Holger Hecht
2015-Apr-24 07:31 UTC
[Samba] Centos7 Samba 4.1.12 -> Centos 5.11 Samba 3.5.2 = Rejecting auth request
Dear Sirs/Madams, I have the following problem, for which the internet does not have a solution yet: I am trying to have a Centos7 server with Samba 4.1.12 authenticate his users (security=domain) with a DC samba version 3.5.2 on a Centos5.11 machine (which has an LDAP Backend). This works for other servers (OpenSuse 13.2 with samba 4.1.17) and for a bunch of Windows7 clients. I can join the domain with net rpc join, which seems to work on client side but the log of the DC already shows the error rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client DENG machine account DENG$ I created the machine account on the DC with a LAM web interface. The connection with the machine worked already before, I do not know what happened, maybe an update for samba on the machines lead to this. I did not change any configuration files, so the configuration worked already. But after the error occured I deleted the machine account and created a new one. Is there a way to renew the credentials that fail to check? What are the credentials anyway? Is there maybe a new encryption taking place which the old DC does not know? I am really stuck. Thanks in advance, Holger testparm on the client rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Processing section "[homes]" Processing section "[xxx1]" Processing section "[xxx2]" Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = Test server string = Samba Server Version %v interfaces = lo, eth0, 127.0.0.1 security = DOMAIN log file = /var/log/samba/log.%m max log size = 50 load printers = No wins server = some IP idmap config * : backend = tdb hosts allow = 127.0.0.1, outside IP
Ty! Boyack
2015-Apr-24 16:41 UTC
[Samba] Centos7 Samba 4.1.12 -> Centos 5.11 Samba 3.5.2 = Rejecting auth request
Hi Holger, I'm no expert here, but this sounds like an issue I just worked on. In my situation, I could mount the shares IF the client had a kerberos ticket or was a client that was joined to the AD domain. But if I tried to mount a share with a client that was sending a username/password pair then I would get a similar behavior you are seeing -- the domain controller would refuse to authenticate the client session. One difference is that I have windows domain controllers, not the Samba DCs you are using, but the error sounds very similar. The way I was testing this was by using smbclient on a linux box as my test client. A password session like this: smbclient //server.name/share -U DOMAIN\\user would ask for a password and then fail with unclear error messages. But a kerberos session like this: kinit user at DOMAIN.FULLY.QUALIFIED <asks for a password> smbclient //server.name/share -U DOMAIN\\user -k kdestroy would work just fine. Would you mind testing that to see if you see the same behavior? If that is the case, then I'm betting that we're seeing the same problem. It seems that patches added to the CentOS package for schannel support may interfere with password authentication. I have CentOS7 packages for samba-4.1.12 that I recompiled without the schannel patches, or I also have samba-4.1.17 packages if you want to give them a try (I am using the 4.1.17 packages). I have not run them through any testing other than use on our live servers, and they are working fine here. -Ty On 04/24/2015 01:31 AM, Holger Hecht wrote:> Dear Sirs/Madams, > > I have the following problem, for which the internet does not have a solution > yet: > I am trying to have a Centos7 server with Samba 4.1.12 authenticate his users > (security=domain) with a DC samba version 3.5.2 on a Centos5.11 machine (which > has an LDAP Backend). This works for other servers (OpenSuse 13.2 with samba > 4.1.17) and for a bunch of Windows7 clients. I can join the domain with net > rpc join, which seems to work on client side but the log of the DC already > shows the error > > rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3) > _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting > auth request from client DENG machine account DENG$ > > I created the machine account on the DC with a LAM web interface. > > The connection with the machine worked already before, I do not know what > happened, maybe an update for samba on the machines lead to this. I did not > change any configuration files, so the configuration worked already. But after > the error occured I deleted the machine account and created a new one. > > Is there a way to renew the credentials that fail to check? What are the > credentials anyway? Is there maybe a new encryption taking place which the old > DC does not know? > > I am really stuck. > > Thanks in advance, > > Holger > > > testparm on the client > > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) > Processing section "[homes]" > Processing section "[xxx1]" > Processing section "[xxx2]" > Loaded services file OK. > Server role: ROLE_DOMAIN_MEMBER > Press enter to see a dump of your service definitions > > [global] > workgroup = Test > server string = Samba Server Version %v > interfaces = lo, eth0, 127.0.0.1 > security = DOMAIN > log file = /var/log/samba/log.%m > max log size = 50 > load printers = No > wins server = some IP > idmap config * : backend = tdb > hosts allow = 127.0.0.1, outside IP >-- -===========================- Ty Boyack NREL Senior IT Engineer Ty.Boyack at colostate.edu (970) 491-1186 -===========================-
Maybe Matching Threads
- [PATCH v2] i2c: virtio: add a virtio i2c frontend driver
- [PATCH v2] i2c: virtio: add a virtio i2c frontend driver
- [PATCH v2] i2c: virtio: add a virtio i2c frontend driver
- [PATCH v2] i2c: virtio: add a virtio i2c frontend driver
- Samba 4.1 as member server, problems doing password authentication using CentOS/RedHat 7 packages