[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Marlon Franco
lonmarlon at yahoo.com
Wed Feb 26 08:19:07 UTC 2020
Hi Rowland,
I tried to set that option but still same result.
I recreated the setup in old debian wheezy 7.11 and it's working.
set the log level = 10
'abcd' is the user account
then i noticed this in /var/log/samba/log.10.0.2.15 = the ip of the samba server, i am issuing the smbclient in the samba server itself.
Unix User found. Rid marked as special and sid (S-1-22-1-12658) saved as extra sid
[2020/02/24 21:13:21.436397, 1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handl
e_sids)
The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258
429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416, 1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_inf
o_krb5)
make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436435, 1, pid=5914, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:174(auth3_generate_session_in
fo_pac)
Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2020/02/24 21:13:21.436477, 3, pid=5914, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
Thanks!
On Monday, February 24, 2020, 8:37:07 PM GMT+1, Rowland penny via samba <samba at lists.samba.org> wrote:
On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, i need to virtualize
> this first before i moved to Samba AD domain, this conf came from the
> debian wheezy which has a samba 3.6.6 i'm trying to replicate the OLD
> server exactly as much as possible because i might break something.
>
> I tried to changed the security = ads and kerberos method = secrets
> and keytab but still could not work
>
> when i do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> or you saying it is not possible unless i moved to samba ad?
>
It wasn't very common to use kerberos with a PDC, so I am unsure if it
will work now. However, it could be fallout from the various changes
since 3.6.x, such 'ntlm auth' now defaulting to NTLMv2.
Try setting these options in smb.conf:
ntlm auth = yes
server max protocol = NT1
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list