Hello,

I've followed two or three articles on how to configure samba 4 as a member server. One of these articles is from the samba wiki: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

The server joins, but it cannot authenticate users. I don't care about nss, winbind, etc. unless it is REALLY necessary. All I want is to use this server as a file server for workstations while the AD server (also running on samba) acts as an authentication server only.

On the client:

$ smbclient -L //samba -U zoolook

where samba is the ad server and zoolook is a domain user. This works.

$ smbclient -L //servidor -U zoolook

where servidor is the file server. This doesn't work and gives NT_STATUS_LOGON_FAILURE

I've increased log level

$ smbclient -d 3 -L //servidor -U zoolook
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
Client started (version 4.3.0).
Enter zoolook's password:
tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name servidor<0x20>
Connecting to 10.0.3.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

In the ad server I ran /usr/local/samba/sbin/samba in interactive mode with -d3 and I get:

schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SERVIDOR
auth_check_password_send: Checking password for unmapped user [ENEABE]\[zoolook]@[\\SERVIDOR]
auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

Windows machines also joined and authenticate against the ad server (samba) but cannot access the file server (servidor).

Samba is 4.3.0 in both ad and member servers. Self compiled using instructions from the wiki.

This is the smb.conf of the file server (member server):

[global]
netbios name = SERVIDOR
workgroup = ENEABE
security = ADS
realm = ENEABE.COM.AR
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ENEABE:backend = ad
idmap config ENEABE:schema_mode = rfc2307
idmap config ENEABE:range = 3000000-4000000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

BTW, anonymous logins work:

$ smbclient -L //servidor -U%
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba 4.3.0)
Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

What am I doing wrong?

Thanks!
Norberto

On 04/10/15 17:43, Norberto Bensa wrote:
> [...]
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config ENEABE:backend = ad
> idmap config ENEABE:schema_mode = rfc2307
> idmap config ENEABE:range = 3000000-4000000

Have you added uidNumber attributes to users object in AD and a gidNumber to Domain Users?

Rowland

Nope. Do I need to? For now I only want to authenticate Windows boxes. *nix boxes later.

Thanks.

2015-10-04 14:11 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> Have you added uidNumber attributes to users object in AD and a gidNumber to
> Domain Users ?
>
> Rowland
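
The check behind Rowland's question, as an added example (not code from the thread or from Samba): with `idmap config ENEABE:backend = ad`, winbind takes each account's Unix ID from its uidNumber attribute in AD and ignores values outside the configured range, so an account without one gets no mapping on the member server. The helper names, the users other than zoolook, and every uidNumber value are constructed for illustration.

```python
import re

# idmap-related part of the smb.conf posted for the member server SERVIDOR
SMB_CONF = """
[global]
workgroup = ENEABE
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config ENEABE:backend = ad
idmap config ENEABE:schema_mode = rfc2307
idmap config ENEABE:range = 3000000-4000000
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            domains.setdefault(dom.upper(), {})[key.lower()] = val
    return domains

def check_user(idmap, domain, uid_number):
    """Say whether a domain account can get a Unix ID under this config."""
    cfg = idmap.get(domain.upper(), idmap.get("*", {}))
    backend = cfg.get("backend", "tdb")
    low, high = (int(x) for x in cfg["range"].split("-"))
    if backend != "ad":
        return "ok: %s backend allocates an ID itself" % backend
    if uid_number is None:
        return "unmapped: no uidNumber in AD"
    if not low <= uid_number <= high:
        return "unmapped: uidNumber %d outside %d-%d" % (uid_number, low, high)
    return "ok: uidNumber %d" % uid_number

# Constructed directory data; None means the attribute is not set.
USERS = {"zoolook": None, "alice": 3000500, "bob": 10000}

def report():
    idmap = parse_idmap(SMB_CONF)
    return {u: check_user(idmap, "ENEABE", n) for u, n in USERS.items()}

if __name__ == "__main__":
    for user, status in report().items():
        print(user, "->", status)
```

On a real member server the equivalent lookup is `wbinfo -i zoolook` or `getent passwd zoolook`, which return nothing for an account winbind cannot map.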