I have an NT domain on Debian Stretch. It's been upgraded numerous
times, but has been running for almost a decade. Since upgrading from
4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot
connect to shares. Prior to upgrading, I found the changes mentioned
for 4.2 regarding NT domains and applied them. Even so, I still cannot
connect to network shares nor print to network printers.

smb.conf for DC

[global]
workgroup = DOMAIN.COM
server string = Samba PDC
map to guest = Bad User
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.z"
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = No
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins host bcast
time server = Yes
deadtime = 15
load printers = No
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
shutdown script = /sbin/shutdown -h now
abort shutdown script = /sbin/shutdown -c
logon script = %U.bat
logon path = ""
logon drive = U:
logon home = \\am1100\users\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=admin,dc=domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
require strong key = No
allow nt4 crypto = Yes
idmap config * : backend = tdb
admin users = root dale "@Domain Admins"
hosts allow = 192.168.0. 127.
ea support = Yes
veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
map archive = No
map readonly = no
store dos attributes = Yes

member server smb.conf

[global]
workgroup = DOMAIN.COM
server string = Samba File Server
server role = member server
security = DOMAIN
allow trusted domains = No
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://192.168.0.y"
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
map untrusted to domain = Yes
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = wins host bcast
client signing = No
server signing = No
deadtime = 15
printcap cache time = 300
printcap name = cups
wins server = 192.168.0.y
ldap admin dn = cn=admin,dc=domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
require strong key = No
allow nt4 crypto = Yes
admin users = root dale "@Domain Admins"
hosts allow = 192.168.0.0/255.255.255.0 127.0.0.1
ea support = Yes
veto oplock files = /*.doc/*.DOC/*.xls/*.XLS/*.mdb/*.MDB/
map archive = No
map readonly = no
store dos attributes = Yes

Connecting to the DC from a Win7 system, I get this:

[2016/03/10 18:06:08.234861, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded
[2016/03/10 18:57:24.235719, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded
[2016/03/10 19:55:30.516145, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.3:49899 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/10 19:55:56.746553, 0] ../source3/rpc_server/srv_pipe.c:443(pipe_auth_generic_bind)
  ../source3/rpc_server/srv_pipe.c:443: auth_generic_server_authtype_start[68/6] failed: NT_STATUS_NOT_FOUND
[2016/03/10 19:55:56.886317, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [MASTER$] -> [MASTER$] -> [master$] succeeded
[2016/03/10 19:55:56.915982, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded

Connecting to the DC from a linux desktop, I get this:

[2016/03/23 20:56:45.371682, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [dale] -> [dale] FAILED with error NT_STATUS_WRONG_PASSWORD
[2016/03/23 21:06:56.306813, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
[2016/03/23 21:06:56.306829, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43982 read error = NT_STATUS_CONNECTION_RESET.
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44055 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.307205, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:43805 read error = NT_STATUS_CONNECTION_RESET.
[2016/03/23 21:06:56.311944, 1] ../source3/smbd/process.c:554(receive_smb_talloc)
  receive_smb_raw_talloc failed for client ipv4:192.168.0.15:44638 read error = NT_STATUS_CONNECTION_RESET.

Connecting to the file server from Win7:

[2016/03/23 20:47:16.885244, 6, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOMAIN.COM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2016/03/23 20:47:16.885281, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2016/03/23 20:47:16.885319, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [dale]
[2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/23 20:47:16.885461, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
  Check auth for: [dale]
[2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dale] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [dale] -> [dale] FAILED with error NT_STATUS_NO_LOGON_SERVERS

Connecting to the file server from linux system:

[2016/03/15 19:00:08.751754, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_util.c:1548(is_trusted_domain)
  wb_is_trusted_domain returned error: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752144, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:62(make_user_info)
  attempting to make a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752195, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:70(make_user_info)
  making strings for ABORT's user_info struct
[2016/03/15 19:00:08.752237, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:108(make_user_info)
  making blobs for ABORT's user_info struct
[2016/03/15 19:00:08.752274, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_info.c:159(make_user_info)
  made a user_info for ABORT (ABORT)
[2016/03/15 19:00:08.752310, 3, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN.COM]\[ABORT]@[MASTER2015] with the new password interface
[2016/03/15 19:00:08.752350, 3, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN.COM]\[ABORT]@[MASTER2015]
[2016/03/15 19:00:08.752386, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:190(auth_check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2016/03/15 19:00:08.752442, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  challenge is:
[2016/03/15 19:00:08.752486, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_builtin.c:44(check_guest_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752522, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2016/03/15 19:00:08.752560, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752601, 6, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_sam.c:88(auth_samstrict_auth)
  check_samstrict_security: DOMAIN.COM is not one of my local names (ROLE_DOMAIN_MEMBER)
[2016/03/15 19:00:08.752639, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:233(auth_check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2016/03/15 19:00:08.752677, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752769, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/15 19:00:08.752813, 10, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:280(check_ntdomain_security)
  Check auth for: [ABORT]
[2016/03/15 19:00:08.752898, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/15 19:00:08.752939, 5, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [ABORT] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/15 19:00:08.752997, 2, pid=30212, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [ABORT] -> [ABORT] FAILED with error NT_STATUS_NO_LOGON_SERVERS

The winbind error messages are correct, as I use nss_ldap/pam_ldap for
authentication, and that works. getent retrieves all ldap users and
groups on both DC and member. I can successfully ssh into either the DC
or member. Oddly, I can access a share on the DC from the Win7 system,
but no other shares.

Can anyone spot what I've missed in the upgrade?

Thanks,
Dale

No takers thus far. These are the Samba 4.2 changes to which I
previously referred (https://www.samba.org/samba/history/samba-4.2.0.html):

For the client side we have the following new options:
"require strong key" (yes by default), "reject md5 servers" (no by
default).
E.g. for Samba 3.0.37 you need "require strong key = no" and
for NT4 DCs you need "require strong key = no" and "client NTLMv2
auth = no",

On the server side (as domain controller) we have the following new
options:
"allow nt4 crypto" (no by default), "reject md5 client" (no by
default).
E.g. in order to allow Samba < 3.0.27 or NT4 members to work
you need "allow nt4 crypto = yes"

I believe I have applied them correctly, but have not had any success to
date. All member servers are Debian Jessie or Stretch, and the Windows
systems are all Win7.

Can anyone please advise as to why the clients see no logon server?

Thanks,
Dale

On 03/24/2016 1:34 PM, Dale Schroeder wrote:
> I have an NT domain on Debian Stretch. It's been upgraded numerous
> times, but has been running for almost a decade. Since upgrading from
> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot
> connect to shares. Prior to upgrading, I found the changes mentioned
> for 4.2 regarding NT domains and applied them. Even so, I still
> cannot connect to network shares nor print to network printers.
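
An added example, not part of the thread and not Samba code: a small audit of the [global] section for the netlogon options named in the 4.2.0 release notes quoted above, plus the NTLMv2, signing and LDAP transport settings that appear in the posted configs. The function names and the sample text (abbreviated from the member-server config in this thread, with a constructed [share] section) are assumptions of this sketch.

```python
import re
from typing import Callable, Dict, List, NamedTuple, Tuple

# Spellings treated here as boolean "off" / "on" (compared case-insensitively).
OFF = {"no", "false", "off", "0"}
ON = {"yes", "true", "on", "1"}


class Finding(NamedTuple):
    line: int
    param: str
    value: str
    reason: str


def canon(name: str) -> str:
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def is_off(value: str) -> bool:
    return value.lower() in OFF


def is_on(value: str) -> bool:
    return value.lower() in ON


def signing_off(value: str) -> bool:
    return is_off(value) or value.lower() == "disabled"


# canonical parameter name -> (test for the weakening value, why it matters)
RULES: Dict[str, Tuple[Callable[[str], bool], str]] = {
    canon("require strong key"): (is_off,
        "strong netlogon key not required; 4.2.0 notes: default yes, "
        "relax only for Samba 3.0.37 or NT4 DCs"),
    canon("allow nt4 crypto"): (is_on,
        "DC accepts NT4-era netlogon crypto; 4.2.0 notes: default no, "
        "enable only for Samba < 3.0.27 or NT4 members"),
    canon("client NTLMv2 auth"): (is_off,
        "client sends NTLM (v1) responses instead of NTLMv2"),
    canon("client signing"): (signing_off,
        "SMB signing disabled on outgoing connections"),
    canon("server signing"): (signing_off,
        "server does not offer SMB signing"),
    canon("ldap ssl"): (is_off,
        "passdb LDAP traffic, binds included, is sent without TLS"),
}


def parse_global(text: str) -> Dict[str, Tuple[int, str, str]]:
    """Map canonical name -> (line, name as written, value) for [global].

    A later assignment replaces an earlier one; other sections are skipped.
    """
    params: Dict[str, Tuple[int, str, str]] = {}
    section = ""
    carry = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = carry + raw.strip()
        carry = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            carry = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            # Split on the first "=" only: LDAP DNs contain "=" themselves.
            name, value = line.split("=", 1)
            params[canon(name)] = (lineno, name.strip(), value.strip())
    return params


def audit(text: str) -> List[Finding]:
    """Return the weakened settings found in [global], ordered by line."""
    return sorted(
        Finding(line, name, value, RULES[key][1])
        for key, (line, name, value) in parse_global(text).items()
        if key in RULES and RULES[key][0](value)
    )


# Constructed sample: abbreviated member-server config from this thread.
SAMPLE_SMB_CONF = """\
# abbreviated member-server smb.conf
[global]
workgroup = DOMAIN.COM
security = DOMAIN
client signing = No
server signing = No
ldap ssl = no
require strong key = No
allow nt4 crypto = Yes
[share]
; constructed: a share section must not be read as global
require strong key = yes
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SMB_CONF):
        print(f"line {f.line}: {f.param} = {f.value}  ({f.reason})")
```
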

You may have included this in another email however I will ask anyway,
did you set DNS to your server in the Linux and Windows clients? Can you
check if a Windows Server can join? Can you use DNS management to check
the DNS on your samba server?

On Mar 28, 2016 2:15 PM, "Dale Schroeder" <dale at briannassaladdressing.com> wrote:
> No takers thus far. These are the Samba 4.2 changes to which I previously
> referred (https://www.samba.org/samba/history/samba-4.2.0.html) :
>
> For the client side we have the following new options:
> "require strong key" (yes by default), "reject md5 servers" (no by
> default).
> E.g. for Samba 3.0.37 you need "require strong key = no" and
> for NT4 DCs you need "require strong key = no" and "client NTLMv2 auth
> = no",
>
> On the server side (as domain controller) we have the following new
> options:
> "allow nt4 crypto" (no by default), "reject md5 client" (no by
> default).
> E.g. in order to allow Samba < 3.0.27 or NT4 members to work
> you need "allow nt4 crypto = yes"
>
> I believe I have applied them correctly, but have not had any success to
> date. All member servers are Debian Jessie or Stretch, and the Windows
> systems are all Win7.
>
> Can anyone please advise as to why the clients see no logon server?
>
> Thanks,
> Dale
>
>
> On 03/24/2016 1:34 PM, Dale Schroeder wrote:
>
>> I have an NT domain on Debian Stretch. It's been upgraded numerous
>> times, but has been running for almost a decade. Since upgrading from
>> 4.1.17 to 4.3.3 (huge Debian jump), then to 4.3.6, clients cannot connect
>> to shares. Prior to upgrading, I found the changes mentioned for 4.2
>> regarding NT domains and applied them. Even so, I still cannot connect to
>> network shares nor print to network printers.
are correct, as I use nss_ldap/pam_ldap for >> authentication, and that works. getent retrieves all ldap users and groups >> on both DC and member. I can successfully ssh into either the DC or >> member. Oddly, I can access a share on the DC from the Win7 system, but no >> other shares. >> >> Can anyone spot what I've missed in the upgrade? >> >> Thanks, >> Dale >> >> >> >> >> >> >> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
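Added example (not part of the original post and not Samba code): a short Python parser for smbd log entries in the format quoted above, which pairs each final `check_ntlm_password` verdict with the backend messages the same smbd process logged before it. The sample is constructed from the quoted excerpts with the quote markers removed and each header on one line (an assumed on-disk layout); the names `entries`, `verdicts` and `SAMPLE` are hypothetical.

```python
import re
# Constructed sample: entries from the excerpts quoted above, quote markers
# removed and each header on a single line (assumed on-disk layout).
SAMPLE = """\
[2016/03/23 20:47:16.885418, 10, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed:
  WBC_ERR_WINBIND_NOT_AVAILABLE
[2016/03/23 20:47:16.885544, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:297(check_ntdomain_security)
  check_ntdomain_security: unable to locate a DC for domain DOMAIN.COM
[2016/03/23 20:47:16.885584, 5, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [dale] FAILED with
  error NT_STATUS_NO_LOGON_SERVERS
[2016/03/23 20:47:16.885646, 2, pid=10907, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [dale] -> [dale] FAILED
  with error NT_STATUS_NO_LOGON_SERVERS
[2016/03/10 19:55:56.915982, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [dale] -> [dale] -> [dale] succeeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)(?:,\s*pid=(\d+))?[^\]]*\]\s+(\S+)\((\w+)\)")
VERDICT = re.compile(r"check_ntlm_password:\s+(?:(\w+) )?[Aa]uthentication for user \[([^\]]+)\]"
                     r".*?(?:FAILED with error (NT_STATUS_\w+)|(succeeded))")
HINT = re.compile(r"WBC_ERR_\w+|unable to locate a DC for domain \S+")

def entries(text):
    """Yield (timestamp, level, pid, function, message), joining wrapped message lines."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield tuple(cur)
            cur = [m.group(1), int(m.group(2)), m.group(3), m.group(5), ""]
        elif cur and line.strip():
            cur[4] = (cur[4] + " " + line.strip()).strip()
    if cur:
        yield tuple(cur)

def verdicts(text):
    """Return final verdicts; each failure carries the backend hints logged before it."""
    out, hints = [], {}
    for ts, level, pid, func, msg in entries(text):
        hints.setdefault(pid, []).extend(HINT.findall(msg))
        m = VERDICT.search(msg)
        if m and m.group(1) is None:  # no backend prefix: the overall result
            status = m.group(3) or "OK"
            out.append({"time": ts, "user": m.group(2), "status": status,
                        "hints": hints.pop(pid, []) if status != "OK" else []})
    return out
```

Calling `verdicts(open(path).read())` on a log captured at debug level 5 or higher gives one record per authentication attempt, so the failing backend can be read next to the final NT_STATUS code.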