I have an NT domain on Debian Stretch. It's been upgraded numerous times, but has been running for almost a decade. Since upgrading from 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot connect to shares. Prior to upgrading, I found the changes mentioned for 4.2 regarding NT domains and applied them. Even so, I still cannot connect to network shares nor print to network printers.

smb.conf for DC

[global]
    workgroup = DOMAIN.COM
    server string = Samba PDC
    map to guest = Bad User
    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    client NTLMv2 auth = No
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = wins host bcast
    time server = Yes
    deadtime = 15
    load printers = No
    add user script = /usr/sbin/smbldap-useradd -a -m '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    shutdown script = /sbin/shutdown -h now
    abort shutdown script = /sbin/shutdown -c
    logon script = %U.bat
    logon path = ""
    logon drive = U:
    logon home = \\am1100\users\%U
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=admin,dc=domain,dc=com
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=domain,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users
    panic action = /usr/share/samba/panic-action %d
    require strong key = No
    allow nt4 crypto = Yes
    idmap config * : backend = tdb
    admin users = root dale "@Domain Admins"
    hosts allow = 192.168.0. 127.
    ea support = Yes
    veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
    map archive = No
    map readonly = no
    store dos attributes = Yes

member server smb.conf

[global]
    workgroup = DOMAIN.COM
    server string = Samba File Server
    server role = member server
    security = DOMAIN
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    map untrusted to domain = Yes
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = wins host bcast
    client signing = No
    server signing = No
    deadtime = 15
    printcap cache time = 300
    printcap name = cups
    wins server = 192.168.0.y
    ldap admin dn = cn=admin,dc=domain,dc=com
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=domain,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users
    panic action = /usr/share/samba/panic-action %d
    require strong key = No
    allow nt4 crypto = Yes
    admin users = root dale "@Domain Admins"
    hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
    ea support = Yes
    veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
    map archive = No
    map readonly = no
    store dos attributes = Yes

Connecting to the DC from a Win7 system, I get this:

[2016/03/10 18:06:08.234861, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded
[2016/03/10 18:57:24.235719, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded
[2016/03/10 19:55:30.516145, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/10 19:55:56.746553, 0] ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
  ../source3/rpc_server/srv_pipe.c:443: auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND
[2016/03/10 19:55:56.886317, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [MASTER$] -> [MASTER$] -> [master$] succeeded
[2016/03/10 19:55:56.915982, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded

Connecting to the DC from a linux desktop, I get this:

[2016/03/23 20:56:45.371682, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [dale] -> [dale] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/03/23 21:06:56.306813, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
[2016/03/23 21:06:56.306829, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 read error = NT_STATUS_CONNECTION_RESET.
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.307205, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.311944, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 read error = NT_STATUS_CONNECTION_RESET.

Connecting to the file server from Win7:

[2016/03/23 20:47:16.885244, 6, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOMAIN.COM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [dale]
[2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
  Check auth for: [dale]
[2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dale] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [dale] -> [dale] FAILED with error NT_STATUS_NO_LOGON_SERVERS

Connecting to the file server from linux system:

[2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain)
  wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752144, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:62(make_user_info)
  attempting to make a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752195, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:70(make_user_info)
  making strings for ABORT's user_info struct
[2016/03/15 19:00:08.752237, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:108(make_user_info)
  making blobs for ABORT's user_info struct
[2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
  made a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752310, 3, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN.COM]\[ABORT]@[MASTER2015] with the new password interface
[2016/03/15 19:00:08.752350, 3, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
[2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  challenge is:
[2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752601, 6, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOMAIN.COM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752898, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/15 19:00:08.752939, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ABORT] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/15 19:00:08.752997, 2, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [ABORT] -> [ABORT] FAILED with error NT_STATUS_NO_LOGON_SERVERS

The winbind error messages are correct, as I use nss_ldap/pam_ldap for authentication, and that works. getent retrieves all ldap users and groups on both DC and member. I can successfully ssh into either the DC or member. Oddly, I can access a share on the DC from the Win7 system, but no other shares.

Can anyone spot what I've missed in the upgrade?

Thanks,
Dale

No takers thus far. These are the Samba 4.2 changes to which I previously referred (https://www.samba.org/samba/history/samba-4.2.0.html):

  For the client side we have the following new options:
  "require strong key" (yes by default), "reject md5 servers" (no by default).
  E.g. for Samba 3.0.37 you need "require strong key = no" and
  for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth = no",

  On the server side (as domain controller) we have the following new options:
  "allow nt4 crypto" (no by default), "reject md5 client" (no by default).
  E.g. in order to allow Samba < 3.0.27 or NT4 members to work
  you need "allow nt4 crypto = yes"

I believe I have applied them correctly, but have not had any success to date. All member servers are Debian Jessie or Stretch, and the Windows systems are all Win7.

Can anyone please advise as to why the clients see no logon server?

Thanks,
Dale

On 03/24/2016 1:34 PM, Dale Schroeder wrote:
> I have an NT domain on Debian Stretch. It's been upgraded numerous
> times, but has been running for almost a decade. Since upgrading from
> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot
> connect to shares. Prior to upgrading, I found the changes mentioned
> for 4.2 regarding NT domains and applied them. Even so, I still
> cannot connect to network shares nor print to network printers.
> [...]

You may have included this in another email however I will ask anyway, did you set DNS to your server in the Linux and Windows clients? Can you check if a Windows Server can join? Can you use DNS management to check the DNS on you samba server? On Mar 28, 2016 2:15 PM, "Dale Schroeder" <dale at briannassaladdressing.com> wrote:> No takers thus far. These are the Samba 4.2 changes to which I previously > referred (https://www.samba.org/samba/history/samba-4.2.0.html) : > > For the client side we have the following new options: > "require strong key" (yes by default), "reject md5 servers" (no by > default). > E.g. for Samba 3.0.37 you need "require strong key = no" and > for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth > = no", > > On the server side (as domain controller) we have the following new > options: > "allow nt4 crypto" (no by default), "reject md5 client" (no by > default). > E.g. in order to allow Samba < 3.0.27 or NT4 members to work > you need "allow nt4 crypto = yes" > > I believe I have applied them correctly, but have not had any success to > date. All member servers are Debian Jessie or Stretch, and the Windows > systems are all Win7. > > Can anyone please advise as to why the clients see no logon server? > > Thanks, > Dale > > > On 03/24/2016 1:34 PM, Dale Schroeder wrote: > >> I have an NT domain on Debian Stretch. It's been upgraded numerous >> times, but has been running for almost a decade. Since upgrading from >> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot connect >> to shares. Prior to upgrading, I found the changes mentioned for 4.2 >> regarding NT domains and applied them. Even so, I still cannot connect to >> network shares nor print to network printers. 
>> >> smb.conf for DC >> >> [global] >> workgroup = DOMAIN.COM >> server string = Samba PDC >> map to guest = Bad User >> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z" >> passwd program = /usr/bin/passwd %u >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >> *Retype\snew\sUNIX\spassword:* %n\n . >> client NTLMv2 auth = No >> log file = /var/log/samba/log.%m >> max log size = 1000 >> name resolve order = wins host bcast >> time server = Yes >> deadtime = 15 >> load printers = No >> add user script = /usr/sbin/smbldap-useradd -a -m '%u' >> delete user script = /usr/sbin/smbldap-userdel '%u' >> add group script = /usr/sbin/smbldap-groupadd -p '%g' >> delete group script = /usr/sbin/smbldap-groupdel '%g' >> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g' >> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' >> '%g' >> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' >> add machine script = /usr/sbin/smbldap-useradd -w '%u' >> shutdown script = /sbin/shutdown -h now >> abort shutdown script = /sbin/shutdown -c >> logon script = %U.bat >> logon path = "" >> logon drive = U: >> logon home = \\am1100\users\%U >> domain logons = Yes >> os level = 65 >> preferred master = Yes >> domain master = Yes >> wins support = Yes >> ldap admin dn = cn=admin,dc=domain,dc=com >> ldap group suffix = ou=Groups >> ldap idmap suffix = ou=Idmap >> ldap machine suffix = ou=Computers >> ldap passwd sync = yes >> ldap suffix = dc=domain,dc=com >> ldap ssl = no >> ldap user suffix = ou=Users >> panic action = /usr/share/samba/panic-action %d >> require strong key = No >> allow nt4 crypto = Yes >> idmap config * : backend = tdb >> admin users = root dale "@Domain Admins" >> hosts allow = 192.168.0. 127. 
>> ea support = Yes >> veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/ >> map archive = No >> map readonly = no >> store dos attributes = Yes >> >> member server smb.conf >> >> [global] >> workgroup = DOMAIN.COM >> server string = Samba File Server >> server role = member server >> security = DOMAIN >> allow trusted domains = No >> map to guest = Bad User >> obey pam restrictions = Yes >> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y" >> passwd program = /usr/bin/passwd %u >> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n >> *Retype\snew\sUNIX\spassword:* %n\n . >> map untrusted to domain = Yes >> log file = /var/log/samba/log.%m >> max log size = 1000 >> name resolve order = wins host bcast >> client signing = No >> server signing = No >> deadtime = 15 >> printcap cache time = 300 >> printcap name = cups >> wins server = 192.168.0.y >> ldap admin dn = cn=admin,dc=domain,dc=com >> ldap group suffix = ou=Groups >> ldap idmap suffix = ou=Idmap >> ldap machine suffix = ou=Computers >> ldap passwd sync = yes >> ldap suffix = dc=domain,dc=com >> ldap ssl = no >> ldap user suffix = ou=Users >> panic action = /usr/share/samba/panic-action %d >> require strong key = No >> allow nt4 crypto = Yes >> admin users = root dale "@Domain Admins" >> hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1 >> ea support = Yes >> veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/ >> map archive = No >> map readonly = no >> store dos attributes = Yes >> >> Connecting to the DC from a Win7 system, I get this: >> >> [2016/03/10 18:06:08.234861, 2] >> ../source3/auth/auth.c:305(auth_check_ntlm_password) >> check_ntlm_password: authentication for user [dale] -> [dale] -> >> [dale] succeeded >> [2016/03/10 18:57:24.235719, 2] >> ../source3/auth/auth.c:305(auth_check_ntlm_password) >> check_ntlm_password: authentication for user [dale] -> [dale] -> >> [dale] succeeded >> [2016/03/10 19:55:30.516145, 1] >> ../source3/smbd/process.c:554(receive_smb_talloc) >> 
receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read >> error = NT_STATUS_CONNECTION_RESET. >> [2016/03/10 19:55:56.746553, 0] >> ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind) >> ../source3/rpc_server/srv_pipe.c:443: >> auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND >> [2016/03/10 19:55:56.886317, 2] >> ../source3/auth/auth.c:305(auth_check_ntlm_password) >> check_ntlm_password: authentication for user [MASTER$] -> [MASTER$] -> >> [master$] succeeded >> [2016/03/10 19:55:56.915982, 2] >> ../source3/auth/auth.c:305(auth_check_ntlm_password) >> check_ntlm_password: authentication for user [dale] -> [dale] -> >> [dale] succeeded >> >> Connecting to the DC from a linux desktop, I get this: >> >> [2016/03/23 20:56:45.371682, 2] >> ../source3/auth/auth.c:315(auth_check_ntlm_password) >> check_ntlm_password: Authentication for user [dale] -> [dale] FAILED >> with error NT_STATUS_WRONG_PASSWORD >> [2016/03/23 21:06:56.306813, 1] >> ../source3/smbd/process.c:554(receive_smb_talloc) >> [2016/03/23 21:06:56.306829, 1] >> ../source3/smbd/process.c:554(receive_smb_talloc) >> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 read >> error = NT_STATUS_CONNECTION_RESET. >> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 read >> error = NT_STATUS_CONNECTION_RESET. >> [2016/03/23 21:06:56.307205, 1] >> ../source3/smbd/process.c:554(receive_smb_talloc) >> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 read >> error = NT_STATUS_CONNECTION_RESET. >> [2016/03/23 21:06:56.311944, 1] >> ../source3/smbd/process.c:554(receive_smb_talloc) >> receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 read >> error = NT_STATUS_CONNECTION_RESET. 
>> >> Connecting to the file server from Win7: >> >> [2016/03/23 20:47:16.885244, 6, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth) >> check_samstrict_security: DOMAIN.COM is not one of my local names >> (ROLE_DOMAIN_MEMBER) >> [2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password) >> check_ntlm_password: sam had nothing to say >> [2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security) >> Check auth for: [dale] >> [2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security) >> check_winbind_security: wbcAuthenticateUserEx failed: >> WBC_ERR_WINBIND_NOT_AVAILABLE >> [2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security) >> Check auth for: [dale] >> [2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security) >> check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM >> [2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password) >> check_ntlm_password: winbind authentication for user [dale] FAILED with >> error NT_STATUS_NO_LOGON_SERVERS >> [2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password) >> check_ntlm_password: Authentication for user [dale] -> [dale] FAILED >> with error NT_STATUS_NO_LOGON_SERVERS >> >> Connecting to the file server from linux system: >> >> [2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 0), >> class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain) 
>> wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
>> [2016/03/15 19:00:08.752144, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:62(make_user_info)
>> attempting to make a user_info for ABORT (ABORT)
>> [2016/03/15 19:00:08.752195, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:70(make_user_info)
>> making strings for ABORT's user_info struct
>> [2016/03/15 19:00:08.752237, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:108(make_user_info)
>> making blobs for ABORT's user_info struct
>> [2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/user_info.c:159(make_user_info)
>> made a user_info for ABORT (ABORT)
>> [2016/03/15 19:00:08.752310, 3, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user [DOMAIN.COM]\[ABORT]@[MASTER2015]
>> with the new password interface
>> [2016/03/15 19:00:08.752350, 3, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>> check_ntlm_password: mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
>> [2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
>> check_ntlm_password: auth_context challenge created by random
>> [2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>> challenge is:
>> [2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>>
check_ntlm_password: guest had nothing to say
>> [2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752601, 6, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
>> check_samstrict_security: DOMAIN.COM is not one of my local names
>> (ROLE_DOMAIN_MEMBER)
>> [2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
>> check_ntlm_password: sam had nothing to say
>> [2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
>> check_winbind_security: wbcAuthenticateUserEx failed:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> [2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
>> Check auth for: [ABORT]
>> [2016/03/15 19:00:08.752898, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
>> check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
>> [2016/03/15 19:00:08.752939, 5, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>> check_ntlm_password: winbind authentication for user [ABORT] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>> [2016/03/15 19:00:08.752997, 2, pid=30212, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [ABORT] -> [ABORT] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>>
>> The winbind error messages
are correct, as I use nss_ldap/pam_ldap for
>> authentication, and that works. getent retrieves all ldap users and groups
>> on both DC and member. I can successfully ssh into either the DC or
>> member. Oddly, I can access a share on the DC from the Win7 system, but no
>> other shares.
>>
>> Can anyone spot what I've missed in the upgrade?
>>
>> Thanks,
>> Dale
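A triage helper for smbd logs like the ones quoted above, added here as an example and not part of the original post or of Samba: it splits log text into records and keeps only the final `check_ntlm_password` verdicts, so the per-backend lines (guest, sam, winbind) do not inflate the failure count. The function names and the embedded sample are constructed for illustration.

```python
import re
from collections import Counter

# "[date time, level, ...] file:line(function)" opens each Samba log record.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+)[^\]]*\]\s+"
    r"\S+?:\d+\((?P<func>\w+)\)")
# Final verdicts carry the "[user] -> [mapped]" chain; per-backend lines do not.
VERDICT = re.compile(
    r"authentication for user \[(?P<user>[^\]]+)\] -> .*?"
    r"(?:(?P<ok>succeeded)|FAILED with error (?P<status>NT_STATUS_\w+))", re.I)

# Constructed sample modelled on the quoted records, mail quote markers included.
SAMPLE = """\
>> [2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
>>   check_ntlm_password: winbind authentication for user [dale] FAILED with
>> error NT_STATUS_NO_LOGON_SERVERS
>> [2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0),
>> class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>>   check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
>> with error NT_STATUS_NO_LOGON_SERVERS
>> [2016/03/10 19:55:56.886317, 2]
>> ../source3/auth/auth.c:305(auth_check_ntlm_password)
>>   check_ntlm_password: authentication for user [MASTER$] -> [MASTER$] ->
>> [master$] succeeded
"""

def parse_records(raw):
    """Split raw (possibly quoted or flattened) log text into records."""
    # Drop ">" quote runs but keep the "->" arrows, then collapse whitespace.
    text = " ".join(re.sub(r"(?<!-)>+", " ", raw).split())
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield {"ts": h["ts"], "level": int(h["level"]), "func": h["func"],
               "msg": text[h.end():end].strip()}

def auth_verdicts(raw):
    """Return (timestamp, user, 'OK' or NT_STATUS_*) for each final verdict."""
    return [(r["ts"], m["user"], "OK" if m["ok"] else m["status"])
            for r in parse_records(raw) if (m := VERDICT.search(r["msg"]))]

def failures_by_user(raw):
    """Count failed final verdicts per (user, status) pair."""
    return Counter((u, s) for _, u, s in auth_verdicts(raw) if s != "OK")

if __name__ == "__main__":
    print(dict(failures_by_user(SAMPLE)))
```

Grouping the result by status separates credential problems (`NT_STATUS_WRONG_PASSWORD`) from infrastructure ones (`NT_STATUS_NO_LOGON_SERVERS`), which is the distinction the DC and member-server logs in this thread turn on.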