Hi

I have a Red Hat 7.6 server with samba-4.8.3 which reports
lookup_name_smbconf failed when running "smbclient -L" from another
console on the same server. smbclient works fine on an old server
running Suse and samba version 3 and thew the user.

Any ideas of where to look or what to try?

I got this in the logfile:

# grep "^ " /var/log/samba/log.172.23.10.25
init_oplocks: initializing messages.
Transaction 0 of length 216 (0 toread)
switch message SMBnegprot (pid 25189) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [LANMAN2.1]
Requested protocol [Samba]
Requested protocol [NT LANMAN 1.0]
Requested protocol [NT LM 0.12]
Requested protocol [SMB 2.002]
Requested protocol [SMB 2.???]
Selected protocol SMB2_FF
Selected protocol SMB 2.???
Selected protocol SMB3_11
Found account name from PAC: zmir2 [Hans Schou]
Kerberos ticket principal name is [zmir2 at ACME.COM]
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
Processing section "[global]"
Processing section "[homes]"
Processing section "[fiks_filer]"
Processing section "[fikslog-b]"
Processing section "[tmp]"
adding IPC service
lookup_name_smbconf for ACME.DOM\zmir2 at acme.com failed
Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../source3/smbd/smb2_sesssetup.c:137
Server exit (NT_STATUS_END_OF_FILE)

smb.conf:
[global]
log level = 3
unix charset = UTF8
dos charset = ISO-8859-1
workgroup = ACME.DOM
realm = ACME.COM
server string = Samba %v paa %L(%h)
security = ads
encrypt passwords = yes
kerberos method = secrets and keytab
password server = srv-addc1.acme.com
winbind use default domain = yes
idmap config ACME.DOM : backend = rid
idmap config ACME.DOM : range = 1000 - 999999
idmap config * : backend = tdb
idmap config * : range = 1000 - 999999
winbind enum users = yes
winbind enum groups = yes
deadtime = 10
winbind cache time = 10
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
ldap idmap suffix = dc=acme,dc=dk
ldap admin dn = sn=Administrator,cn=Users,dc=acme,dc=dk
ldap suffix = dc=acme,dc=dk
log file = /var/log/samba/log.%m
max log size = 100
local master = No
dns proxy = No
wins server = srv-dhcp3.acme.com
include = /etc/samba/smb.conf.%h
printing = cups
cups options = raw

best regards

On Fri, 22 Feb 2019 14:34:49 +0100
Hans Schou via samba <samba at lists.samba.org> wrote:

> Hi
>
> I have a Red Hat 7.6 server with samba-4.8.3 which reports
> lookup_name_smbconf failed when running "smbclient -L" from another
> console on the same server. smbclient works fine on an old server
> running Suse and samba version 3 and thew the
> user.
>
> Any ideas of where to look or what to try?
>
> I got this in the logfile:
>
> # grep "^ " /var/log/samba/log.172.23.10.25
> init_oplocks: initializing messages.
> Transaction 0 of length 216 (0 toread)
> switch message SMBnegprot (pid 25189) conn 0x0
> Requested protocol [PC NETWORK PROGRAM 1.0]
> Requested protocol [MICROSOFT NETWORKS 1.03]
> Requested protocol [MICROSOFT NETWORKS 3.0]
> Requested protocol [LANMAN1.0]
> Requested protocol [LM1.2X002]
> Requested protocol [DOS LANMAN2.1]
> Requested protocol [LANMAN2.1]
> Requested protocol [Samba]
> Requested protocol [NT LANMAN 1.0]
> Requested protocol [NT LM 0.12]
> Requested protocol [SMB 2.002]
> Requested protocol [SMB 2.???]
> Selected protocol SMB2_FF
> Selected protocol SMB 2.???
> Selected protocol SMB3_11
> Found account name from PAC: zmir2 [Hans Schou]
> Kerberos ticket principal name is [zmir2 at ACME.COM]
> lp_load_ex: refreshing parameters
> Initialising global parameters
> Processing section "[global]"
> Processing section "[global]"
> Processing section "[homes]"
> Processing section "[fiks_filer]"
> Processing section "[fikslog-b]"
> Processing section "[tmp]"
> adding IPC service
> lookup_name_smbconf for ACME.DOM\zmir2 at acme.com failed
> Failed to map kerberos pac to server info (NT_STATUS_NO_SUCH_USER)
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> status[NT_STATUS_ACCESS_DENIED] ||
> at ../source3/smbd/smb2_sesssetup.c:137 Server exit
> (NT_STATUS_END_OF_FILE)
>
> smb.conf:
> [global]
> log level = 3
> unix charset = UTF8
> dos charset = ISO-8859-1
> workgroup = ACME.DOM
> realm = ACME.COM

Your REALM MUST be the DNS domain in uppercase.
Your workgroup CANNOT be the same as your REALM.

> server string = Samba %v paa %L(%h)
> security = ads
> encrypt passwords = yes
> kerberos method = secrets and keytab

If you are going to set the above, you also need to add:

dedicated keytab file = /etc/krb5.keytab

> password server = srv-addc1.acme.com

You should let Samba find the 'password server', so remove the line
above.

> winbind use default domain = yes
> idmap config ACME.DOM : backend = rid
> idmap config ACME.DOM : range = 1000 - 999999
> idmap config * : backend = tdb
> idmap config * : range = 1000 - 999999

You are using the same ranges for both domains, this is not allowed,
also you really should start from a different number than '1000'.
The 'ACME.DOM' should be the workgroup.

> winbind enum users = yes
> winbind enum groups = yes

Once everything is working okay, remove the two lines above.

> deadtime = 10
> winbind cache time = 10
> winbind nested groups = yes
> template homedir = /home/%U
> template shell = /bin/bash
> client use spnego = yes
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> ldap idmap suffix = dc=acme,dc=dk
> ldap admin dn = sn=Administrator,cn=Users,dc=acme,dc=dk
> ldap suffix = dc=acme,dc=dk

Remove the 'ldap' lines, they are not used on a Unix domain member, and
if they are correct, your REALM should be 'ACME.DK'.

> log file = /var/log/samba/log.%m
> max log size = 100
> local master = No
> dns proxy = No
> wins server = srv-dhcp3.acme.com

No, you don't use wins with active directory.

> include = /etc/samba/smb.conf.%h

What is in '/etc/samba/smb.conf.%h' ?

Rowland

On Fri, 22 Feb 2019 at 14:51, Rowland Penny via samba <samba at lists.samba.org> wrote:

It's working now with smbclient from Linux without using password. Thanks!

On Windows I have to use fqdn but it might be that the search path on
Windows is wrong. (the word "search" in resolv.conf - I don't know what
that is called on Windows)

It was a lot of changes to make. I just copied the old smb.conf to the
new server but it was obviously not a good idea.

> include = /etc/samba/smb.conf.%h
>
> What is in '/etc/samba/smb.conf.%h' ?
>

On the old system all servers use the same smb.conf and then all the
unique shares are defined in smb.conf.<hostname>

The content can then be seen with this command
# grep -v "#" smb.conf.$(hostname -s)
[global]
server string = Samba %v paa %L(%h): udvhome
[homes]
comment = Home Directories
browseable = no
writable = yes
read only = no
create mask = 0775

If of any interest, my smb.conf is now:
[global]
log level = 3
unix charset = UTF8
dos charset = ISO-8859-1
workgroup = ACME.DOM
realm = ACME.COM
server string = Samba %v paa %L(%h)
security = ads
encrypt passwords = yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
idmap config ACME.DOM : backend = rid
idmap config ACME.DOM : range = 2000 - 3999
idmap config * : backend = tdb
idmap config * : range = 4000 - 5999
deadtime = 10
winbind cache time = 10
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
log file = /var/log/samba/log.%m
max log size = 100
local master = No
dns proxy = No
include = /etc/samba/smb.conf.%h

-- 
Venlig hilsen - best regards
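
The review points from the reply in this thread, written as a small smb.conf linter. This is an added example, not code from any poster or from the Samba project; the function names and rule ids are made up here, the rules follow the reply's advice as given, and the sample is the first smb.conf from the thread, abbreviated.

```python
import re

def parse_global(text):
    """Collect [global] parameters; keys lowercased, inner whitespace collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint(text):
    """Return ids (hypothetical names) of the reply's checks that this smb.conf fails."""
    p = parse_global(text)
    realm, workgroup = p.get("realm", ""), p.get("workgroup", "")
    ads = p.get("security", "").lower() == "ads"
    ranges = sorted(  # (low, high) of every "idmap config <domain> : range" line
        tuple(map(int, re.findall(r"\d+", v)))
        for k, v in p.items()
        if re.fullmatch(r"idmap config .+:\s*range", k) and re.fullmatch(r"\d+\s*-\s*\d+", v)
    )
    checks = [
        ("realm-not-uppercase", realm != realm.upper()),
        ("workgroup-equals-realm", bool(realm) and realm.upper() == workgroup.upper()),
        ("keytab-file-missing", "keytab" in p.get("kerberos method", "")
            and "dedicated keytab file" not in p),
        ("password-server-set", "password server" in p),
        ("idmap-ranges-overlap", any(a[1] >= b[0] for a, b in zip(ranges, ranges[1:]))),
        ("ldap-lines-on-member", ads and any(k.startswith("ldap ") for k in p)),
        ("wins-server-with-ad", ads and "wins server" in p),
    ]
    return [name for name, failed in checks if failed]

# Relevant lines of the first smb.conf posted in this thread (abbreviated).
BEFORE = """[global]
workgroup = ACME.DOM
realm = ACME.COM
security = ads
kerberos method = secrets and keytab
password server = srv-addc1.acme.com
idmap config ACME.DOM : range = 1000 - 999999
idmap config * : range = 1000 - 999999
ldap suffix = dc=acme,dc=dk
wins server = srv-dhcp3.acme.com
"""
print(lint(BEFORE))
```

Run against the final smb.conf posted in the thread, the same function returns an empty list.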