[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k

Marlon Franco lonmarlon at yahoo.com
Wed Feb 26 08:19:07 UTC 2020

Hi Rowland,
I tried to set that option but still got the same result.
I recreated the setup in old Debian wheezy 7.11 and it's working.
I set the log level = 10.
'abcd' is the user account.

Then I noticed this in /var/log/samba/log. = the ip of the samba server, I am issuing the smbclient on the samba server itself.

Unix User found. Rid marked as special and sid (S-1-22-1-12658) saved as extra sid
[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handl
  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_inf
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436435,  1, pid=5914, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:174(auth3_generate_session_in
  Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2020/02/24 21:13:21.436477,  3, pid=5914, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]


    On Monday, February 24, 2020, 8:37:07 PM GMT+1, Rowland penny via samba <samba at lists.samba.org> wrote:  
 On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
> Can we at least make it work on a new server? I need to virtualize 
> this first before I move to a Samba AD domain. This conf came from the 
> Debian wheezy, which has Samba 3.6.6. I'm trying to replicate the OLD 
> server as exactly as possible because I might break something.
> I tried to change the security = ads and kerberos method = secrets 
> and keytab but it still would not work.
> When I do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
> Or are you saying it is not possible unless I move to Samba AD?
It wasn't very common to use kerberos with a PDC, so I am unsure if it 
will work now. However, it could be fallout from the various changes 
since 3.6.x, such as 'ntlm auth' now defaulting to NTLMv2.

Try setting these options in smb.conf:

ntlm auth = yes

server max protocol = NT1
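
An added example, not part of either post and not Samba project code: a small parser that pulls the "primary group domain sid ... does not match" record out of an smbd log and shows the two domain SIDs side by side. The function names are hypothetical, and the sample text is the excerpt quoted in this thread with the wrapped SID rejoined.

```python
import re

# Log excerpt from the post above (header lines are truncated there too; the
# wrapped domain SID is rejoined onto one line).
SAMPLE_LOG = """\
[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handl
  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_inf
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+), pid=(\d+)")
MISMATCH = re.compile(
    r"primary group domain sid\((S-[\d-]+)\) does not match the domain "
    r"sid\((S-[\d-]+)\) for (\S+?)\((S-[\d-]+)\)")

def records(text):
    """Yield (timestamp, pid, message) per smbd record: a '[...]' header
    line followed by one or more indented message lines."""
    ts = pid = None
    body = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts:
                yield ts, pid, " ".join(body)
            ts, pid, body = m.group(1), int(m.group(3)), []
        elif ts and line.strip():
            body.append(line.strip())
    if ts:
        yield ts, pid, " ".join(body)

def sid_mismatches(text):
    """Return one dict per primary-group/domain SID mismatch record."""
    found = []
    for ts, pid, msg in records(text):
        m = MISMATCH.search(msg)
        if not m:
            continue
        group_sid, domain_sid, user, user_sid = m.groups()
        found.append({
            "time": ts, "pid": pid, "user": user, "user_sid": user_sid,
            # Domain part of the group SID = the SID minus its trailing RID.
            "group_domain": group_sid.rsplit("-", 1)[0],
            "server_domain": domain_sid,
            # S-1-22-1-<uid> is the SID Samba gives a plain Unix user.
            "unix_user": user_sid.startswith("S-1-22-1-"),
        })
    return found
```

Run against the excerpt, `sid_mismatches(SAMPLE_LOG)` reports that the primary group in the Kerberos PAC belongs to domain S-1-5-21-2449491038-845518472-943770720 while the server's own domain SID is S-1-5-21-3914098627-448258429-2114528033.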

