[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
Goetz, Patrick G
pgoetz at math.utexas.edu
Fri Jun 14 23:15:58 UTC 2019
OK, at a loss for what to try next.
According to this page, it should be possible to make this work:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba
However, I can't get AD users to authenticate when I run
net use * \\cns-cryo-road1\my_share /user:austin\pgoetz
Authenticating via ssh, su, or from the console using the same AD
UserName is not a problem.
It seems like the relevant smb.conf keys here are:
security = user|ads
server role = auto
I've been leaving server-role set at auto (assuming this will do the
right thing).
When I set security=user and turn up debugging to 10, I see this in the
log file:
---------------------------------------
[2019/06/14 17:34:58.892367, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:34:58.892385, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
[2019/06/14 17:34:58.892644, 5, pid=5112, effective(0, 0), real(0, 0),
class=passdb] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_pgoetz
[2019/06/14 17:34:58.892678, 4, pid=5112, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/06/14 17:34:58.892697, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'pgoetz' in passdb.
---------------------------------------
Yes, of course. There is no passdb, this is a domain user. Further, the
"check_ntlm_password" seems to be indicative of attempting to use NTLM,
which won't work with AD. Also, I have netbios turned off:
disable netbios = yes
OK, so I change to security=ads, but get similar stuff in the
resulting log file:
---------------------------------------
[2019/06/14 17:49:17.067591, 3, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:49:17.067616, 3, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
auth_check_ntlm_password: winbind authentication for user [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184022, 2, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184060, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019
17:49:17.184047 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS]
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:34782]
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 17:49:17.184212, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-06-14T17:49:17.184116-0500",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress":
"ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:34782",
"serviceDescription": "SMB2", "authDescription": null, "clientDomain":
"austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1",
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)",
"mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 17:49:17.184275, 5, pid=5252, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
Checking NTLMSSP password for austin\pgoetz failed:
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184302, 5, pid=5252, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 17:49:17.184328, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------
Why is it trying to use NTLMv2 and looking for NT logon servers when I
specified security=ads?
So, question: it seems some people have this working: mind sharing the
relevant parts of your smb.conf files? I must have some parameter set
wrong, I just can't figure out what it is.
OK, just for fun tried:
security=auto
server role = member server
and it's still trying to do NT authentication!
---------------------------------------
check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278208, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019
18:12:19.278194 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS]
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:36182]
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 18:12:19.278369, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-06-14T18:12:19.278263-0500",
"type": "Authentication", "Authentication": {"version": {"major": 1,
"minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress":
"ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:36182",
"serviceDescription": "SMB2", "authDescription": null, "clientDomain":
"austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1",
"becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)",
"mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer":
null, "netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 18:12:19.278415, 5, pid=5407, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
Checking NTLMSSP password for austin\pgoetz failed:
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278440, 5, pid=5407, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 18:12:19.278467, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------
Totally at a loss. Did Canonical ship an absolutely broken version of
Samba in an LTS?!
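
Added example, not part of the original post: the "JSON Authentication:" records that smbd writes, as quoted in the logs above, can be pulled out of a hard-wrapped log and tallied per account, password type and status. The sample log, the account names and the addresses are constructed, and the function names are this example's own.

```python
import json
import re
from collections import Counter

MARKER = re.compile(r"JSON Authentication:\s*")

# Constructed sample in the shape of the records quoted in the post,
# hard-wrapped like mail text; the last record is deliberately truncated.
SAMPLE_LOG = '''../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp": "2019-06-14T17:49:17.184116-0500",
"type": "Authentication", "Authentication": {"status":
"NT_STATUS_NO_LOGON_SERVERS", "remoteAddress": "ipv4:192.0.2.10:34782",
"clientDomain": "EXAMPLE", "clientAccount": "alice", "becameSid": "(NULL
SID)", "passwordType": "NTLMv2"}}
JSON Authentication: {"type": "Authentication", "Authentication":
{"status": "NT_STATUS_NO_LOGON_SERVERS", "clientDomain": "EXAMPLE",
"clientAccount": "alice", "passwordType": "NTLMv2"}}
JSON Authentication: {"type": "Authentication", "Authentication":
{"status": "NT_STATUS_OK", "clientDomain": "EXAMPLE",
"clientAccount": "bob", "passwordType": "NTLMv2"}}
JSON Authentication: {"timestamp": "2019-06-14T17:51:
'''


def auth_events(log_text):
    """Yield the inner "Authentication" object of each parsable record."""
    flat = log_text.replace("\r", "").replace("\n", " ")  # undo hard wrapping
    decoder = json.JSONDecoder()
    for m in MARKER.finditer(flat):
        try:
            record, _ = decoder.raw_decode(flat, m.end())
        except json.JSONDecodeError:
            continue  # truncated or damaged record: skip it, keep scanning
        if isinstance(record, dict) and isinstance(record.get("Authentication"), dict):
            yield record["Authentication"]


def failures_by_account(log_text):
    """Count non-OK logons per (domain\\account, passwordType, status)."""
    counts = Counter()
    for ev in auth_events(log_text):
        if ev.get("status") != "NT_STATUS_OK":
            who = "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount"))
            counts[(who, ev.get("passwordType"), ev.get("status"))] += 1
    return counts


if __name__ == "__main__":
    print(dict(failures_by_account(SAMPLE_LOG)))
```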