657,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.802680,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.802765,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.802825,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.805115,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.805771,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.818209,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.821149,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.821200,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.821251,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.821271,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.821289,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.821331,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.823274,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.823505,  0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
>   domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.823540,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.823584,  2]
> ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.823705,
> 3]../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_NOT_SUPPORTED] || at
> ../source3/smbd/smb2_sesssetup.c:134
> [2018/09/14 10:42:50.861167,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62888215
> [2018/09/14 10:42:50.885503,  3]
> ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
>   Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2]
> len1=24 len2=238 [2018/09/14 10:42:50.885583,
> 3] ../source3/param/loadparm.c:3823(lp_load_ex) lp_load_ex:
> refreshing parameters [2018/09/14 10:42:50.885702,
> 3] ../source3/param/loadparm.c:542(init_globals) Initialising global
> parameters [2018/09/14 10:42:50.885879,
> 3] ../source3/param/loadparm.c:2752(lp_do_section) Processing section
> "[global]" [2018/09/14 10:42:50.886268,  1]
> ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
>   WARNING: The "syslog" option is deprecated
> [2018/09/14 10:42:50.886336,
> 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section
> "[topspin-data]" [2018/09/14 10:42:50.886510,
> 3] ../source3/param/loadparm.c:1592(lp_add_ipc) adding IPC service
> [2018/09/14 10:42:50.886815,  3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password:  Checking password for unmapped user
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
> [2018/09/14 10:42:50.886848,  3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password:  mapped user is:
> [DOMAIN]\[user1]@[USER1-2VFVH5-2] [2018/09/14 10:42:50.887490,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.889618,
> 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted
> LDAP server 10.36.241.108 [2018/09/14 10:42:50.889708,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.896439,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.909971,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys1.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.913371,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys2.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.914733,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys3.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.919404,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.925657,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.928222,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.928275,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.928395,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.928427,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.928448,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.928468,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.930364,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.930986,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.936178,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.938455,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.938501,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.938546,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.938563,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.938579,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.938652,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.940613,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.941187,  3]
> ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 10.36.241.108 at port 445
> [2018/09/14 10:42:50.946423,  3]
> ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2018/09/14 10:42:50.949509,  3]
> ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2018/09/14 10:42:50.949562,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
> [2018/09/14 10:42:50.949613,  3]
> ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2018/09/14 10:42:50.949633,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.949651,  3]
> ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2018/09/14 10:42:50.949671,  3]
> ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
> [2018/09/14 10:42:50.951526,  3]
> ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
>   SPNEGO login failed: The request is not supported.
> [2018/09/14 10:42:50.951723,  0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
>   domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.951757,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.951786,  2]
> ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.951864,  3]
> ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_NOT_SUPPORTED] || at
> ../source3/smbd/smb2_sesssetup.c:134
> --
> 
> Any help with this would be greatly appreciated!
> 
> Thanks
> 

Are you also using sssd?
If so, go and contact the sssd-users mailing list, it isn't a Samba
problem.

If you are not using sssd, then go and read this Samba wiki page, the
smb.conf is not set up correctly:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
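
An added example (not part of either message, and not Samba code) for reading the smbd log quoted above: it undoes the mail quoting and re-wrapping, splits the text into records, and lists the unresolved host names, NT status codes and level-0 messages. The names `parse`, `triage` and `SAMPLE` are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: five records copied from the quoted log, keeping the "> "
# quoting and the mail re-wrapping (split headers, records fused on one line).
SAMPLE = """
> [2018/09/14 10:42:50.750094,
> 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list:
> preferred server list: ", *" [2018/09/14 10:42:50.759071,  3]
> ../lib/util/util_net.c:256(interpret_string_addr_internal)
>   interpret_string_addr_internal: getaddrinfo failed for name
> sys3.domain.xx.com (flags 0) [Name or service not known]
> [2018/09/14 10:42:50.823505,  0]
> ../source3/auth/auth_domain.c:185(domain_client_validate)
>   domain_client_validate: Domain password server not available.
> [2018/09/14 10:42:50.823540,  2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password:  Authentication for user [user1] -> [user1]
> FAILED with error NT_STATUS_NOT_SUPPORTED
> [2018/09/14 10:42:50.823705,
> 3]../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_NOT_SUPPORTED] || at
> ../source3/smbd/smb2_sesssetup.c:134
"""

# Header "[date time, level] file:line(function)", then the message up to the next header.
REC = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), ?(\d+)\] ?(\S+?):(\d+)\((\w+)\) ?"
    r"(.*?)(?= ?\[\d{4}/\d\d/\d\d |$)")

def parse(text):
    """Undo quoting and wrapping, then split the stream into log records."""
    lines = (re.sub(r"^(?:> ?)+", "", ln) for ln in text.splitlines())
    flat = " ".join(" ".join(lines).split())
    return [{"ts": m[1], "level": int(m[2]), "src": f"{m[3]}:{m[4]}",
             "func": m[5], "msg": m[6]} for m in REC.finditer(flat)]

def triage(records):
    """Collect what an admin checks first: DNS misses, NT status codes, level-0 errors."""
    names = {n for r in records
             for n in re.findall(r"getaddrinfo failed for name (\S+)", r["msg"])}
    codes = Counter(c for r in records for c in re.findall(r"NT_STATUS_\w+", r["msg"]))
    return {"unresolved": sorted(names), "status": dict(codes),
            "level0": [r["msg"] for r in records if r["level"] == 0]}

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```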


