[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Marlon Franco lonmarlon at yahoo.com
Mon Feb 24 19:00:55 UTC 2020


Hi Rowland,

Can we at least make it work on a new server? I need to virtualize this first before I move to a Samba AD domain. This conf came from the Debian Wheezy server, which has Samba 3.6.6. I'm trying to replicate the OLD server as exactly as possible because I might break something.

I tried changing to security = ads and kerberos method = secrets and keytab, but it still did not work. When I do

    smbclient -k -L //sample.test.de/ -d 2

I get

    session setup failed: NT_STATUS_ACCESS_DENIED

Or are you saying it is not possible unless I move to Samba AD?

Thanks!

On Monday, February 24, 2020, 04:31:01 PM GMT+1, Rowland Penny via samba <samba at lists.samba.org> wrote:
 
 On 24/02/2020 14:56, Marlon Franco via samba wrote:
> Hi,
>
> I migrated our OLD system to a NEW Debian 10.
> I can verify that LDAP and Kerberos are working, but I am having an issue with Samba, which is also configured for Kerberos.
>  
> NEW - Debian Buster with samba 4.9.5
> OLD - Debian Wheezy with Samba 3.6.6
>
> root@sample:~# kinit abcd
> Password for abcd@TEST.DE:
> root@sample:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: abcd@TEST.DE
>
> Valid starting Expires Service principal
> 02/24/2020 11:00:47 02/24/2020 21:00:47 krbtgt/test.de@TEST.DE
>   renew until 03/02/2020 11:00:47
>
> root@sample:~# smbclient -k -L //sample.test.de/ -d 2
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface enp0s3 ip=10.0.2.15 bcast=10.0.2.255 netmask=255.255.255.0
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> root@sample:~# smbclient -L localhost -Uabcd
> Enter TEST.DE\abcd's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> root@sample:~# klist -kte
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp Principal
> ---- ------------------- ------------------------------------------------------
>
>   2 07/17/2013 07:22:50 cifs/sample@TEST.DE (arcfour-hmac)
>   2 07/17/2013 07:22:21 cifs/sample.test.de@TEST.DE (arcfour-hmac)
>
> root@sample:~# kvno cifs/sample@TEST.DE
> cifs/sample@TEST.DE: kvno = 2
>
>
> Here is my smb.conf:
>
> [global]
>
>      workgroup = test.de
>      security = user
>      realm = TEST.DE
>      kerberos method = system keytab
>      domain logons = yes
>      logon path = \\%N\%U\windowsprofile
>      logon drive = H:
>      logon home = \\%N\%U
>      wins support = no
>      logon script = logon.cmd
>      add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
>
>      log file = /var/log/samba/log.%m
>
>      max log size = 1000
>
Why are you using Kerberos with an NT4-style PDC?

You would need to use 'security = ads' (which would make it a Unix 
domain member)

Try reading this:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I cannot recommend continuing using an NT4-style domain, they depend on 
SMBv1 and this will be removed.

It may just be easier to set up a new Samba AD domain, this will also 
allow you to fix some of the problems the old style domains allowed (low 
IDs for one).

Rowland


