Hello Sambaers,

I cannot access my Samba shares after upgrading my CentOS to 7.4; the Samba version was upgraded to 4.6.2.

I joined CentOS to the Windows domain with the realm command; a domain user (format: username at domainname) could log in to CentOS.

I could get a Kerberos ticket by kinit with a domain user.

Executing the net view command on a domain Windows server gets access denied:

C:\>net view \\ark-centos-smb4.qa.arkivio.com
System error 5 has occurred.

Access is denied.

C:\>net view \\192.168.32.26
System error 5 has occurred.

Access is denied.

I collected the following log while getting the access denied error with the Samba server IP. It complains that it cannot find the user, and running getent passwd domainuser at domainname could finish successfully.

[2017/09/21 00:36:03.319546, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
  init_oplocks: initializing messages.
[2017/09/21 00:36:03.319707, 3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 159 (0 toread)
[2017/09/21 00:36:03.319744, 3] ../source3/smbd/process.c:1538(switch_message)
  switch message SMBnegprot (pid 23703) conn 0x0
[2017/09/21 00:36:03.319767, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.320414, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2017/09/21 00:36:03.320441, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LANMAN1.0]
[2017/09/21 00:36:03.320454, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2017/09/21 00:36:03.320466, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LM1.2X002]
[2017/09/21 00:36:03.320482, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [LANMAN2.1]
[2017/09/21 00:36:03.320497, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [NT LM 0.12]
[2017/09/21 00:36:03.320509, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.002]
[2017/09/21 00:36:03.320538, 3] ../source3/smbd/negprot.c:603(reply_negprot)
  Requested protocol [SMB 2.???]
[2017/09/21 00:36:03.320638, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.320722, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2017/09/21 00:36:03.321314, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
[2017/09/21 00:36:03.321344, 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:587: Warning! Unable to set mem keytab from secrets!
[2017/09/21 00:36:03.322377, 3] ../source3/smbd/negprot.c:730(reply_negprot)
  Selected protocol SMB 2.???
[2017/09/21 00:36:03.323207, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.323262, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.323300, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.323326, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.325145, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.325187, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/09/21 00:36:03.325448, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
[2017/09/21 00:36:03.325466, 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab)
  ../source3/librpc/crypto/gse_krb5.c:587: Warning! Unable to set mem keytab from secrets!
[2017/09/21 00:36:03.327171, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.327477, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.327498, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.327509, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.327562, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.327754, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_LM_KEY
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP_NEGOTIATE_56
[2017/09/21 00:36:03.327897, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.327919, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.327930, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.327951, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.328313, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.328360, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.328376, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.328387, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.328403, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.328478, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24 len2=350
[2017/09/21 00:36:03.328573, 3] ../source3/param/loadparm.c:3823(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/09/21 00:36:03.328664, 3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2017/09/21 00:36:03.328773, 3] ../source3/param/loadparm.c:2752(lp_do_section)
  Processing section "[global]"
  doing parameter netbios name = ARK-CENTOS-SMB4
  doing parameter security = ADS
  doing parameter workgroup = QA.ARKIVIO.COM
  doing parameter kerberos method = secrets and keytab
  doing parameter realm = QA.ARKIVIO.COM
  doing parameter log file = /var/log/samba/%m.log
  doing parameter log level = 4
  doing parameter local master = no
  doing parameter domain master = no
  doing parameter server string = Samba Server Version %v
  doing parameter max log size = 5000
  doing parameter load printers = No
  doing parameter wins support = no
  doing parameter wins proxy = no
  doing parameter dns proxy = yes
  doing parameter name resolve order = host lmhosts wins bcast
[2017/09/21 00:36:03.328953, 2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[arkc1]"
  doing parameter comment = centos samba4 share1
  doing parameter path = /rocket/cifs/cifs1
  doing parameter writable = yes
  doing parameter guest ok = yes
  doing parameter valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
  doing parameter admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
[2017/09/21 00:36:03.329055, 2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[arkc2]"
  doing parameter comment = centos samba4 share2
  doing parameter path = /rocket/cifs/cifs2
  doing parameter writable = yes
  doing parameter admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
  doing parameter valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
[2017/09/21 00:36:03.329149, 4] ../source3/param/loadparm.c:3864(lp_load_ex)
  pm_process() returned Yes
[2017/09/21 00:36:03.329186, 3] ../source3/param/loadparm.c:1592(lp_add_ipc)
  adding IPC service
[2017/09/21 00:36:03.329981, 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name)
  ads_dc_name: domain=QA.ARKIVIO.COM
[2017/09/21 00:36:03.331294, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/09/21 00:36:03.332043, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
  ads_dns_lookup_srv: 2 records returned in the answer section.
[2017/09/21 00:36:03.333572, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
  get_dc_list: returning 3 ip addresses in an ordered list
[2017/09/21 00:36:03.333594, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
  get_dc_list: 192.168.32.231:389 192.168.32.230:389 2001:21:21:32:743e:17d2:61a4:fdb8:389
[2017/09/21 00:36:03.334552, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 192.168.32.231
[2017/09/21 00:36:03.334622, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/09/21 00:36:03.334961, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
  ads_dns_lookup_srv: 2 records returned in the answer section.
[2017/09/21 00:36:03.335007, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
  get_dc_list: returning 3 ip addresses in an ordered list
[2017/09/21 00:36:03.335023, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
  get_dc_list: 192.168.32.230:88 192.168.32.231:88 2001:21:21:32:743e:17d2:61a4:fdb8:88
[2017/09/21 00:36:03.335042, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2017/09/21 00:36:03.335419, 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv)
  ads_dns_lookup_srv: 2 records returned in the answer section.
[2017/09/21 00:36:03.335463, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
  get_dc_list: returning 3 ip addresses in an ordered list
[2017/09/21 00:36:03.335478, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
  get_dc_list: 192.168.32.230:88 192.168.32.231:88 2001:21:21:32:743e:17d2:61a4:fdb8:88
[2017/09/21 00:36:03.336391, 4] ../source3/libsmb/namequery_dc.c:151(ads_dc_name)
  ads_dc_name: using server='ARK-QA-DC2.QA.ARKIVIO.COM' IP=192.168.32.231
[2017/09/21 00:36:03.336496, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.32.231 at port 445
[2017/09/21 00:36:03.337733, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2017/09/21 00:36:03.338945, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/09/21 00:36:03.338973, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_TARGET_TYPE_DOMAIN
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    NTLMSSP_NEGOTIATE_TARGET_INFO
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2017/09/21 00:36:03.339060, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/09/21 00:36:03.339076, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_ANONYMOUS
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2017/09/21 00:36:03.339112, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/09/21 00:36:03.339123, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_ANONYMOUS
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2017/09/21 00:36:03.339972, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/09/21 00:36:03.340000, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_ANONYMOUS
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_VERSION
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
[2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [QA]\[arkadmin]@[NWT-VM-ARK8118] with the new password interface
[2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]
[2017/09/21 00:36:03.344650, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.344698, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.344714, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.344768, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'arkadmin' in passdb.
[2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this SAM.
[2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/09/21 00:36:03.344858, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/09/21 00:36:03.344879, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.344891, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2017/09/21 00:36:03.344901, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2017/09/21 00:36:03.344919, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.344949, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/09/21 00:36:03.345308, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.345337, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.345351, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.345365, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2017/09/21 00:36:03.345535, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Here is my smb.conf content:

#working since 2017-8-1 with sssd?+ad
[global]
netbios name = ARK-CENTOS-SMB4
security = ADS
#workgroup = QA
workgroup = QA.ARKIVIO.COM
kerberos method = secrets and keytab
realm = QA.ARKIVIO.COM
log file = /var/log/samba/%m.log
log level = 4
#password server = *
#passdb backend = tdbsam
#template shell = /bin/bash
#template homedir = /home/%u
#winbind separator = +
local master = no
domain master = no
#auth methods = guest sam_ignoredomain winbind
#guest ok = no
server string = Samba Server Version %v
max log size = 5000
load printers = No
#idmap config * : backend = tdb
#preferred master = no
wins support = no
wins proxy = no
dns proxy = yes
#name resolve order = wins bcast host lmhosts
name resolve order = host lmhosts wins bcast
# Winbind idmap RID settings
# winbind use default domain = yes
# allow trusted domains = yes
# winbind enum users = yes
# winbind enum groups = yes
# winbind nested groups = yes
# idmap config QA : backend = rid
# idmap config QA : default = yes
# idmap config QA : range = 100-33554431
# idmap config * : range = 33554432-67108862
# idmap config * : backend = tdb
# printing = bsd
# load printers = no
# disable spoolss = yes
# printcap name = /dev/null
# log level = 10
# log file = /var/log/samba/samba.log.%m
# max log size = 5000
# debug timestamp = yes
# oplocks = 1
# unix extensions = yes
# clustering = 0
# smb ports = 445, 139
# mangled names = yes
# default case = lower
# case sensitive = auto
# preserve case = yes
# short preserve case = yes
# bind interfaces only = yes
# interfaces = lo bond0:2 eth0:1 eth0:2 eth2 eth3
# dos filetimes = 1
# create mask = 777
# admin users = administrator

[arkc1]
comment = centos samba4 share1
path = /rocket/cifs/cifs1
#public = no
#read only = no
writable = yes
#guest ok = yes
#inherit permissions = 1
#inherit acls = 1
#map acl inherit = 1
#vfs objects = acl_xattr
#acl_xattr:ignore system acls = 1
#valid users = @"autostoradmins at qa.arkivio.com"
#valid users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins
valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
#admin users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin

[arkc2]
comment = centos samba4 share2
path = /rocket/cifs/cifs2
#public = no
#read only = no
writable = yes
#guest ok = no
#vfs objects = acl_xattr
#acl_xattr:ignore system acls = yes
admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin

Please give some advice, thanks.
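An added example, not part of the original post or of Samba: a small Python triage script for an smbd debug log of the shape posted above. It splits the log on entry headers (so it works whether entries sit on their own lines or have been run together), keeps the low-level-number entries from the authentication code paths, and reports which domain the client sent and which domain smbd mapped it to. All function and variable names are this example's own; the sample entries are copied from the log in the post.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Every smbd debug entry starts with a header of this shape:
#   [YYYY/MM/DD HH:MM:SS.ffffff, LEVEL] path/file.c:LINE(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
UNMAPPED = re.compile(r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
NT_STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")


class Entry(NamedTuple):
    ts: str
    level: int
    src: str
    func: str
    msg: str


def parse_entries(text: str) -> List[Entry]:
    """Split a log into entries by header match, not by newline."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse wrapped lines
        entries.append(Entry(m["ts"], int(m["level"]), m["src"], m["func"], msg))
    return entries


def auth_trail(entries: List[Entry], max_level: int = 3) -> List[Entry]:
    """Entries at or below max_level from auth code, or carrying an NT_STATUS."""
    return [
        e for e in entries
        if e.level <= max_level
        and ("/auth/" in e.src or "gse_krb5.c" in e.src or NT_STATUS.search(e.msg))
    ]


def domain_remap(entries: List[Entry]) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (user, domain sent by the client, domain smbd mapped it to)."""
    user = sent = mapped = None
    for e in entries:
        m = UNMAPPED.search(e.msg)
        if m:
            sent, user = m["dom"], m["user"]
        m = MAPPED.search(e.msg)
        if m:
            mapped = m["dom"]
    return user, sent, mapped


def nt_status_codes(entries: List[Entry]) -> List[str]:
    """Distinct NT_STATUS codes in order of first appearance."""
    codes: List[str] = []
    for e in entries:
        for code in NT_STATUS.findall(e.msg):
            if code not in codes:
                codes.append(code)
    return codes


# Entries copied from the log in the post, joined onto one line on purpose.
SAMPLE = " ".join([
    r"[2017/09/21 00:36:03.325448, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)"
    r" ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password",
    r"[2017/09/21 00:36:03.327951, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)"
    r" pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0",
    r"[2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)"
    r" check_ntlm_password: Checking password for unmapped user"
    r" [QA]\[arkadmin]@[NWT-VM-ARK8118] with the new password interface",
    r"[2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)"
    r" check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]",
    r"[2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)"
    r" check_sam_security: Couldn't find user 'arkadmin' in passdb.",
    r"[2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)"
    r" check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this SAM.",
    r"[2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)"
    r" check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin]"
    r" FAILED with error NT_STATUS_NO_SUCH_USER",
    r"[2017/09/21 00:36:03.344949, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)"
    r" smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]"
    r" status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134",
])

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in auth_trail(parsed):
        print(f"{e.ts} L{e.level} {e.func}: {e.msg}")
    user, sent, mapped = domain_remap(parsed)
    print(f"user={user} client domain={sent} mapped domain={mapped}")
    print("status codes:", ", ".join(nt_status_codes(parsed)))
```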
On Thu, 21 Sep 2017 09:22:33 +0000 Qiao Xu via samba <samba at lists.samba.org> wrote:> Hello Sambaers, i can not access my samba shares after upgrade my > centos to 7.4,samba version was upgraded to 4.6.2 > > i joined centos to windows domain by realm command,domain user(format > as username at doaminname) could login to centos > > could get kerberos ticket by kinit with domain user > > > execute net view command at domain windows server get access denied > > > C:\>net view \\ark-centos-smb4.qa.arkivio.com > System error 5 has occurred. > > Access is denied. > > > C:\>net view \\192.168.32.26 > System error 5 has occurred. > > Access is denied. > > > collected following log while get access denied error with samba > server ip, i complains can not find the user,and run getent passwd > domainuser at domainname could finish successfully > > > [2017/09/21 00:36:03.319546, > 3] ../source3/smbd/oplock.c:1322(init_oplocks) init_oplocks: > initializing messages. [2017/09/21 00:36:03.319707, > 3] ../source3/smbd/process.c:1957(process_smb) Transaction 0 of > length 159 (0 toread) [2017/09/21 00:36:03.319744, > 3] ../source3/smbd/process.c:1538(switch_message) switch message > SMBnegprot (pid 23703) conn 0x0 [2017/09/21 00:36:03.319767, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.320414, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [PC NETWORK PROGRAM 1.0] [2017/09/21 00:36:03.320441, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [LANMAN1.0] [2017/09/21 00:36:03.320454, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [Windows for Workgroups 3.1a] [2017/09/21 00:36:03.320466, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [LM1.2X002] [2017/09/21 00:36:03.320482, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [LANMAN2.1] [2017/09/21 00:36:03.320497, > 3] 
../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [NT LM 0.12] [2017/09/21 00:36:03.320509, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [SMB 2.002] [2017/09/21 00:36:03.320538, > 3] ../source3/smbd/negprot.c:603(reply_negprot) Requested protocol > [SMB 2.???] [2017/09/21 00:36:03.320638, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.320722, > 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot) > Selected protocol SMB2_FF [2017/09/21 00:36:03.321314, > 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets) ../source3/librpc/crypto/gse_krb5.c:229: > failed to fetch machine password [2017/09/21 00:36:03.321344, > 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:587: > Warning! Unable to set mem keytab from secrets! [2017/09/21 > 00:36:03.322377, 3] ../source3/smbd/negprot.c:730(reply_negprot) > Selected protocol SMB 2.??? 
[2017/09/21 00:36:03.323207, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.323262, > 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : > sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.323300, > 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : > conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.323326, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.325145, > 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - > sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.325187, > 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot) > Selected protocol SMB2_10 [2017/09/21 00:36:03.325448, > 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets) ../source3/librpc/crypto/gse_krb5.c:229: > failed to fetch machine password [2017/09/21 00:36:03.325466, > 3] ../source3/librpc/crypto/gse_krb5.c:587(gse_krb5_get_server_keytab) ../source3/librpc/crypto/gse_krb5.c:587: > Warning! Unable to set mem keytab from secrets! 
[2017/09/21 > 00:36:03.327171, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327477, > 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : > sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327498, > 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : > conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327509, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327562, > 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - > sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327754, > 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP > neg_flags=0xe2088297 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_NEGOTIATE_OEM > NTLMSSP_REQUEST_TARGET > NTLMSSP_NEGOTIATE_SIGN > NTLMSSP_NEGOTIATE_LM_KEY > NTLMSSP_NEGOTIATE_NTLM > NTLMSSP_NEGOTIATE_ALWAYS_SIGN > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY > NTLMSSP_NEGOTIATE_VERSION > NTLMSSP_NEGOTIATE_128 > NTLMSSP_NEGOTIATE_KEY_EXCH > NTLMSSP_NEGOTIATE_56 > [2017/09/21 00:36:03.327897, > 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : > sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327919, > 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : > conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.327930, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.327951, > 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - > sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328313, > 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328360, > 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx) push_sec_ctx(0, 0) : > sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.328376, > 4] ../source3/smbd/uid.c:491(push_conn_ctx) push_conn_ctx(0) : > conn_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328387, > 
4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal) setting sec > ctx (0, 0) - sec_ctx_stack_ndx = 1 [2017/09/21 00:36:03.328403, > 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx) pop_sec_ctx (0, 0) - > sec_ctx_stack_ndx = 0 [2017/09/21 00:36:03.328478, > 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth) Got > user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24 > len2=350 [2017/09/21 00:36:03.328573, > 3] ../source3/param/loadparm.c:3823(lp_load_ex) lp_load_ex: > refreshing parameters [2017/09/21 00:36:03.328664, > 3] ../source3/param/loadparm.c:542(init_globals) Initialising global > parameters [2017/09/21 00:36:03.328773, > 3] ../source3/param/loadparm.c:2752(lp_do_section) Processing section > "[global]" doing parameter netbios name = ARK-CENTOS-SMB4 doing > parameter security = ADS doing parameter workgroup = QA.ARKIVIO.COM > doing parameter kerberos method = secrets and keytab > doing parameter realm = QA.ARKIVIO.COM > doing parameter log file = /var/log/samba/%m.log > doing parameter log level = 4 > doing parameter local master = no > doing parameter domain master = no > doing parameter server string = Samba Server Version %v > doing parameter max log size = 5000 > doing parameter load printers = No > doing parameter wins support = no > doing parameter wins proxy = no > doing parameter dns proxy = yes > doing parameter name resolve order = host lmhosts wins bcast > [2017/09/21 00:36:03.328953, > 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section > "[arkc1]" doing parameter comment = centos samba4 share1 > doing parameter path = /rocket/cifs/cifs1 > doing parameter writable = yes > doing parameter guest ok = yes > doing parameter valid users > administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain > Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM > doing parameter admin users > administrator at 
qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain > Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin > [2017/09/21 00:36:03.329055, > 2] ../source3/param/loadparm.c:2769(lp_do_section) Processing section > "[arkc2]" doing parameter comment = centos samba4 share2 doing > parameter path = /rocket/cifs/cifs2 doing parameter writable = yes > doing parameter admin users > administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain > Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin > doing parameter valid users > administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain > Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin > [2017/09/21 00:36:03.329149, > 4] ../source3/param/loadparm.c:3864(lp_load_ex) pm_process() returned > Yes [2017/09/21 00:36:03.329186, > 3] ../source3/param/loadparm.c:1592(lp_add_ipc) adding IPC service > [2017/09/21 00:36:03.329981, > 4] ../source3/libsmb/namequery_dc.c:77(ads_dc_name) ads_dc_name: > domain=QA.ARKIVIO.COM [2017/09/21 00:36:03.331294, > 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list: > preferred server list: ", *" [2017/09/21 00:36:03.332043, > 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv) > ads_dns_lookup_srv: 2 records returned in the answer section. 
> [2017/09/21 00:36:03.333572, > 4] ../source3/libsmb/namequery.c:3305(get_dc_list) get_dc_list: > returning 3 ip addresses in an ordered list [2017/09/21 > 00:36:03.333594, 4] ../source3/libsmb/namequery.c:3306(get_dc_list) > get_dc_list: 192.168.32.231:389 192.168.32.230:389 > 2001:21:21:32:743e:17d2:61a4:fdb8:389 [2017/09/21 00:36:03.334552, > 3] ../source3/libads/ldap.c:618(ads_connect) Successfully contacted > LDAP server 192.168.32.231 [2017/09/21 00:36:03.334622, > 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list: > preferred server list: ", *" [2017/09/21 00:36:03.334961, > 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv) > ads_dns_lookup_srv: 2 records returned in the answer section. > [2017/09/21 00:36:03.335007, > 4] ../source3/libsmb/namequery.c:3305(get_dc_list) get_dc_list: > returning 3 ip addresses in an ordered list [2017/09/21 > 00:36:03.335023, 4] ../source3/libsmb/namequery.c:3306(get_dc_list) > get_dc_list: 192.168.32.230:88 192.168.32.231:88 > 2001:21:21:32:743e:17d2:61a4:fdb8:88 [2017/09/21 00:36:03.335042, > 3] ../source3/libsmb/namequery.c:3160(get_dc_list) get_dc_list: > preferred server list: ", *" [2017/09/21 00:36:03.335419, > 4] ../lib/addns/dnsquery.c:435(ads_dns_lookup_srv) > ads_dns_lookup_srv: 2 records returned in the answer section. 
> [2017/09/21 00:36:03.335463, 4] ../source3/libsmb/namequery.c:3305(get_dc_list)
>   get_dc_list: returning 3 ip addresses in an ordered list
> [2017/09/21 00:36:03.335478, 4] ../source3/libsmb/namequery.c:3306(get_dc_list)
>   get_dc_list: 192.168.32.230:88 192.168.32.231:88 2001:21:21:32:743e:17d2:61a4:fdb8:88
> [2017/09/21 00:36:03.336391, 4] ../source3/libsmb/namequery_dc.c:151(ads_dc_name)
>   ads_dc_name: using server='ARK-QA-DC2.QA.ARKIVIO.COM' IP=192.168.32.231
> [2017/09/21 00:36:03.336496, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
>   Connecting to 192.168.32.231 at port 445
> [2017/09/21 00:36:03.337733, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
>   got OID=1.3.6.1.4.1.311.2.2.30
>   got OID=1.2.840.48018.1.2.2
> [2017/09/21 00:36:03.338945, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
>   Got challenge flags:
> [2017/09/21 00:36:03.338973, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62898215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_DOMAIN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339060, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
>   NTLMSSP: Set final flags:
> [2017/09/21 00:36:03.339076, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_ANONYMOUS
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339112, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/09/21 00:36:03.339123, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_ANONYMOUS
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.339972, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2017/09/21 00:36:03.340000, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0x62008a15
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_ANONYMOUS
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> [2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [QA]\[arkadmin]@[NWT-VM-ARK8118] with the new password interface
> [2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]
> [2017/09/21 00:36:03.344650, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344698, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344714, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344768, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'arkadmin' in passdb.
> [2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
>   check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this SAM.
> [2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin] FAILED with error NT_STATUS_NO_SUCH_USER
> [2017/09/21 00:36:03.344858, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> [2017/09/21 00:36:03.344879, 4] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344891, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344901, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2017/09/21 00:36:03.344919, 4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.344949, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
> [2017/09/21 00:36:03.345308, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345337, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345351, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345365, 4] ../source3/smbd/sec_ctx.c:321(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2017/09/21 00:36:03.345535, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
>
>
> here is my smb.conf content
>
>
> #working since 2017-8-1 with sssd?+ad
> [global]
> netbios name = ARK-CENTOS-SMB4
> security = ADS
> #workgroup = QA
> workgroup = QA.ARKIVIO.COM
> kerberos method = secrets and keytab
> realm = QA.ARKIVIO.COM
> log file = /var/log/samba/%m.log
> log level = 4
> #password server = *
> #passdb backend = tdbsam
> #template shell = /bin/bash
> #template homedir = /home/%u
> #winbind separator = +
> local master = no
> domain master = no
> #auth methods = guest sam_ignoredomain winbind
> #guest ok = no
> server string = Samba Server Version %v
> max log size = 5000
> load printers = No
> #idmap config * : backend = tdb
> #preferred master = no
> wins support = no
> wins proxy = no
> dns proxy = yes
> #name resolve order = wins bcast host lmhosts
> name resolve order = host lmhosts wins bcast
>
> # Winbind idmap RID settings
> # winbind use default domain = yes
> # allow trusted domains = yes
> # winbind enum users = yes
> # winbind enum groups = yes
> # winbind nested groups = yes
> # idmap config QA : backend = rid
> # idmap config QA : default = yes
> # idmap config QA : range = 100-33554431
> # idmap config * : range = 33554432-67108862
> # idmap config * : backend = tdb
> # printing = bsd
> # load printers = no
> # disable spoolss = yes
> # printcap name = /dev/null
> # log level = 10
> # log file = /var/log/samba/samba.log.%m
> # max log size = 5000
> # debug timestamp = yes
> # oplocks = 1
> # unix extensions = yes
> # clustering = 0
> # smb ports = 445, 139
> # mangled names = yes
> # default case = lower
> # case sensitive = auto
> # preserve case = yes
> # short preserve case = yes
> # bind interfaces only = yes
> # interfaces = lo bond0:2 eth0:1 eth0:2 eth2 eth3
> # dos filetimes = 1
> # create mask = 777
> # admin users = administrator
>
> [arkc1]
> comment = centos samba4 share1
> path = /rocket/cifs/cifs1
> #public = no
> #read only = no
> writable = yes
> #guest ok = yes
> #inherit permissions = 1
> #inherit acls = 1
> #map acl inherit = 1
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = 1
>
> #valid users = @"autostoradmins at qa.arkivio.com"
> #valid users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM
> #admin users = administrator,auto-stor,arkadmin,Domain Admins,autostoradmins,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
>
> [arkc2]
> comment = centos samba4 share2
> path = /rocket/cifs/cifs2
> #public = no
> #read only = no
> writable = yes
> #guest ok = no
> #vfs objects = acl_xattr
> #acl_xattr:ignore system acls = yes
>
> admin users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
> valid users = administrator at qa.arkivio.com,auto-stor at qa.arkivio.com,arkadmin at qa.arkivio.com,@"Domain Admins at qa.arkivio.com",@"AutostorAdmins at qa.arkivio.com","QA.ARKIVIO.COM\AutostorAdmins",arkadmin at QA.ARKIVIO.COM,QA\arkadmin,QA.ARKIVIO.COM\arkadmin
>
>
> please give some advice,thanks
>

Okay, seeing as you are using sssd and winbind is not doing the authentication, I suggest you go and ask on the sssd-users mailing list.

Rowland
From: https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7#head-281c090cc4fbc6bb5c7d4cd82a266fce807eee7c

"samba share with sssd authentication is broken. This is being worked on upstream. A workaround is to downgrade the samba packages to an earlier version."

On Thursday, 21.09.2017, at 09:22 +0000, Qiao Xu via samba wrote:
> Hello Sambaers, i can not access my samba shares after upgrade my centos to 7.4,samba
> version was upgraded to 4.6.2
>
> i joined centos to windows domain by realm command,domain user(format as username at domainname)
> could login to centos
>
> could get kerberos ticket by kinit with domain user
>
> execute net view command at domain windows server get access denied
>
> C:\>net view \\ark-centos-smb4.qa.arkivio.com
> System error 5 has occurred.
>
> Access is denied.
>
> C:\>net view \\192.168.32.26
> System error 5 has occurred.
>
> Access is denied.
>
> collected following log while get access denied error with samba server ip, i complains can
> not find the user,and run getent passwd domainuser at domainname could finish successfully

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
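The failure chain in the smbd log quoted in this thread (client domain remapped to the server's own SAM, winbind skipped, NT_STATUS_NO_SUCH_USER) can be pulled out of a level-3 log programmatically. This is an added example, not part of the thread and not Samba code; the sample entries are copied from the log above, and the function and class names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Entries copied from the smbd log quoted in this thread (authentication only).
SAMPLE_LOG = r"""
[2017/09/21 00:36:03.328478, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[arkadmin] domain=[QA] workstation=[NWT-VM-ARK8118] len1=24 len2=350
[2017/09/21 00:36:03.344582, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [QA]\[arkadmin]@[NWT-VM-ARK8118]
  with the new password interface
[2017/09/21 00:36:03.344615, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [ARK-CENTOS-SMB4]\[arkadmin]@[NWT-VM-ARK8118]
[2017/09/21 00:36:03.344785, 3] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'arkadmin' in passdb.
[2017/09/21 00:36:03.344808, 3] ../source3/auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [ARK-CENTOS-SMB4] was for this SAM.
[2017/09/21 00:36:03.344835, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [arkadmin] -> [arkadmin] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# "[timestamp, level] source-file:line(function)" starts every smbd log entry.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+:\d+\((?P<func>\w+)\)\s*$")
UNMAPPED = re.compile(
    r"unmapped user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]")
FAILED = re.compile(r"FAILED with error (?P<status>NT_STATUS_\w+)")


def parse_entries(text: str) -> List[dict]:
    """Group header lines with the (possibly wrapped) message lines below them."""
    entries: List[dict] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "func": m["func"], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


@dataclass
class AuthAttempt:
    user: str
    client_domain: str                  # domain the client sent
    mapped_domain: Optional[str] = None  # domain smbd decided to check against
    winbind_skipped: bool = False
    status: Optional[str] = None

    @property
    def remapped_to_local_sam(self) -> bool:
        return (self.mapped_domain is not None
                and self.mapped_domain.upper() != self.client_domain.upper())


def find_auth_attempts(entries: List[dict]) -> List[AuthAttempt]:
    """Each 'unmapped user' entry opens an attempt; a FAILED entry closes it."""
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for e in entries:
        msg = e["msg"]
        m = UNMAPPED.search(msg)
        if m:
            current = AuthAttempt(user=m["user"], client_domain=m["dom"])
            attempts.append(current)
            continue
        if current is None:
            continue
        m = MAPPED.search(msg)
        if m:
            current.mapped_domain = m["dom"]
        elif e["func"] == "check_winbind_security" and "Not using winbind" in msg:
            current.winbind_skipped = True
        else:
            m = FAILED.search(msg)
            if m:
                current.status = m["status"]
                current = None
    return attempts


def diagnose(a: AuthAttempt) -> str:
    if (a.status == "NT_STATUS_NO_SUCH_USER" and a.remapped_to_local_sam
            and a.winbind_skipped):
        return (f"{a.client_domain}\\{a.user} was looked up in the local SAM "
                f"[{a.mapped_domain}]; winbind did not handle the request")
    if a.status:
        return f"{a.client_domain}\\{a.user} failed with {a.status}"
    return f"{a.client_domain}\\{a.user}: no failure recorded"


if __name__ == "__main__":
    for attempt in find_auth_attempts(parse_entries(SAMPLE_LOG)):
        print(diagnose(attempt))
```
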