[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction

Goetz, Patrick G pgoetz at math.utexas.edu
Fri Jun 14 23:15:58 UTC 2019


OK, at a loss for what to try next.

According to this page, it should be possible to make this work:

   http://www.hexblot.com/blog/centos-7-active-directory-and-samba

However, I can't get AD users to authenticate when I run

   net use * \\cns-cryo-road1\my_share /user:austin\pgoetz

Authenticating via ssh, su, or from the console using the same AD 
UserName is not a problem.

It seems like the relevant smb.conf keys here are:

   security = user|ads
   server role = auto

I've been leaving server-role set at auto (assuming this will do the 
right thing).

When I set security=user and turn up debugging to 10, I see this in the 
log file:

---------------------------------------
[2019/06/14 17:34:58.892367,  3, pid=5112, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:34:58.892385,  3, pid=5112, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
[2019/06/14 17:34:58.892644,  5, pid=5112, effective(0, 0), real(0, 0), 
class=passdb] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
   pdb_getsampwnam (TDB): error fetching database.
    Key: USER_pgoetz
[2019/06/14 17:34:58.892678,  4, pid=5112, effective(0, 0), real(0, 0)] 
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/06/14 17:34:58.892697,  3, pid=5112, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/check_samsec.c:399(check_sam_security)
   check_sam_security: Couldn't find user 'pgoetz' in passdb.
---------------------------------------

Yes, of course.  There is no passdb, this is a domain user.  Further, the 
"check_ntlm_password" seems to be indicative of attempting to use NTLM, 
which won't work with AD.  Also, I have netbios turned off:

   disable netbios = yes


OK, so I change to security=ads, but get similar stuff in the 
resulting log file:

---------------------------------------
[2019/06/14 17:49:17.067591,  3, pid=5252, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:49:17.067616,  3, pid=5252, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
   check_ntlm_password:  mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
   auth_check_ntlm_password: winbind authentication for user [pgoetz] 
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184022,  2, pid=5252, effective(0, 0), real(0, 0), 
class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
   check_ntlm_password:  Authentication for user [pgoetz] -> [pgoetz] 
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184060,  2, pid=5252, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019 
17:49:17.184047 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] 
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:34782] 
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 17:49:17.184212,  2, pid=5252, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:220(log_json)
   JSON Authentication: {"timestamp": "2019-06-14T17:49:17.184116-0500", 
"type": "Authentication", "Authentication": {"version": {"major": 1, 
"minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress": 
"ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:34782", 
"serviceDescription": "SMB2", "authDescription": null, "clientDomain": 
"austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1", 
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", 
"mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 17:49:17.184275,  5, pid=5252, effective(0, 0), real(0, 0)] 
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
   Checking NTLMSSP password for austin\pgoetz failed: 
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184302,  5, pid=5252, effective(0, 0), real(0, 0)] 
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
   ../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for 
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 17:49:17.184328,  2, pid=5252, effective(0, 0), real(0, 0)] 
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------

Why is it trying to use NTLMv2 and looking for NT logon servers when I 
specified security=ads?


So, question:  it seems some people have this working: mind sharing the 
relevant parts of your smb.conf files?  I must have some parameter set 
wrong, I just can't figure out what it is.

OK, just for fun tried:

   security=auto
   server role = member server

and it's still trying to do NT authentication!

---------------------------------------
  check_ntlm_password:  Authentication for user [pgoetz] -> [pgoetz] 
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278208,  2, pid=5407, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:760(log_authentication_event_human_readable)
   Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019 
18:12:19.278194 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] 
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:36182] 
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 18:12:19.278369,  2, pid=5407, effective(0, 0), real(0, 0)] 
../auth/auth_log.c:220(log_json)
   JSON Authentication: {"timestamp": "2019-06-14T18:12:19.278263-0500", 
"type": "Authentication", "Authentication": {"version": {"major": 1, 
"minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress": 
"ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:36182", 
"serviceDescription": "SMB2", "authDescription": null, "clientDomain": 
"austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1", 
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", 
"mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer": 
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": 
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": 
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 18:12:19.278415,  5, pid=5407, effective(0, 0), real(0, 0)] 
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
   Checking NTLMSSP password for austin\pgoetz failed: 
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278440,  5, pid=5407, effective(0, 0), real(0, 0)] 
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
   ../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for 
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 18:12:19.278467,  2, pid=5407, effective(0, 0), real(0, 0)] 
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------

Totally at a loss.  Did Canonical ship an absolutely broken version of 
Samba in an LTS?!
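
The "JSON Authentication:" records in the logs above can be pulled out and tallied by status, password type and account, which makes it quick to see what the client actually offered on each attempt. The following is an added example, not part of the original post and not Samba project code; the function names and the sample log (accounts, addresses) are constructed for illustration.

```python
import json
from collections import Counter

MARKER = "JSON Authentication:"

def extract_auth_events(log_text):
    """Return the "Authentication" objects that follow each MARKER."""
    # raw_decode() stops at the end of the JSON object, so a record re-wrapped
    # by a mail client parses; strict=False tolerates a wrap inside a string.
    decoder = json.JSONDecoder(strict=False)
    events, pos = [], 0
    while (pos := log_text.find(MARKER, pos)) != -1:
        start = log_text.find("{", pos)
        if start == -1:
            break
        try:
            record, end = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            pos += len(MARKER)  # truncated record: skip it and keep scanning
            continue
        if record.get("type") == "Authentication":
            events.append(record.get("Authentication") or {})
        pos = end
    return events

def summarize_failures(events):
    """Count logons whose status is not NT_STATUS_OK."""
    counts = Counter()
    for ev in events:
        if ev.get("status") != "NT_STATUS_OK":
            who = "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount"))
            counts[(ev.get("status"), ev.get("passwordType"), who)] += 1
    return counts

# Constructed sample: one wrapped failure, one failure, one success, one truncated.
SAMPLE_LOG = '''\
[2019/06/14 17:49:17.184212,  2] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-06-14T17:49:17.184116-0500",
"type": "Authentication", "Authentication": {"status":
"NT_STATUS_NO_LOGON_SERVERS", "remoteAddress": "ipv4:192.0.2.10:34782",
"clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_NO_LOGON_SERVERS", "clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK", "clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
  JSON Authentication: {"type": "Authentication", "Authentication": {"status":
'''

if __name__ == "__main__":
    for key, n in summarize_failures(extract_auth_events(SAMPLE_LOG)).items():
        print(n, *key)
```
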

