Hi and thanks for your time

First of all, I cleaned up the krb5.conf according to the samba wiki and after that I can connect with smbclient using the three part style of the credentials file, i.e.
username=me
password=thesecret
domain=domain.example.com

but mount.cifs still says STATUS_NO_LOGON_SERVERS

> Is the 'linux box' joined to the domain ? If not, why not ?
It is joined to the domain.

> Let's start by you posting the smb.conf from all three machines (hint:
> post the output from 'samba-tool testparm --suppress-prompt' on the DC
> and 'testparm -s' on the others)

Here are the outputs you asked for. Some info anonymized.

AD DC:
root@doc:~# samba-tool testparm --suppress-prompt
INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
# Global parameters
[global]
    dns forwarder = 1.2.3.4
    netbios name = DOC
    realm = THEDOMAIN.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = THEDOMAIN
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/thedomain.example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No


Fileserver:
root@sneezy:~# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    log file = /var/log/samba/%m.log
    realm = THEDOMAIN.EXAMPLE.COM
    security = ADS
    username map = /etc/samba/user.map
    winbind use default domain = Yes
    workgroup = THEDOMAIN
    idmap config thedomain: range = 10000-999999
    idmap config thedomain: backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr


[Data]
    path = /var/mntsamba/samba/Data/
    read only = No


The 'linux-box' that no longer mounts shares (I wasn't aware that mount.cifs uses the smb.conf so it is basically default debian conf)
root@pluto:~# testparm -s
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
# Global parameters
[global]
    log file = /var/log/samba/log.%m
    logging = file
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    unix password sync = Yes
    usershare allow guests = Yes
    workgroup = THEDOMAIN
    idmap config * : backend = tdb
    create mask = 0700
    directory mask = 0700
    valid users = %S


cheers
Mark

On 11/08/2021 17:01, Mark Amundsen via samba wrote:
> Hi and thanks for your time
>
> First of all, I cleaned up the krb5.conf according to the samba wiki and after that I can connect with smbclient using the three part style of the credentials file, i.e.
> username=me
> password=thesecret
> domain=domain.example.com
>
> but mount.cifs still says STATUS_NO_LOGON_SERVERS
>
>> Is the 'linux box' joined to the domain ? If not, why not ?
> It is joined to the domain.
>
>> Let's start by you posting the smb.conf from all three machines (hint:
>> post the output from 'samba-tool testparm --suppress-prompt' on the DC
>> and 'testparm -s' on the others)
>
> Here are the outputs you asked for. Some info anonymized.
>
> AD DC:
> root@doc:~# samba-tool testparm --suppress-prompt
> INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> # Global parameters
> [global]
>     dns forwarder = 1.2.3.4
>     netbios name = DOC
>     realm = THEDOMAIN.EXAMPLE.COM
>     server role = active directory domain controller
>     workgroup = THEDOMAIN
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/thedomain.example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
>
> Fileserver:
> root@sneezy:~# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     log file = /var/log/samba/%m.log
>     realm = THEDOMAIN.EXAMPLE.COM
>     security = ADS
>     username map = /etc/samba/user.map
>     winbind use default domain = Yes
>     workgroup = THEDOMAIN
>     idmap config thedomain: range = 10000-999999
>     idmap config thedomain: backend = rid
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     vfs objects = acl_xattr
>
>
> [Data]
>     path = /var/mntsamba/samba/Data/
>     read only = No
>
>
> The 'linux-box' that no longer mounts shares (I wasn't aware that mount.cifs uses the smb.conf so it is basically default debian conf)
> root@pluto:~# testparm -s
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> # Global parameters
> [global]
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>     usershare allow guests = Yes
>     workgroup = THEDOMAIN
>     idmap config * : backend = tdb
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
>
>
> cheers
> Mark
>

Do you need to specify vers=3.0 in the mount.cifs command? I know that broke it for me after an upgrade a few years ago on the Pi.

On Wed, 2021-08-11 at 18:01 +0200, Mark Amundsen via samba wrote:
> Hi and thanks for your time
>
> First of all, I cleaned up the krb5.conf according to the samba wiki and after that I can connect with smbclient using the three part style of the credentials file, i.e.
> username=me
> password=thesecret
> domain=domain.example.com
>
> but mount.cifs still says STATUS_NO_LOGON_SERVERS
>
> > Is the 'linux box' joined to the domain ? If not, why not ?
> It is joined to the domain.
>
> > Let's start by you posting the smb.conf from all three machines (hint:
> > post the output from 'samba-tool testparm --suppress-prompt' on the DC
> > and 'testparm -s' on the others)
>
> Here are the outputs you asked for. Some info anonymized.
>
> AD DC:
> root@doc:~# samba-tool testparm --suppress-prompt
> INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
> INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
> # Global parameters
> [global]
>     dns forwarder = 1.2.3.4
>     netbios name = DOC
>     realm = THEDOMAIN.EXAMPLE.COM
>     server role = active directory domain controller
>     workgroup = THEDOMAIN
>     idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>     path = /usr/local/samba/var/locks/sysvol/thedomain.example.com/scripts
>     read only = No
>
> [sysvol]
>     path = /usr/local/samba/var/locks/sysvol
>     read only = No
>
>
> Fileserver:
> root@sneezy:~# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Weak crypto is allowed
>
> Server role: ROLE_DOMAIN_MEMBER
>
> # Global parameters
> [global]
>     log file = /var/log/samba/%m.log
>     realm = THEDOMAIN.EXAMPLE.COM
>     security = ADS
>     username map = /etc/samba/user.map
>     winbind use default domain = Yes
>     workgroup = THEDOMAIN
>     idmap config thedomain: range = 10000-999999
>     idmap config thedomain: backend = rid
>     idmap config * : range = 3000-7999
>     idmap config * : backend = tdb
>     map acl inherit = Yes
>     vfs objects = acl_xattr
>
>
> [Data]
>     path = /var/mntsamba/samba/Data/
>     read only = No
>
>
> The 'linux-box' that no longer mounts shares (I wasn't aware that mount.cifs uses the smb.conf so it is basically default debian conf)
> root@pluto:~# testparm -s
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_STANDALONE
> # Global parameters
> [global]
>     log file = /var/log/samba/log.%m
>     logging = file
>     map to guest = Bad User
>     max log size = 1000
>     obey pam restrictions = Yes
>     pam password change = Yes
>     panic action = /usr/share/samba/panic-action %d
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     passwd program = /usr/bin/passwd %u
>     server role = standalone server
>     unix password sync = Yes
>     usershare allow guests = Yes
>     workgroup = THEDOMAIN
>     idmap config * : backend = tdb
>     create mask = 0700
>     directory mask = 0700
>     valid users = %S
>
>
> cheers
> Mark
>

OK, the two machines running 4.14.6 use SMBv2 as a minimum, your standalone server uses SMBv1 as a minimum, so you may have to add 'vers=2' to your mount command.

Your three machines are using the same workgroup name, but the standalone server will have a different SID than the other two, can I suggest you join the standalone server to the domain, it makes more sense. I would only use a standalone server in a workgroup or ad-hoc setup.

Rowland
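
Added example, not part of the thread and not code from any of its participants: a pre-mount check for the three-part credentials file discussed above that also pins an explicit SMB dialect with vers=. The function names, the mode-600 requirement, the accepted dialect list and the /mnt/data mount point are assumptions of this example; the sample credentials are constructed.

```shell
#!/bin/sh
# Added example: names, paths and sample values below are constructed.

# check_cifs_credentials FILE
# Succeeds only if FILE has the three keys used in the thread and is not
# accessible to group/other (it stores a cleartext password).
check_cifs_credentials() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    for key in username password domain; do
        grep -q "^${key}=" "$file" ||
            { echo "no ${key}= line in $file" >&2; return 2; }
    done
    mode=$(stat -c '%a' "$file") || return 3   # GNU stat, e.g. "600"
    case $mode in
        0|*00) ;;
        *) echo "$file has mode $mode, expected 600" >&2; return 4 ;;
    esac
}

# cifs_mount_options FILE VERS
# Prints the -o string with an explicit dialect. SMB1 ("1.0") is rejected
# here because the thread says the servers require SMB2 or later.
cifs_mount_options() {
    check_cifs_credentials "$1" || return
    case $2 in
        2.0|2.1|3.0|3.02|3.1.1) ;;
        *) echo "unsupported vers=$2" >&2; return 5 ;;
    esac
    printf 'credentials=%s,vers=%s\n' "$1" "$2"
}

# Demo with a constructed credentials file; the command is printed, not run.
demo_dir=$(mktemp -d)
cred="$demo_dir/cifs-credentials"
printf 'username=me\npassword=thesecret\ndomain=domain.example.com\n' > "$cred"
chmod 600 "$cred"
if opts=$(cifs_mount_options "$cred" 3.0); then
    echo "mount -t cifs //sneezy/Data /mnt/data -o $opts"
fi
rm -rf "$demo_dir"
```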