samba - Nov 2015 - session setup failed: NT_STATUS_LOGON_FAILURE

2015-11-04 17:11 GMT+08:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 04/11/15 06:24, Roger Wu wrote:
>
>> Hi, Rowland,
>>
>> Thanks for your advise. I've been updated the version to 4.2.5, the
rpm
>> query is as below,
>> but it still didn't work.
>>
>> [root at testcad16 samba]# rpm -qa | grep samba
>> sernet-samba-4.2.5-19.el6.x86_64
>> sernet-samba-libs-4.2.5-19.el6.x86_64
>> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
>> sernet-samba-client-4.2.5-19.el6.x86_64
>> sernet-samba-common-4.2.5-19.el6.x86_64
>>
>> [root at testcad16 samba]# netstat -tulnp| grep mbd
>> tcp        0      0 0.0.0.0:445 <http://0.0.0.0:445>   0.0.0.0:*
>>            LISTEN      27139/smbd
>> tcp        0      0 0.0.0.0:139 <http://0.0.0.0:139>   0.0.0.0:*
>>            LISTEN      27139/smbd
>> tcp        0      0 :::445                      :::*
>> LISTEN      27139/smbd
>> tcp        0      0 :::139                      :::*
>> LISTEN      27139/smbd
>> udp        0      0 172.26.87.255:137 <http://172.26.87.255:137>
>>  0.0.0.0:*                               27094/nmbd
>> udp        0      0 172.26.85.211:137 <http://172.26.85.211:137>
>>  0.0.0.0:*                               27094/nmbd
>> udp        0      0 0.0.0.0:137 <http://0.0.0.0:137>   0.0.0.0:*
>>                        27094/nmbd
>> udp        0      0 172.26.87.255:138 <http://172.26.87.255:138>
>>  0.0.0.0:*                               27094/nmbd
>> udp        0      0 172.26.85.211:138 <http://172.26.85.211:138>
>>  0.0.0.0:*                               27094/nmbd
>> udp        0      0 0.0.0.0:138 <http://0.0.0.0:138>   0.0.0.0:*
>>                        27094/nmbd
>>
>>
>> [root at testcad16 samba]# smbclient -d 3 -L //testcad16
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
>> Processing section "[global]"
>> added interface eth0 ip=172.26.85.211 bcast=172.26.87.255
>> netmask=255.255.248.0
>> Client started (version 4.2.5-SerNet-RedHat-19.el6).
>> Enter root's password:
>> Connecting to 172.26.85.211 at port 445
>> session setup failed: NT_STATUS_LOGON_FAILURE
>> My smb.conf setting is as followed,
>>
>> # Global parameters
>> [global]
>>         workgroup = TESTSMB
>>         server string = Samba Server Version %v
>>         netbios name = testcad16
>>         security = USER
>> passdb backend = tdbsam
>>         encrypt passwords = No
>>         client NTLMv2 auth = No
>>         client lanman auth = Yes
>>         client plaintext auth = Yes
>>         dns proxy = No
>>         idmap config * : backend = tdb
>>         hosts allow = 127. 172.26.
>>         cups options = raw
>>
>>
>> [homes]
>>         comment = Home Directories
>>         read only = No
>>         browseable = No
>>
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         printable = Yes
>>         print ok = Yes
>>         browseable = No
>>
>>
>>
>>
> OK, you seem to be trying to set up a standalone server, you do realise
> that you will need to create your users on this as well as on the windows
> machines.
>
yes, but I hope samba can use NIS authentication instead of using it's own
database.
Do I need to use smbpasswd to create user accounts again? It's against what
I need...

>
> You might as well remove these lines, they are the defaults:
>
>         security = USER
>         passdb backend = tdbsam
>
Don't I need to set the security level?
>
> You might as well remove this line, it isn't needed on a standalone
server:
>
>         idmap config * : backend = tdb
>
I didn't  set these parameters. They are reported by testparm command.
Where can I remove that?
>
> and you don't need to run the winbindd deamon.
>
> You really should remove these lines, you are trying to make windows do
> something with passwords it really doesn't want to do:
>
>         encrypt passwords = No
>         client NTLMv2 auth = No
>         client lanman auth = Yes
>         client plaintext auth = Yes
>
> Rowland
>
I searched some articles on the internet said I need to set above lines for
the samba server and
plaintextpasswords = 1 for windows due to different encrypted methods
between windows and workstation.
I added those lines and It seems worked for samba old version (3.6.23) .
How come it wind up irrelevant for 4.2.5 version?
Don't I need to set anything for this issue?

I've been removed most of these lines you suggested, which means I nearly
set nothing.
but it still didn't work and I got the same message.

[root at testcad16 samba]# smbclient -L //testcad16
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE


Here is my smb.conf setting.

[root at testcad16 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = SMBTEST
        server string = Samba Server Version %v
        idmap config * : backend = tdb
        hosts allow = 127. 172.26.
        cups options = raw


[homes]
        comment = Home Directories
        read only = No
        browseable = No


[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No


Regards,
Roger

>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 04/11/15 10:28, Roger Wu wrote:
>
>
>
>     OK, you seem to be trying to set up a standalone server, you do
>     realise that you will need to create your users on this as well as
>     on the windows machines.
>
>
> yes, but I hope samba can use NIS authentication instead of using it's 
> own database.
> Do I need to use smbpasswd to create user accounts again? It's against 
> what I need...
Well, as I don't know what you what, I can only advise on what I see, 
and I see you trying to setup a standalone server.
>
>     You might as well remove these lines, they are the defaults:
>
>             security = USER
>             passdb backend = tdbsam
>
>
> Don't I need to set the security level?
You don't need them because they are the *default* settings.
>
>     You might as well remove this line, it isn't needed on a
>     standalone server:
>
>             idmap config * : backend = tdb
>
> I didn't  set these parameters. They are reported by testparm command.
Don't post a smb.conf from testparm without saying so, this is probably 
why you are getting the other two lines above, testparm shows *all* 
lines in smb.conf, the ones you added *and* the default ones.
> Where can I remove that?
>
>
>     and you don't need to run the winbindd deamon.
>
>     You really should remove these lines, you are trying to make
>     windows do something with passwords it really doesn't want to do:
>
>             encrypt passwords = No
>             client NTLMv2 auth = No
>             client lanman auth = Yes
>             client plaintext auth = Yes
>
>     Rowland
>
> I searched some articles on the internet said I need to set above 
> lines for the samba server and
> plaintextpasswords = 1 for windows due to different encrypted methods 
> between windows and workstation.
> I added those lines and It seems worked for samba old version (3.6.23) 
> . How come it wind up irrelevant for 4.2.5 version?
> Don't I need to set anything for this issue?
> I've been removed most of these lines you suggested, which means I 
> nearly set nothing.
> but it still didn't work and I got the same message.
>
> [root at testcad16 samba]# smbclient -L //testcad16
> Enter root's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> Here is my smb.conf setting.
>
> [root at testcad16 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[printers]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         workgroup = SMBTEST
>         server string = Samba Server Version %v
>         idmap config * : backend = tdb
>         hosts allow = 127. 172.26.
>         cups options = raw
>
>
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
>
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         print ok = Yes
>         browseable = No
>
>
> Regards,
> Roger
>
I think you are going to have to tell us just what you are trying to 
achieve. Also if your windows machines are part of a domain.

Rowland

Once again:
Samba always comes with its own users database.

You have Samba so you have Samba users in addition of systems users. You
have to use smbpasswd -a username. And telling that, I'm not asking you
anything, I'm telling you what you have to do to solve your issue.

2015-11-04 11:28 GMT+01:00 Roger Wu <wu1004 at gmail.com>:
> 2015-11-04 17:11 GMT+08:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
>
> > On 04/11/15 06:24, Roger Wu wrote:
> >
> >> Hi, Rowland,
> >>
> >> Thanks for your advise. I've been updated the version to
4.2.5, the rpm
> >> query is as below,
> >> but it still didn't work.
> >>
> >> [root at testcad16 samba]# rpm -qa | grep samba
> >> sernet-samba-4.2.5-19.el6.x86_64
> >> sernet-samba-libs-4.2.5-19.el6.x86_64
> >> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
> >> sernet-samba-client-4.2.5-19.el6.x86_64
> >> sernet-samba-common-4.2.5-19.el6.x86_64
> >>
> >> [root at testcad16 samba]# netstat -tulnp| grep mbd
> >> tcp        0      0 0.0.0.0:445 <http://0.0.0.0:445>  
0.0.0.0:*
> >>            LISTEN      27139/smbd
> >> tcp        0      0 0.0.0.0:139 <http://0.0.0.0:139>  
0.0.0.0:*
> >>            LISTEN      27139/smbd
> >> tcp        0      0 :::445                      :::*
> >> LISTEN      27139/smbd
> >> tcp        0      0 :::139                      :::*
> >> LISTEN      27139/smbd
> >> udp        0      0 172.26.87.255:137
<http://172.26.87.255:137>
> >>  0.0.0.0:*                               27094/nmbd
> >> udp        0      0 172.26.85.211:137
<http://172.26.85.211:137>
> >>  0.0.0.0:*                               27094/nmbd
> >> udp        0      0 0.0.0.0:137 <http://0.0.0.0:137>  
0.0.0.0:*
> >>                        27094/nmbd
> >> udp        0      0 172.26.87.255:138
<http://172.26.87.255:138>
> >>  0.0.0.0:*                               27094/nmbd
> >> udp        0      0 172.26.85.211:138
<http://172.26.85.211:138>
> >>  0.0.0.0:*                               27094/nmbd
> >> udp        0      0 0.0.0.0:138 <http://0.0.0.0:138>  
0.0.0.0:*
> >>                        27094/nmbd
> >>
> >>
> >> [root at testcad16 samba]# smbclient -d 3 -L //testcad16
> >> lp_load_ex: refreshing parameters
> >> Initialising global parameters
> >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> >> Processing section "[global]"
> >> added interface eth0 ip=172.26.85.211 bcast=172.26.87.255
> >> netmask=255.255.248.0
> >> Client started (version 4.2.5-SerNet-RedHat-19.el6).
> >> Enter root's password:
> >> Connecting to 172.26.85.211 at port 445
> >> session setup failed: NT_STATUS_LOGON_FAILURE
> >> My smb.conf setting is as followed,
> >>
> >> # Global parameters
> >> [global]
> >>         workgroup = TESTSMB
> >>         server string = Samba Server Version %v
> >>         netbios name = testcad16
> >>         security = USER
> >> passdb backend = tdbsam
> >>         encrypt passwords = No
> >>         client NTLMv2 auth = No
> >>         client lanman auth = Yes
> >>         client plaintext auth = Yes
> >>         dns proxy = No
> >>         idmap config * : backend = tdb
> >>         hosts allow = 127. 172.26.
> >>         cups options = raw
> >>
> >>
> >> [homes]
> >>         comment = Home Directories
> >>         read only = No
> >>         browseable = No
> >>
> >>
> >> [printers]
> >>         comment = All Printers
> >>         path = /var/spool/samba
> >>         printable = Yes
> >>         print ok = Yes
> >>         browseable = No
> >>
> >>
> >>
> >>
> > OK, you seem to be trying to set up a standalone server, you do
realise
> > that you will need to create your users on this as well as on the
windows
> > machines.
> >
>
> yes, but I hope samba can use NIS authentication instead of using it's
own
> database.
> Do I need to use smbpasswd to create user accounts again? It's against
what
> I need...
>
>
> >
> > You might as well remove these lines, they are the defaults:
> >
> >         security = USER
> >         passdb backend = tdbsam
> >
>
> Don't I need to set the security level?
>
> >
> > You might as well remove this line, it isn't needed on a
standalone
> server:
> >
> >         idmap config * : backend = tdb
> >
>
> I didn't  set these parameters. They are reported by testparm command.
> Where can I remove that?
>
> >
> > and you don't need to run the winbindd deamon.
> >
> > You really should remove these lines, you are trying to make windows
do
> > something with passwords it really doesn't want to do:
> >
> >         encrypt passwords = No
> >         client NTLMv2 auth = No
> >         client lanman auth = Yes
> >         client plaintext auth = Yes
> >
> > Rowland
> >
>
> I searched some articles on the internet said I need to set above lines for
> the samba server and
> plaintextpasswords = 1 for windows due to different encrypted methods
> between windows and workstation.
> I added those lines and It seems worked for samba old version (3.6.23) .
> How come it wind up irrelevant for 4.2.5 version?
> Don't I need to set anything for this issue?
>
> I've been removed most of these lines you suggested, which means I
nearly
> set nothing.
> but it still didn't work and I got the same message.
>
> [root at testcad16 samba]# smbclient -L //testcad16
> Enter root's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
> Here is my smb.conf setting.
>
> [root at testcad16 samba]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[homes]"
> Processing section "[printers]"
> Loaded services file OK.
> Server role: ROLE_STANDALONE
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         workgroup = SMBTEST
>         server string = Samba Server Version %v
>         idmap config * : backend = tdb
>         hosts allow = 127. 172.26.
>         cups options = raw
>
>
> [homes]
>         comment = Home Directories
>         read only = No
>         browseable = No
>
>
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         print ok = Yes
>         browseable = No
>
>
> Regards,
> Roger
>
>
> >
>
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

NIS users are system users. The fact they come from NIS, AD, /etc/passwd or
the moon don't change anything. They are system users.
He needs Samba users now...

2015-11-04 11:41 GMT+01:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 04/11/15 10:28, Roger Wu wrote:
>
>>
>>
>>
>>     OK, you seem to be trying to set up a standalone server, you do
>>     realise that you will need to create your users on this as well as
>>     on the windows machines.
>>
>>
>> yes, but I hope samba can use NIS authentication instead of using
it's
>> own database.
>> Do I need to use smbpasswd to create user accounts again? It's
against
>> what I need...
>>
>
> Well, as I don't know what you what, I can only advise on what I see,
and
> I see you trying to setup a standalone server.
>
>
>>     You might as well remove these lines, they are the defaults:
>>
>>             security = USER
>>             passdb backend = tdbsam
>>
>>
>> Don't I need to set the security level?
>>
>
> You don't need them because they are the *default* settings.
>
>
>>     You might as well remove this line, it isn't needed on a
>>     standalone server:
>>
>>             idmap config * : backend = tdb
>>
>> I didn't  set these parameters. They are reported by testparm
command.
>>
>
> Don't post a smb.conf from testparm without saying so, this is probably
> why you are getting the other two lines above, testparm shows *all* lines
> in smb.conf, the ones you added *and* the default ones.
>
>
> Where can I remove that?
>>
>>
>>     and you don't need to run the winbindd deamon.
>>
>>     You really should remove these lines, you are trying to make
>>     windows do something with passwords it really doesn't want to
do:
>>
>>             encrypt passwords = No
>>             client NTLMv2 auth = No
>>             client lanman auth = Yes
>>             client plaintext auth = Yes
>>
>>     Rowland
>>
>> I searched some articles on the internet said I need to set above lines
>> for the samba server and
>> plaintextpasswords = 1 for windows due to different encrypted methods
>> between windows and workstation.
>> I added those lines and It seems worked for samba old version (3.6.23)
.
>> How come it wind up irrelevant for 4.2.5 version?
>> Don't I need to set anything for this issue?
>> I've been removed most of these lines you suggested, which means I
nearly
>> set nothing.
>> but it still didn't work and I got the same message.
>>
>> [root at testcad16 samba]# smbclient -L //testcad16
>> Enter root's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> Here is my smb.conf setting.
>>
>> [root at testcad16 samba]# testparm
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
>> Processing section "[homes]"
>> Processing section "[printers]"
>> Loaded services file OK.
>> Server role: ROLE_STANDALONE
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>>         workgroup = SMBTEST
>>         server string = Samba Server Version %v
>>         idmap config * : backend = tdb
>>         hosts allow = 127. 172.26.
>>         cups options = raw
>>
>>
>> [homes]
>>         comment = Home Directories
>>         read only = No
>>         browseable = No
>>
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         printable = Yes
>>         print ok = Yes
>>         browseable = No
>>
>>
>> Regards,
>> Roger
>>
>>
> I think you are going to have to tell us just what you are trying to
> achieve. Also if your windows machines are part of a domain.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 04/11/15 10:44, mathias dufresne wrote:
> Once again: Samba always comes  with its own users database.
Not always, if you are running Samba as a domain member, then the main 
user database is stored on a DC, although they will be cached locally. 
If however as the OP seems to be doing, you are running samba as a 
Standalone server, you need to have a local database that is totally 
separate from any other user database, this is known as running as a 
WORKGROUP and it gets terribly messy after about 10 users.

The OP needs to explain just what his requirements are.

>
 >
 > You have Samba so you have Samba users in addition of systems users.
 > You have to use smbpasswd -a username. And telling that, I'm not
 > asking you anything, I'm telling you what you have to do to solve
 > your issue.
 >
 >

Yes, in a workgroup, you have to have system users and Samba users.

Rowland

2015-11-04 18:41 GMT+08:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 04/11/15 10:28, Roger Wu wrote:
>
>>
>>
>>
>>     OK, you seem to be trying to set up a standalone server, you do
>>     realise that you will need to create your users on this as well as
>>     on the windows machines.
>>
>>
>> yes, but I hope samba can use NIS authentication instead of using
it's
>> own database.
>> Do I need to use smbpasswd to create user accounts again? It's
against
>> what I need...
>>
>
> Well, as I don't know what you what, I can only advise on what I see,
and
> I see you trying to setup a standalone server.
>
>
>>     You might as well remove these lines, they are the defaults:
>>
>>             security = USER
>>             passdb backend = tdbsam
>>
>>
>> Don't I need to set the security level?
>>
>
> You don't need them because they are the *default* settings.
>
>
>>     You might as well remove this line, it isn't needed on a
>>     standalone server:
>>
>>             idmap config * : backend = tdb
>>
>> I didn't  set these parameters. They are reported by testparm
command.
>>
>
> Don't post a smb.conf from testparm without saying so, this is probably
> why you are getting the other two lines above, testparm shows *all* lines
> in smb.conf, the ones you added *and* the default ones.
>
>>
>>
> I think you are going to have to tell us just what you are trying to
> achieve. Also if your windows machines are part of a domain.
>
> Rowland
>
> Please pardon me for poor English. I tried to describe what I want as
clear as I can.
My goal is to make our users can access their own workstation account and
personal files from windows XP/7.
So, it seems to me that if I can setup a samba server and let users login
from windows using NIS authentication,
that would be perfect, then I don't need to create smb accounts again.
The only thing a user needs to do is to explore the link such as
\\testcad16\<user_account>, then one can access his own
workstation account and files.

In such case, how should I do to achieve my goal?
I've been tried many samba versions, and each version seems to have mild
difference while setting smb.conf.
some parameters work and some don't for one version, but maybe stands in
opposite for another.
I am kind of confused which parameters are what I need.

Here is my smb.conf (not from testparm), I removed comments and disabled
lines.
I did remove those lines you suggested,

[global]
        workgroup = SMBTEST
        server string = Samba Server Version %v
        netbios name = testcad16
        hosts allow = 127. 172.26.
        dns proxy = no

        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        browseable = no
        writable = yes
;       valid users = %S
;       valid users = MYDOMAIN\%S

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

and I tried some test as below

[root at testcad16 samba]# /etc/init.d/sernet-samba-smbd start
Starting SAMBA smbd :                                      [  OK  ]
[root at testcad16 samba]# /etc/init.d/sernet-samba-nmbd start
Starting SAMBA nmbd :                                      [  OK  ]
[root at testcad16 samba]# service sernet-samba-smbd status
Checking for SAMBA smbd :                                  [  OK  ]
[root at testcad16 samba]# service sernet-samba-nmbd status
Checking for SAMBA nmbd :                                  [  OK  ]
[root at testcad16 samba]# smbclient -L //testcad16
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

[root at testcad16 samba]# smbclient -d3 -L //testcad16
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=172.26.85.211 bcast=172.26.87.255
netmask=255.255.248.0
Client started (version 4.2.5-SerNet-RedHat-19.el6).
Enter root's password:
Connecting to 172.26.85.211 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x608a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE



Regards,
Roger







>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>