[Samba] clients not connecting to samba shares

Rowland Penny rpenny at samba.org
Tue Mar 28 08:13:52 UTC 2023



On 27/03/2023 23:55, Gary Dale via samba wrote:
> My Samba setup was working until several months ago. I didn't do 
> anything to it that I can recall but it stopped letting my Windows VMs 
> connect. When I use smbclient to try to connect, I get session setup 
> failed: NT_STATUS_NO_LOGON_SERVERS
> 
> My Internet searches have revealed that this is a common and 
> long-standing issue: frequently reported but I've had no luck finding 
> anyone posting a solution.
> 
> I'm running Debian/Bullseye on an AMD64 machine. This is also an NFS 
> server as that's how I connect from my various Linux devices. I only 
> discovered the issue when I tried to install a piece of software on a 
> Windows 10 VM. I have no problem logging into the VMs using domain 
> accounts.
> 
> I've verified that it also affects a Windows 7 VM so it's not a problem 
> with the VM. That led me to trying to debug the server. The Samba DC wiki 
> suggests trying smbclient //localhost/netlogon -UAdministrator -c 'ls', 
> which throws the error.
> 
> Interestingly smbclient -L localhost -U% works:
> # smbclient -L localhost -U%
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         sysvol          Disk
>         shares          Disk
>         archives        Disk
>         communications  Disk
>         office          Disk
>         graphics        Disk
>         hardware        Disk
>         install         Disk
>         media$          Disk
>         system          Disk
>         tools           Disk
>         utility         Disk
>         webpages$       Disk
>         develop         Disk
>         backup          Disk
>         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
> SMB1 disabled -- no workgroup available
> 
> Can anyone offer any advice on what may be the problem?
> 
> Below is the output with debug information turned up.
> 
> smbclient -d=5 //localhost/netlogon -U Administrator
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
>   tevent: 5
>   auth_audit: 5
>   auth_json_audit: 5
>   kerberos: 5
>   drs_repl: 5
>   smb2: 5
>   smb2_credits: 5
>   dsdb_audit: 5
>   dsdb_json_audit: 5
>   dsdb_password_audit: 5
>   dsdb_password_json_audit: 5
>   dsdb_transaction_audit: 5
>   dsdb_transaction_json_audit: 5
>   dsdb_group_audit: 5
>   dsdb_group_json_audit: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 5
>   tdb: 5
>   printdrivers: 5
>   lanman: 5
>   smb: 5
>   rpc_parse: 5
>   rpc_srv: 5
>   rpc_cli: 5
>   passdb: 5
>   sam: 5
>   auth: 5
>   winbind: 5
>   vfs: 5
>   idmap: 5
>   quota: 5
>   acls: 5
>   locking: 5
>   msdfs: 5
>   dmapi: 5
>   registry: 5
>   scavenger: 5
>   dns: 5
>   ldb: 5
>   tevent: 5
>   auth_audit: 5
>   auth_json_audit: 5
>   kerberos: 5
>   drs_repl: 5
>   smb2: 5
>   smb2_credits: 5
>   dsdb_audit: 5
>   dsdb_json_audit: 5
>   dsdb_password_audit: 5
>   dsdb_password_json_audit: 5
>   dsdb_transaction_audit: 5
>   dsdb_transaction_json_audit: 5
>   dsdb_group_audit: 5
>   dsdb_group_json_audit: 5
> Processing section "[global]"
> doing parameter netbios name = THELIBRARIAN
> doing parameter realm = RAHIM-DALE.ORG
> doing parameter workgroup = RAHIM-DALE
> doing parameter security = ADS
> doing parameter dns forwarder = 8.8.8.8
> doing parameter server role = active directory domain controller
> doing parameter idmap_ldb:use rfc2307 = yes
> doing parameter allow dns updates = nonsecure
> doing parameter server role check:inhibit = yes
> doing parameter ntlm auth = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter log file = /var/log/samba/%m.log
> doing parameter log level = 1
> doing parameter idmap config * : backend = tdb
> doing parameter idmap config * : range = 3000-7999
> doing parameter idmap config RAHIM-DALE:backend = ad
> doing parameter idmap config RAHIM-DALE:schema_mode = rfc2307
> doing parameter idmap config RAHIM-DALE:range = 100000-999999
> doing parameter idmap config RAHIM-DALE:unix_nss_info = yes
> doing parameter vfs objects = dfs_samba4 acl_xattr recycle
> doing parameter map acl inherit = yes
> doing parameter store dos attributes = yes
> doing parameter template shell = /bin/bash
> doing parameter template homedir = /home/%U
> doing parameter username map = /etc/samba/user.map
> pm_process() returned Yes
> added interface br0 ip=192.168.1.14 bcast=192.168.1.255 
> netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="THELIBRARIAN"
> Client started (version 4.13.13-Debian).
> Opening cache file at /run/samba/gencache.tdb
> sitename_fetch: No stored sitename for realm 'RAHIM-DALE.ORG'
> name localhost#20 found.
> Connecting to 127.0.0.1 at port 445
> Socket options:
>         SO_KEEPALIVE = 0
>         SO_REUSEADDR = 0
>         SO_BROADCAST = 0
>         TCP_NODELAY = 1
>         TCP_KEEPCNT = 9
>         TCP_KEEPIDLE = 7200
>         TCP_KEEPINTVL = 75
>         IPTOS_LOWDELAY = 0
>         IPTOS_THROUGHPUT = 0
>         SO_REUSEPORT = 0
>         SO_SNDBUF = 2626560
>         SO_RCVBUF = 131072
>         SO_SNDLOWAT = 1
>         SO_RCVLOWAT = 1
>         SO_SNDTIMEO = 0
>         SO_RCVTIMEO = 0
>         TCP_QUICKACK = 1
>         TCP_DEFER_ACCEPT = 0
>         TCP_USER_TIMEOUT = 0
> session request ok
> negotiated dialect[SMB3_11] against server[localhost]
> Enter RAHIM-DALE\Administrator's password:
> cli_session_setup_spnego_send: Connect to localhost as 
> Administrator@RAHIM-DALE.ORG using SPNEGO
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism gse_krb5
> GSE to 'localhost' does not make sense
> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: No logon servers are currently available to service 
> the logon request.
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
> root@TheLibrarian:/etc/samba#
> 

Once I picked out your smb.conf from all the above, it became apparent 
that you are running Samba as an AD DC. Not only that, but you are also 
using it as a fileserver; this isn't recommended.

There are a few lines in your smb.conf that shouldn't be there:

server role check:inhibit = yes

This is only required to run the 'nmbd' binary. You should never run 
this on a DC; it has its own version built in. If you are running the 
'nmbd' binary, I suggest you turn it off.

winbind enum users = yes
winbind enum groups = yes

Those are not required and can slow things down.

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config RAHIM-DALE:backend = ad
idmap config RAHIM-DALE:schema_mode = rfc2307
idmap config RAHIM-DALE:range = 100000-999999
idmap config RAHIM-DALE:unix_nss_info = yes

username map = /etc/samba/user.map

Those are only used on a Unix domain member and do nothing on a DC.

Having got that out of the way, your command works for myself, but I only 
use a DC for authentication.

Can I suggest you upgrade to a Samba supported version by using Debian 
backports; this will get you 4.17.6. Can I also suggest you investigate 
running Samba as a Unix domain member instead of using the DC and just 
use the DC for authentication.

I would also check a couple of files, /etc/resolv.conf which should contain:

search rahim-dale.org
nameserver 'THE_DCS_IPADDRESS'

/etc/hosts

127.0.0.1 localhost
'THE_DCS_IPADDRESS' thelibrarian.rahim-dale.org thelibrarian

Please try the above and report back

Rowland
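
The checks from the reply above, collected into one script. This is an added example, not part of the original message and not Samba project code. The function names are hypothetical, the resolv.conf and hosts samples are constructed, and 192.168.1.14 is the br0 address from the quoted log, assumed here to be the DC's address.

```python
# Parameters the reply calls unnecessary on a DC (names without spaces or case).
UNNEEDED = ("serverrolecheck:inhibit", "winbindenumusers",
            "winbindenumgroups", "usernamemap")

def global_params(smb_conf):
    """Return {normalised name: (name as written, value)} for [global]."""
    params, section = {}, None
    for line in map(str.strip, smb_conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = (name.strip(), value.strip())
    return params

def audit_dc(smb_conf, resolv_conf, hosts, dc_ip, fqdn):
    """Return a list of findings; an empty list means every check passed."""
    p = global_params(smb_conf)
    if p.get("serverrole", ("", ""))[1].lower() != "active directory domain controller":
        return ["smb.conf: not an AD DC, checks do not apply"]
    out = [f"smb.conf: not needed on a DC: '{name}'" for key, (name, _) in p.items()
           if key in UNNEEDED or key.startswith("idmapconfig")]
    realm = p.get("realm", ("", ""))[1].lower()
    rc = [l.split() for l in resolv_conf.splitlines() if l.strip()]
    servers = [f[1] for f in rc if f[0] == "nameserver" and len(f) > 1]
    if servers[:1] != [dc_ip]:
        out.append(f"resolv.conf: first nameserver should be {dc_ip}")
    if not any(f[0] == "search" and realm in f[1:] for f in rc):
        out.append(f"resolv.conf: add 'search {realm}'")
    rows = [l.split("#")[0].split() for l in hosts.splitlines()]
    mapped = [f[0] for f in rows if fqdn in f[1:]]
    if mapped != [dc_ip]:
        out.append(f"hosts: {fqdn} maps to {mapped or 'nothing'}, want {dc_ip}")
    return out

# Constructed sample: [global] lines as in the quoted log; the other files invented.
SAMPLE_SMB = """[global]
realm = RAHIM-DALE.ORG
server role = active directory domain controller
server role check:inhibit = yes
winbind enum users = yes
idmap config RAHIM-DALE:backend = ad
username map = /etc/samba/user.map
"""
SAMPLE_RESOLV = "nameserver 8.8.8.8\n"
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.1.1 thelibrarian.rahim-dale.org thelibrarian\n"
DC_IP, FQDN = "192.168.1.14", "thelibrarian.rahim-dale.org"
print("\n".join(audit_dc(SAMPLE_SMB, SAMPLE_RESOLV, SAMPLE_HOSTS, DC_IP, FQDN)))
```

On a real DC, pass the contents of /etc/samba/smb.conf, /etc/resolv.conf and /etc/hosts in place of the sample strings.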



