[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Rowland penny rpenny at samba.org
Mon Feb 24 15:30:23 UTC 2020 

On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10
> I can verify that ldap and kerberos are working but i am having issue with samba which is also configured for kerberos
>   
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root at sample:~# kinit abcd
> Password for abcd at TEST.DE:
> root at sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd at TEST.DE
>
> Valid starting Expires Service principal
> 02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de at TEST.DE
>   renew until 03/02/2020 11:00:47
>
> root at sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root at sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root at sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- ------------------- ------------------------------------------------------
>
>   2 07/17/2013 07:22:50 cifs/sample at TEST.DE (arcfour-hmac)
>   2 07/17/2013 07:22:21 cifs/sample.test.de at TEST.DE (arcfour-hmac)
>
> root at sample:~# kvno cifs/sample at TEST.DE
> cifs/sample at TEST.DE: kvno = 2
>
>
> here is my smb.conf
>
> [global]
>
>      workgroup = test.de
>      security = user
>      realm = TEST.DE
>      kerberos method = system keytab
>      domain logons = yes
>      logon path = \\%N\%U\windowsprofile
>      logon drive = H:
>      logon home = \\%N\%U
>      wins support = no
>      logon script = logon.cmd
>      add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
>
>        log file = /var/log/samba/log.%m
>
>      max log size = 1000
>
Why are you using kerberos with an NT4-style PDC ?

You would need to use 'security = ads' (which would make it a Unix 
domain member)

try reading this: 
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on 
SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also 
allow you to fix some of the problems the old style domains allowed (low 
IDs for one).

Rowland

More information about the samba mailing list