Roland Schwingel
2015-Jul-03 15:31 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Hi ...

When trying to migrate from samba3 to samba 4.2.2 I am facing a severe problem that bugs me for hours now. I cannot get a samba 4.2.2 fileserver to work with a samba 4.2.2 PDC as a domain member.

My scenario:
Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend. We can't move to AD right now so I wanted to move to the current 4.2.2 at least to do this step but to still keep NT-4 style domains.

Yesterday I migrated one PDC in a certain network to samba 4.2.2. After some tweaking of smb.conf it works now. And I believe without any trouble. Login/logout from Win2003, Win7, 8.1 etc. work fine. Also printing and joining machines to the domain works as before. So far so good.

Here is the smb.conf of the PDC:

    [global]
    unix charset = UTF-8
    workgroup = MYDOM
    server string = domaincontroller
    passdb backend = ldapsam:"ldap://localhost"
    log file = /usr/local/samba/var/log.%m
    max log size = 500
    large readwrite = No
    name resolve order = host bcast
    time server = Yes
    add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
    logon script = logonscripts/%U/logon.bat
    logon path = \\%N\profiles\%U
    logon home
    domain logons = Yes
    os level = 66
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    ldap admin dn = cn=Directory Manager
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap,ou=samba
    ldap machine suffix = ou=computers,ou=samba
    ldap passwd sync = yes
    ldap suffix = dc=MYDOM,dc=com
    ldap user suffix = ou=people
    idmap config * : range
    idmap config * : backend = tdb
    create mask = 0755
    hide dot files = No
    map hidden = Yes
    csc policy = disable
    strict locking = No

So I did set up a test machine with samba 4.2.2 as fileserver. Working as domain member.

Here is the smb.conf of the fileserver machine:

    [global]
    unix charset = UTF-8
    workgroup = MYDOM
    server string = Fileserver
    security = DOMAIN
    log level = 2
    log file = /usr/local/samba/var/log.%m
    max log size = 500
    name resolve order = host bcast
    unix extensions = No
    hide dot files = No
    csc policy = disable
    strict locking = No
    wide links = Yes

    [testshare]
    comment = test
    path = /testshare
    read only = No
    inherit permissions = Yes

I joined the machine (osuse-test) to the network using this call. I tried a couple of others but this is the only one that produced a join:

    osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
    No realm has been specified! Do you really want to join an Active Directory server?
    Enter roland's password:
    No realm has been specified! Do you really want to join an Active Directory server?
    Using short domain name -- MYDOM
    Joined 'OSUSE-TEST' to domain 'MYDOM'

When I try to access osuse-test by trying to open \\osuse-test from windows 7, after a few seconds windows presents me a panel with a locking error.

On osuse-test I see these errors in the log file for the win7 client:

    [2015/07/03 17:23:30.718802, 2] ../source3/param/loadparm.c:2614(lp_do_section)
      Processing section "[testshare]"
    [2015/07/03 17:23:30.892601, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
      domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
    [2015/07/03 17:23:30.893802, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
    [2015/07/03 17:23:30.893837, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_ACCESS_DENIED
    [2015/07/03 17:23:30.939343, 2] ../source3/param/loadparm.c:2614(lp_do_section)
      Processing section "[testshare]"
    [2015/07/03 17:23:31.110024, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
      domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
    [2015/07/03 17:23:31.111246, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
    [2015/07/03 17:23:31.111278, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
    [2015/07/03 17:23:31.131118, 2] ../source3/param/loadparm.c:2614(lp_do_section)
      Processing section "[testshare]"
    [2015/07/03 17:23:31.296986, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
      domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
    [2015/07/03 17:23:31.298164, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
    [2015/07/03 17:23:31.298195, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
    [2015/07/03 17:23:31.318922, 2] ../source3/param/loadparm.c:2614(lp_do_section)
      Processing section "[testshare]"
    [2015/07/03 17:23:31.485074, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
      domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
    [2015/07/03 17:23:31.486119, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
      check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
    [2015/07/03 17:23:31.486162, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
      SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

So there seems to be an auth error with the user. The user is fully working and correct. Passwords are correct.

Has anyone any clue what's going on here?

Thanks for your help,

Roland
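Added example (not part of the original post and not Samba code): a small Python parser for the smbd log format shown above. It joins each header line with its wrapped message and lists, per user and domain controller, the NT status codes that domain_client_validate reported, in log order. The sample input is an excerpt of the log in the post; the function names are this example's own.

```python
import re

# Header of an smbd log entry: "[timestamp, level] file:line(function)".
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)$")
# Message logged by domain_client_validate when validation at the DC fails.
FAILURE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain (?P<domain>\S+)"
    r" to Domain controller (?P<dc>\S+)\. Error was (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Return [(timestamp, level, function, message)], joining wrapped message lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            entries.append([m["ts"], int(m["level"]), m["func"], ""])
        elif entries and line:
            entries[-1][3] = (entries[-1][3] + " " + line).strip()
    return [tuple(e) for e in entries]

def dc_validation_failures(text):
    """Map (user, domain, dc) -> [(timestamp, NT status)] in log order."""
    failures = {}
    for ts, _level, func, msg in parse_entries(text):
        m = FAILURE.search(msg) if func == "domain_client_validate" else None
        if m:
            key = (m["user"], m["domain"], m["dc"])
            failures.setdefault(key, []).append((ts, m["status"]))
    return failures

# Excerpt of the log quoted in the post above.
SAMPLE = '''\
[2015/07/03 17:23:30.718802, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[testshare]"
[2015/07/03 17:23:30.892601, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland
  in domain MYDOM to Domain controller PDCHOST. Error was
  NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893837, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:31.110024, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
'''

if __name__ == "__main__":
    for (user, domain, dc), events in dc_validation_failures(SAMPLE).items():
        print(f"{domain}\\{user} validated at {dc}:")
        for ts, status in events:
            print(f"  {ts}  {status}")
```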
Rowland Penny
2015-Jul-03 16:36 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
On 03/07/15 16:31, Roland Schwingel wrote:
> Hi ...
>
> When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> problem that bugs me for hours now. I cannot get a samba 4.2.2
> fileserver to work with a samba 4.2.2 PDC as a domain member.
>
> My scenario:
> Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend.
> We can't move to AD right now so I wanted to move to the current 4.2.2
> at least to do this step but to still keep NT-4 style domains.
>
> Yesterday I migrated one PDC in a certain network to samba 4.2.2.
> After some tweaking of smb.conf it works now. And I believe without
> any trouble. Login/logout from Win2003, Win7, 8.1 etc. work fine.
> Also printing and joining machines to the domain works as before. So
> far so good.
>
> Here is the smb.conf of the PDC:
> [global]
> unix charset = UTF-8
> workgroup = MYDOM
> server string = domaincontroller
> passdb backend = ldapsam:"ldap://localhost"
> log file = /usr/local/samba/var/log.%m
> max log size = 500
> large readwrite = No
> name resolve order = host bcast
> time server = Yes
> add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
> logon script = logonscripts/%U/logon.bat
> logon path = \\%N\profiles\%U
> logon home
> domain logons = Yes
> os level = 66
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> ldap admin dn = cn=Directory Manager
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=idmap,ou=samba
> ldap machine suffix = ou=computers,ou=samba
> ldap passwd sync = yes
> ldap suffix = dc=MYDOM,dc=com
> ldap user suffix = ou=people
> idmap config * : range
> idmap config * : backend = tdb
> create mask = 0755
> hide dot files = No
> map hidden = Yes
> csc policy = disable
> strict locking = No
>
> So I did set up a test machine with samba 4.2.2 as fileserver. Working
> as domain member.
> Here is the smb.conf of the fileserver machine:
> [global]
> unix charset = UTF-8
> workgroup = MYDOM
> server string = Fileserver
> security = DOMAIN
> log level = 2
> log file = /usr/local/samba/var/log.%m
> max log size = 500
> name resolve order = host bcast
> unix extensions = No
> hide dot files = No
> csc policy = disable
> strict locking = No
> wide links = Yes
>
> [testshare]
> comment = test
> path = /testshare
> read only = No
> inherit permissions = Yes
>
> I joined the machine (osuse-test) to the network using this call. I
> tried a couple of others but this is the only one that produced a join:
>
> osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
> No realm has been specified! Do you really want to join an Active Directory server?
> Enter roland's password:
> No realm has been specified! Do you really want to join an Active Directory server?
> Using short domain name -- MYDOM
> Joined 'OSUSE-TEST' to domain 'MYDOM'
>
> When I try to access osuse-test by trying to open \\osuse-test from
> windows 7, after a few seconds windows presents me a panel with a locking
> error.
>
> On osuse-test I see these errors in the log file for the win7 client:
> [2015/07/03 17:23:30.718802, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:30.892601, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
> [2015/07/03 17:23:30.893802, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
> [2015/07/03 17:23:30.893837, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_ACCESS_DENIED
> [2015/07/03 17:23:30.939343, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.110024, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.111246, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.111278, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.131118, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.296986, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.298164, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.298195, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.318922, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[testshare]"
> [2015/07/03 17:23:31.485074, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
>   domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
> [2015/07/03 17:23:31.486119, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
> [2015/07/03 17:23:31.486162, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
>
> So there seems to be an auth error with the user. The user is fully
> working and correct. Passwords are correct.
>
> Has anyone any clue what's going on here?
>
> Thanks for your help,
>
> Roland

Hi, there were some changes made when 4.2.0 came out, these changes may be your problem, see here:

https://www.samba.org/samba/history/samba-4.2.0.html

Under the heading: Winbindd/Netlogon improvements

Rowland
Trever L. Adams
2015-Jul-03 18:54 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
If Rowland Penny's recommendations don't work, the logs seem similar to a problem I was having.

https://bugzilla.samba.org/show_bug.cgi?id=10991#c9

Run the command listed and suddenly ldap and kerberos start. May be the answer to your problem.

Trever