[Samba] NT_STATUS_LOGON_FAILURE

Timothy Brewer timothy.brewer at wyo.gov
Tue Oct 22 21:18:13 UTC 2019


Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues. I've tried
all the fixes I could find to no avail.
My environment:  Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1, bound
to AD via Realmd. SSSD for ACLs, winbind for user map.

Installed packages:  nano, ntpdate, ntp, realmd, sssd, sssd-tools,
sssd-winbind-idmap, samba-winbind, adcli, oddjob, oddjob-mkhomedir,
policycoreutils-python, samba, samba-client, samba-common,
samba-common-tools

Current iteration of the smb.conf:
[global]
client signing = if_required
domain master = No
local master = No
log file = /var/log/samba/%m
log level = 5
map to guest = Bad User
ntlm auth = ntlmv1-permitted #also tried without this; same result
preferred master = No
realm = <domain.url>
security = ADS
winbind use default domain = Yes
workgroup = <domain>
idmap config * : range = 100000-199999
idmap config <domain>:schema_mode = rfc2307
idmap config <domain>:range = 200000-214748647
idmap config <domain>:backend = sss
idmap config * : backend = tdb

[SHARES]
guest ok = Yes
map acl inherit = Yes
path = /media/usb/SHARES
read only = No
vfs objects = acl_xattr
acl_xattr:ignore system acls = Yes

What does work:
  -SSH connection from another Cent7 using my domain creds.
  -Connecting to the share from another Cent7 using my domain creds (ACLs
are messed up but that's another issue)
  -Connection to the share from Win10 using server hostname\root

What doesn't work is connecting to the share from Win10 using my domain
creds. I get an "incorrect password" error. Samba log shows:
../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [user_name]
FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
Human readable:  Auth: [SMB2,(null)] user [domain]\[username] at [Tue, 22
Oct 2019 13:19:40.290329 MDT] with [NTLMv1] status
[NT_STATUS_LOGON_FAILURE] workstation [hostname] remote host
[ipv4:IPaddr:59691] mapped to [domain]\[username]

Thanks!
Tim

-- 
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.
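
The "Human readable" audit line quoted in the message records the negotiated protocol in its `with [...]` field and the outcome in `status [...]`. As an added example (not part of the original message and not Samba's own code), this Python script parses lines in that layout, including ones wrapped across several lines by a mail client, and tallies failed logons per user, workstation and protocol. The sample log lines, names and addresses are constructed.

```python
import re
from collections import Counter

# Field layout follows the "Human readable" Auth line quoted in the message.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]*),(?P<auth_desc>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<time>[^\]]*)\] with \[(?P<protocol>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] "
    r"workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample input (hypothetical domain, users, hosts and addresses).
# The first record is wrapped the way the one in the message is.
SAMPLE_LOG = r"""
Auth: [SMB2,(null)] user [EXAMPLE]\[alice] at [Tue, 22
Oct 2019 13:19:40.290329 MDT] with [NTLMv1] status
[NT_STATUS_LOGON_FAILURE] workstation [WIN10-A] remote host
[ipv4:192.0.2.10:59691] mapped to [EXAMPLE]\[alice]
Auth: [SMB2,(null)] user [EXAMPLE]\[bob] at [Tue, 22 Oct 2019 13:21:02.118400 MDT] with [NTLMv2] status [NT_STATUS_OK] workstation [WIN10-B] remote host [ipv4:192.0.2.11:50122] mapped to [EXAMPLE]\[bob]
Auth: [SMB2,(null)] user [EXAMPLE]\[alice] at [Tue, 22 Oct 2019 13:22:15.000100 MDT] with [NTLMv1] status [NT_STATUS_LOGON_FAILURE] workstation [WIN10-A] remote host [ipv4:192.0.2.10:59702] mapped to [EXAMPLE]\[alice]
"""


def parse_auth_events(text):
    """Return one dict per Auth record; wrapped records are rejoined first."""
    flat = " ".join(text.split())  # collapse newlines and repeated spaces
    return [m.groupdict() for m in AUTH_RE.finditer(flat)]


def summarize(events):
    """Count failures per (user, workstation, protocol, status); list NTLMv1 users."""
    failures = Counter()
    ntlmv1_users = set()
    for ev in events:
        who = f"{ev['domain']}\\{ev['user']}"
        if ev["protocol"] == "NTLMv1":
            ntlmv1_users.add(who)
        if ev["status"] != "NT_STATUS_OK":
            failures[(who, ev["workstation"], ev["protocol"], ev["status"])] += 1
    return failures, sorted(ntlmv1_users)


if __name__ == "__main__":
    failed, v1_users = summarize(parse_auth_events(SAMPLE_LOG))
    for key, count in failed.most_common():
        print(count, *key)
    print("accounts seen authenticating with NTLMv1:", v1_users)
```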

