hi everyone,

.. one of the Sambas fails to authenticate users.

I have four virtually identical Samba systems which are configured as AD members.
All servers seem fine, I can
$ net ads lookup | status | dn | user | testjoin .. and so on.

But, problem is that all servers except one can successfully:

smbclient -L $(hostname) -UDOM\\user

here that one server fails:
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

That one server was the only one which was initially configured as local Samba to IPA domain.
But I
$ net conf drop
and I force config backend = file

I'm guessing it's somewhere id database/registry of Samba that prevents successful users authentication/verification.

Would you suggest how to troubleshoot it? Without wiping samba/configuration clean.
Version 4.2.10
I have full access to win AD DC (which I'm not very fluent at) if that helps.

many thanks for any help
L.
Rowland Penny
2016-Sep-13 11:04 UTC
[Samba] samba as ADS member(s) - virtually identical yet..
On Tue, 13 Sep 2016 11:37:39 +0100
lejeczek via samba <samba at lists.samba.org> wrote:

> hi everyone,
>
> .. one of the Sambas fails to authenticate users.
>
> I have four virtually identical Samba systems which are
> configured as AD members.
> All servers seem fine, I can
> $ net ads lookup | status | dn | user | testjoin .. and so on.
>
> But, problem is that all servers except one can successfully:
>
> smbclient -L $(hostname) -UDOM\\user
>
> here that one server fails:
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> That one server was the only one which was initially
> configured as local Samba to IPA domain.
> But I
> $ net conf drop
> and I force config backend = file
>
> I'm guessing it's somewhere id database/registry of Samba
> that prevents successful users authentication/verification.
>
> Would you suggest how to troubleshoot it? Without wiping
> samba/configuration clean.
> Version 4.2.10
> I have full access to win AD DC (which I'm not very fluent
> at) if that helps.
>
> many thanks for any help
> L.
>
>

If only one domain member is giving problems, it is likely to be a problem with that computer.
You could start by comparing the conf files on the non working computer with a working computer.

It might help if you give us a bit more info, what OS ?
post your conf files, we might spot something.

Rowland
no conf files are the culprit I'm afraid, not that easy.
I programmatically compared all relevant config files, they only differ where they have to, exclude shares and only differences are:

dedicated keytab file
netbios name

One peculiarity I spotted is when I rejoin that Samba system:

DNS Update for rider.private.domain.local failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

Then again a "but" - all four servers are in the same DNS domain, and name resolution seems to work ok, from AD DC point of view - it resolves Samba systems names - and from Samba's, all Samba's get to AD via DNS.

Again - everything seems to be fine except for that smbclient on that one server fails.
Guest can list the shares - but a user with password fails.
Even AD DC itself sees & lists that Samba's shares - and if on Samba I disable guest auth method - that DC authenticates with user+pass fine, apparently!

Version 4.2.10 @ centos 7.2 and AD is Win 2021R2.

thanks
L.

On 13/09/16 12:04, Rowland Penny via samba wrote:
> On Tue, 13 Sep 2016 11:37:39 +0100
> lejeczek via samba <samba at lists.samba.org> wrote:
>
>> hi everyone,
>>
>> .. one of the Sambas fails to authenticate users.
>>
>> I have four virtually identical Samba systems which are
>> configured as AD members.
>> All servers seem fine, I can
>> $ net ads lookup | status | dn | user | testjoin .. and so on.
>>
>> But, problem is that all servers except one can successfully:
>>
>> smbclient -L $(hostname) -UDOM\\user
>>
>> here that one server fails:
>> SPNEGO login failed: Logon failure
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> That one server was the only one which was initially
>> configured as local Samba to IPA domain.
>> But I
>> $ net conf drop
>> and I force config backend = file
>>
>> I'm guessing it's somewhere id database/registry of Samba
>> that prevents successful users authentication/verification.
>>
>> Would you suggest how to troubleshoot it? Without wiping
>> samba/configuration clean.
>> Version 4.2.10
>> I have full access to win AD DC (which I'm not very fluent
>> at) if that helps.
>>
>> many thanks for any help
>> L.
>>
>>
> If only one domain member is giving problems, it is likely to be a
> problem with that computer.
> You could start by comparing the conf files on the non working computer
> with a working computer.
>
> It might help if you give us a bit more info, what OS ?
> post your conf files, we might spot something.
>
> Rowland
>
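One way to do the config comparison discussed above, as an added example that is not part of any post in this thread: it normalizes parameter names the way smb.conf does (case and whitespace in names are ignored), skips share sections, and ignores the two per-host parameters named in the thread. The sample configs are constructed; backslash-continued lines and parameter synonyms are assumed absent.

```python
# Added example: diff the [global] sections of two smb.conf files,
# skipping parameters that are expected to differ per host.
EXPECTED_DIFFS = {"netbiosname", "dedicatedkeytabfile"}  # named in the thread

def parse_global(text):
    """Return {normalized_parameter_name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names ignore case
            continue
        if section != "global" or "=" not in line:
            continue                              # shares are excluded
        name, value = line.split("=", 1)          # only the first '=' counts
        # smb.conf ignores case and whitespace inside parameter names
        params["".join(name.split()).lower()] = value.strip()
    return params

def unexpected_diffs(working, failing, ignore=EXPECTED_DIFFS):
    """Map each differing parameter to (working_value, failing_value)."""
    a, b = parse_global(working), parse_global(failing)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}

# Constructed sample configs; hostnames, paths and values are placeholders.
WORKING = """
[global]
   security = ads
   netbios name = HOSTA
   dedicated keytab file = /etc/samba/hosta.keytab
   kerberos method = dedicated keytab
[share1]
   path = /srv/one
"""
FAILING = """
[global]
   Security = ads
   NetBIOS Name = HOSTB
   dedicated keytab file = /etc/samba/hostb.keytab
   kerberos method = secrets only
   ; leftover setting from an earlier setup
   config backend = registry
"""

if __name__ == "__main__":
    for key, (w, f) in unexpected_diffs(WORKING, FAILING).items():
        print(f"{key}: working={w!r} failing={f!r}")
```

To use it on real hosts, read each server's smb.conf into a string and pass the pair to `unexpected_diffs`.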
On 13-9-2016 12:37, lejeczek via samba wrote:
> hi everyone,
>
> .. one of the Sambas fails to authenticate users.
>
> I have four virtually identical Samba systems which are configured as AD
> members.
> All servers seem fine, I can

Time synchronization perhaps?

MJ