hi everyone, .. one of the Sambas fails to authenticate users. I have four virtually identical Samba systems which are configured as AD members. All servers seem fine, I can $ net ads lookup | status | dn | user | testjoin .. and so on. But, problem is that all servers except one can successfully: smbclient -L $(hostname) -UDOM\\user here that one server fails: SPNEGO login failed: Logon failure session setup failed: NT_STATUS_LOGON_FAILURE That one server was the only one which was initially configured as local Samba to IPA domain. But I $ net conf drop and I force config backend = file I'm guessing it's somewhere id database/registry of Samba that prevents successful users authentication/verification. Would you suggest how to troubleshoot it? Without wiping samba/configuration clean. Version 4.2.10 I have full access to win AD DC (which I'm not very fluent at) if that helps. many thanks for any help L.
Rowland Penny
2016-Sep-13 11:04 UTC
[Samba] samba as ADS member(s) - virtually identical yet..
On Tue, 13 Sep 2016 11:37:39 +0100 lejeczek via samba <samba at lists.samba.org> wrote:> hi everyone, > > .. one of the Sambas fails to authenticate users. > > I have four virtually identical Samba systems which are > configured as AD members. > All servers seem fine, I can > $ net ads lookup | status | dn | user | testjoin .. and so on. > > But, problem is that all servers except one can successfully: > > smbclient -L $(hostname) -UDOM\\user > > here that one server fails: > SPNEGO login failed: Logon failure > session setup failed: NT_STATUS_LOGON_FAILURE > > That one server was the only one which was initially > configured as local Samba to IPA domain. > But I > $ net conf drop > and I force config backend = file > > I'm guessing it's somewhere id database/registry of Samba > that prevents successful users authentication/verification. > > Would you suggest how to troubleshoot it? Without wiping > samba/configuration clean. > Version 4.2.10 > I have full access to win AD DC (which I'm not very fluent > at) if that helps. > > many thanks for any help > L. > >If only one domain member is giving problems, it is likely to be a problem with that computer. You could start by comparing the conf files on the non working computer with a working computer. It might help if you give us a bit more info, what OS ? post your conf files, we might spot something. Rowland
no conf files are the the culprit I'm afraid, not that easy. I programmatically compared all relevant config files, they only differ where they have to, exclude shares and only differences are: dedicated keytab file netbios name One peculiarity I spotted is when I rejoin that Samba system: DNS Update for rider.private.domain.local failed: ERROR_DNS_GSS_ERROR DNS update failed: NT_STATUS_UNSUCCESSFUL Than again a "but" - all four servers are in the same DNS domain, and name resolution seems to work ok, from AD DC point of view - it resolves Samba systems names - and from Samba's, all Samba's get to AD via DNS. Again - everything seems to be fine except for that smbclient on that one server fails. Guest can list the shares - but a user with password fails. Even AD DC itself sees & lists that Samba's shares - and if on Samba I disable guest auth method - that DC authenticates with user+pass fine, apparently! Version 4.2.10 @ centos 7.2 and AD is Win 2021R2. thanks L. On 13/09/16 12:04, Rowland Penny via samba wrote:> On Tue, 13 Sep 2016 11:37:39 +0100 > lejeczek via samba <samba at lists.samba.org> wrote: > >> hi everyone, >> >> .. one of the Sambas fails to authenticate users. >> >> I have four virtually identical Samba systems which are >> configured as AD members. >> All servers seem fine, I can >> $ net ads lookup | status | dn | user | testjoin .. and so on. >> >> But, problem is that all servers except one can successfully: >> >> smbclient -L $(hostname) -UDOM\\user >> >> here that one server fails: >> SPNEGO login failed: Logon failure >> session setup failed: NT_STATUS_LOGON_FAILURE >> >> That one server was the only one which was initially >> configured as local Samba to IPA domain. >> But I >> $ net conf drop >> and I force config backend = file >> >> I'm guessing it's somewhere id database/registry of Samba >> that prevents successful users authentication/verification. >> >> Would you suggest how to troubleshoot it? Without wiping >> samba/configuration clean. >> Version 4.2.10 >> I have full access to win AD DC (which I'm not very fluent >> at) if that helps. >> >> many thanks for any help >> L. >> >> > If only one domain member is giving problems, it is likely to be a > problem with that computer. > You could start by comparing the conf files on the non working computer > with a working computer. > > It might help if you give us a bit more info, what OS ? > post your conf files, we might spot something. > > Rowland >
On 13-9-2016 12:37, lejeczek via samba wrote:> hi everyone, > > .. one of the Sambas fails to authenticate users. > > I have four virtually identical Samba systems which are configured as AD > members. > All servers seem fine, I canTime synchronization perhaps? MJ
Seemingly Similar Threads
- samba as ADS member(s) - virtually identical yet..
- Failed to issue the StartTLS instruction - yet ldap ssl = no is set
- 3.6.23-25.el6_7 and 4.2.10 and "Domain Admins" are/not Admins?
- Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?
- Failed to issue the StartTLS instruction - yet ldap ssl = no is set