[Samba] NT_STATUS_LOGON_FAILURE

Timothy Brewer timothy.brewer at wyo.gov
Wed Oct 23 16:17:48 UTC 2019


Hi,
Since I don't have access to AD to add uidNumber & gidNumber attributes, I
used the second idmap config set. I also reverified the net ads testjoin -
Join is OK.
Still can't ssh from domain accounts and can't *write to* the share from
Win10 or Cent, but I *can* now see into it from Win10 or Cent.
I think my remaining issues are outside Samba, but suggestions/advice still
welcome.

Reposting my current smb.conf for future use:
# Global parameters
[global]
client signing = if_required
local master = No
log file = /var/log/samba/%m
map to guest = Bad User
preferred master = No
realm = <domain.url>
security = ADS
template shell = /sbin/nologin
winbind use default domain = Yes
workgroup = <domain>
idmap config <domain>:backend = rid
idmap config <domain>:unix_nss_info = yes
idmap config <domain>:range = 10000-600000
idmap config * : range = 1000-2000
idmap config * : backend = tdb


[SHARES]
guest ok = Yes
map acl inherit = Yes
path = /media/usb/SHARES
read only = No
vfs objects = acl_xattr
acl_xattr:ignore system acls = Yes

On Wed, Oct 23, 2019 at 9:44 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 23/10/2019 16:16, Timothy Brewer via samba wrote:
> > Hi,
> > I disabled SSSD and made the suggested changes to my smb.conf. Now Win10
> > says "Windows cannot access <path>". I can no longer ssh to the server -
> > permission denied error.
> >
> >
> OK, have you added any uidNumber & gidNumber attributes to AD, if so
> your 'idmap config' block (based on what you posted earlier) should be:
>
>      idmap config * : backend=tdb
>      idmap config * : range=1000-2000
>      idmap config SAMBADOM : backend = ad
>      idmap config SAMBADOM : range = 10000-600000
>      idmap config SAMBADOM : schema_mode =rfc2307
>      idmap config SAMBADOM : unix_nss_info = yes
>      idmap config SAMBADOM : unix_primary_group = yes
>
> Just as long as the uidNumber & gidNumber attributes contain numbers
> inside the '10000-600000' range AND 'Domain Users' has a gidNumber
>
> If you haven't added any uidNumber & gidNumber attributes, then you need
> to use this:
>
>      idmap config * : backend=tdb
>      idmap config * : range=1000-2000
>      idmap config SAMBADOM : backend = rid
>      idmap config SAMBADOM : range = 10000-600000
>
> You would need to run 'net cache flush'
>
> I would also test the join with 'net ads testjoin'
>
> Rowland


-- 
Tim Brewer
Field Services Tech - ETS FS region 2
Wyoming Department of Enterprise Technology Services
2020 Grand Ave.
Laramie, WY 82070
tim.brewer at wyo.gov
website:  ets.wyo.gov
Support:  307-777-5000
Direct Line:  307-343-3183

Ensuring Wyoming has trailblazing technology to meet tomorrow's challenges
while delivering the finest in business services today.

-- 
E-Mail to and from me, in connection with the transaction of public
business, is subject to the Wyoming Public Records Act and may be
disclosed to third parties.
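
Added example (not part of the original thread and not Samba's own code): a small Python check of the 'idmap config' lines discussed above. It confirms that every idmap domain has both a backend and a range and that no ranges overlap, then applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID) to show which Unix ID a given RID receives. The domain name SAMBADOM stands in for the <domain> placeholder, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf above, with the
# <domain> placeholder replaced by the hypothetical name SAMBADOM.
SAMPLE = """\
[global]
security = ADS
idmap config SAMBADOM:backend = rid
idmap config SAMBADOM:range = 10000-600000
idmap config * : range = 1000-2000
idmap config * : backend = tdb
"""

IDMAP = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    doms = {}
    for line in text.splitlines():
        m = IDMAP.match(line)
        if not m:
            continue
        dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
        if opt == "range":
            val = tuple(int(x) for x in val.split("-"))
        doms.setdefault(dom, {})[opt] = val
    return doms

def check(doms):
    """List problems that leave winbind unable to map IDs, or mapping them twice."""
    problems = []
    if "*" not in doms:
        problems.append("no default ('*') idmap domain")
    for d, o in doms.items():
        if "range" not in o or "backend" not in o:
            problems.append(f"{d}: needs both backend and range")
    # Sorted by low bound, any overlap shows up between neighbours.
    ranged = sorted((o["range"], d) for d, o in doms.items() if "range" in o)
    for (r1, d1), (r2, d2) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(doms, domain, rid, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    low, high = doms[domain]["range"]
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

With the rid backend, a RID that maps outside the configured range cannot be given a Unix ID, which is one reason an account can authenticate to the domain yet still be refused on the share.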

