Roland Schwingel
2015-Jul-03 15:31 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Hi ...
When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
problem that bugs me for hours now. I cannot get a samba 4.2.2
fileserver to work with a samba 4.2.2 PDC as a domain member.
My scenario:
Samba 3 network. PDC and fileserver were Samba 3.6.25. LDAP backend.
We can't move to AD right now so I wanted to move to the current 4.2.2
at least to do this step but to still keep NT-4 style domains.
Yesterday I migrated one PDC in a certain network to samba 4.2.2.
After some tweaking of smb.conf it works now. And I believe without
any trouble. Login/logout from Win2003,Win7,8.1 etc work fine.
Also printing and joining machines to the domain works as before. So far
so good.
Here is the smb.conf of the PDC:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = domaincontroller
passdb backend = ldapsam:"ldap://localhost"
log file = /usr/local/samba/var/log.%m
max log size = 500
large readwrite = No
name resolve order = host bcast
time server = Yes
add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
logon script = logonscripts/%U/logon.bat
logon path = \\%N\profiles\%U
logon home
domain logons = Yes
os level = 66
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=computers,ou=samba
ldap passwd sync = yes
ldap suffix = dc=MYDOM,dc=com
ldap user suffix = ou=people
idmap config * : range
idmap config * : backend = tdb
create mask = 0755
hide dot files = No
map hidden = Yes
csc policy = disable
strict locking = No
So I did setup a test machine with samba 4.2.2 as fileserver. Working as
domain member. Here is the smb.conf of the fileserver machine:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = Fileserver
security = DOMAIN
log level = 2
log file = /usr/local/samba/var/log.%m
max log size = 500
name resolve order = host bcast
unix extensions = No
hide dot files = No
csc policy = disable
strict locking = No
wide links = Yes
[testshare]
comment = test
path = /testshare
read only = No
inherit permissions = Yes
I joined the machine (osuse-test) to the network using this call. I
tried a couple of other but this is the only one that produced a join:
osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
No realm has been specified! Do you really want to join an Active
Directory server?
Enter roland's password:
No realm has been specified! Do you really want to join an Active
Directory server?
Using short domain name -- MYDOM
Joined 'OSUSE-TEST' to domain 'MYDOM'
When I try to access osuse-test by trying to open \\osuse-test from
windows 7 after few seconds windows presents me a panel with a locking
error.
On osuse-test I see these errors in the log file for the win7 client:
[2015/07/03 17:23:30.718802, 2]
../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:30.892601, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.893837, 2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.939343, 2]
../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.110024, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.111246, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.111278, 2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.131118, 2]
../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.296986, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.298164, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.298195, 2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.318922, 2]
../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.485074, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.486119, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.486162, 2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
So there seems to be an auth error with the user. The user is fully
working and correct. Passwords are correct.
Has anyone any clue what's going on here?
Thanks for your help,
Roland
Rowland Penny
2015-Jul-03 16:36 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Hi,
there were some changes made when 4.2.0 came out, these changes may be your problem, see here:
https://www.samba.org/samba/history/samba-4.2.0.html
Under the heading: Winbindd/Netlogon improvements
Rowland
Trever L. Adams
2015-Jul-03 18:54 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
If Rowland Penny's recommendations don't work, the logs seem similar to a problem I was having.
https://bugzilla.samba.org/show_bug.cgi?id=10991#c9
Run the command listed and suddenly ldap and kerberos start. May be the answer to your problem.
Trever