Nope. Do I need to? For now I only want to authenticate Windows boxes. *nix boxes later.

Thanks.

2015-10-04 14:11 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 04/10/15 17:43, Norberto Bensa wrote:
>>
>> Hello,
>>
>> I've followed two or three articles on how to configure samba 4 as a
>> member server. One of these articles is from the samba wiki:
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> The server joins, but it cannot authenticate users. I don't care about
>> nss, winbind, etc. unless it is REALLY necessary. All I want is to use
>> this server as a file server for workstations while the AD server
>> (also running on samba) acts as an authentication server only.
>>
>> On the client:
>>
>> $ smbclient -L //samba -U zoolook
>>
>> where samba is the ad server and zoolook is a domain user. This works.
>>
>> $ smbclient -L //servidor -U zoolook
>>
>> where servidor is the file server. This doesn't work and gives
>> NT_STATUS_LOGON_FAILURE
>>
>>
>> I've increased the log level:
>>
>> $ smbclient -d 3 -L //servidor -U zoolook
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> added interface eth0 ip=10.0.3.251 bcast=10.0.3.255 netmask=255.255.255.0
>> Client started (version 4.3.0).
>> Enter zoolook's password:
>> tdb(/usr/local/samba/var/cache/gencache.tdb): tdb_open_ex: could not
>> open file /usr/local/samba/var/cache/gencache.tdb: Permiso denegado
>> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
>> resolve_lmhosts: Attempting lmhosts lookup for name servidor<0x20>
>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>> resolve_hosts: Attempting host lookup for name servidor<0x20>
>> Connecting to 10.0.3.251 at port 445
>> Doing spnego session setup (blob length=96)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.3.6.1.4.1.311.2.2.10
>> got principal=not_defined_in_RFC4178 at please_ignore
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x60898215
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> On the ad server I ran /usr/local/samba/sbin/samba in interactive mode
>> with -d3 and I get:
>>
>> schannel_fetch_session_key_tdb: restored schannel info key
>> SECRETS/SCHANNEL/SERVIDOR
>> auth_check_password_send: Checking password for unmapped user
>> [ENEABE]\[zoolook]@[\\SERVIDOR]
>> auth_check_password_send: mapped user is: [ENEABE]\[zoolook]@[\\SERVIDOR]
>> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
>>
>>
>> Windows machines also joined and authenticate against the ad server
>> (samba) but cannot access the file server (servidor).
>>
>> Samba is 4.3.0 on both the ad and member servers. Self compiled using
>> instructions from the wiki.
>>
>>
>> This is the smb.conf of the file server (member server):
>>
>> [global]
>> netbios name = SERVIDOR
>> workgroup = ENEABE
>> security = ADS
>> realm = ENEABE.COM.AR
>> encrypt passwords = yes
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 70001-80000
>> idmap config ENEABE:backend = ad
>> idmap config ENEABE:schema_mode = rfc2307
>> idmap config ENEABE:range = 3000000-4000000
>
> Have you added uidNumber attributes to the user objects in AD and a gidNumber to
> Domain Users ?
>
> Rowland
>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>>
>> BTW, anonymous logins work:
>>
>> $ smbclient -L //servidor -U%
>> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>>
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>>         IPC$            IPC       IPC Service (Samba 4.3.0)
>> Domain=[ENEABE] OS=[Windows 6.1] Server=[Samba 4.3.0]
>>
>>         Server               Comment
>>         ---------            -------
>>
>>         Workgroup            Master
>>         ---------            -------
>>
>>
>> What am I doing wrong?
>>
>> Thanks!
>> Norberto
>>
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
On 04/10/15 19:02, Norberto Bensa wrote:
> Nope. Do I need to?

Yep!

> For now I only want to authenticate Windows boxes. *nix boxes later.

If you only want to authenticate windows users then you do not need uidNumber & gidNumber attributes, but once you want the windows users to log in to the samba server, your windows users also need to be Unix users. If you use the winbind 'ad' backend, then you need to use the attributes; if you don't want to use the attributes, you could use the 'rid' backend.

Rowland

> Thanks.
>
> 2015-10-04 14:11 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>> Have you added uidNumber attributes to the user objects in AD and a
>> gidNumber to Domain Users ?
>>
>> Rowland
2015-10-04 15:58 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 04/10/15 19:02, Norberto Bensa wrote:
>>
>> For now I only want to authenticate Windows boxes. *nix boxes later.
>
> If you only want to authenticate windows users then you do not need
> uidNumber & gidNumber attributes, but once you want the windows users to
> log in to the samba server, your windows users also need to be Unix users. If
> you use the winbind 'ad' backend, then you need to use the attributes; if
> you don't want to use the attributes, you could use the 'rid' backend.

I switched to rid and, of course, now I can access the shares.

Thanks Rowland. I'll have to do some serious reading on these backends.

Regards,
Norberto
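The two idmap backends Rowland contrasts, written out side by side as an added example for readers of the thread (this is not a configuration posted by either participant); the domain, realm and ranges are copied from Norberto's smb.conf, and the comments state what each backend requires of the AD objects.

```ini
; Member-server [global] excerpts, added as an illustration of the thread's
; fix. Domain, realm and id ranges are taken from Norberto's configuration.

; --- Variant A: winbind 'ad' backend (Norberto's original, failing setup) ---
; winbind reads uidNumber / gidNumber from the AD object (rfc2307 schema).
; Every user that will touch the file server needs a uidNumber, and every
; group it belongs to (at least Domain Users) needs a gidNumber. A user
; without one cannot be mapped to a Unix uid, so the SMB session setup is
; refused with NT_STATUS_LOGON_FAILURE even though the password is correct.
[global]
   netbios name = SERVIDOR
   workgroup = ENEABE
   security = ADS
   realm = ENEABE.COM.AR

   ; default domain (BUILTIN etc.): local tdb allocation
   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   ; ENEABE users/groups: ids come from AD attributes, nothing is allocated
   idmap config ENEABE : backend = ad
   idmap config ENEABE : schema_mode = rfc2307
   idmap config ENEABE : range = 3000000-4000000
   winbind nss info = rfc2307

; --- Variant B: winbind 'rid' backend (the setup Norberto switched to) ---
; The id is derived from the SID, id = RID + low end of the range, so no
; attributes are needed in AD. Caveats: another Unix member only sees the
; same ids if it uses the same backend and the same range; switching backend
; later changes the ids that already own files on disk; the '*' range and
; the domain range must not overlap (70001-80000 vs 3000000-4000000 is fine).
[global]
   netbios name = SERVIDOR
   workgroup = ENEABE
   security = ADS
   realm = ENEABE.COM.AR

   idmap config * : backend = tdb
   idmap config * : range = 70001-80000
   idmap config ENEABE : backend = rid
   idmap config ENEABE : range = 3000000-4000000
   ; no rfc2307 attributes to read, so shell/home come from the templates
   winbind nss info = template
   template shell = /bin/bash
   template homedir = /home/%U
```

With either variant, `wbinfo -i zoolook` on the member server (winbindd must be running; `winbind use default domain = yes` lets the bare name work) should report a uid inside the ENEABE range; if it does not, the failure is in id mapping rather than in the password check.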