Telium Technical Support
2017-Jan-23 19:16 UTC
[Samba] Can't setup shares on domain member server samba4
I have a new CentOS 7 installation which I joined to my domain using 'realm
join mydomain.com'. That worked great. I can get a ticket with 'kinit
administrator at mydomain.com'.
But my samba shares don't work. In fact, when I browse (from Windows 7
domain member) to the host (lserver), it just times out. Similarly, when I
try from another Linux server:
smbclient //lserver/test -U administrator at ocg.ca
Enter administrator at ocg.ca's password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
I've gone in circles adding nmb, winbind, changing smb.conf options, etc.
After 3 days I'm pulling my hair out. My exact same configuration works
fine on CentOS 6. I've included some output from a samba log showing the
smbclient failure.
I would appreciate any help! Not sure where to go next. (domain name
disguised below FYI)
------------------smb log for attempts above-----------------------------------
[2017/01/23 14:11:21.441423, 0, pid=19581, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/01/23 14:11:21.441541, 0, pid=19581, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/01/23 14:11:21.441575, 5, pid=19581, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2017/01/23 14:11:21.441588, 2, pid=19581, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2017/01/23 14:11:21.441598, 5, pid=19581, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
  Checking NTLMSSP password for MYDOMAIN\administrator failed: NT_STATUS_NO_LOGON_SERVERS
[2017/01/23 14:11:21.441614, 5, pid=19581, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for MYDOMAIN\administrator failed: NT_STATUS_NO_LOGON_SERVERS
[2017/01/23 14:11:21.441626, 2, pid=19581, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
------------------------------smb.conf-----------------------------------------
[global]
password server = 172.31.254.31
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind offline logon = true
workgroup = MYDOMAIN
realm = mydomain.com
hosts allow = 127. 172.31.
server string = Linux Server
log file = /var/log/samba/%m.log
max log size = 50
log level = 10
unix extensions = no
wide links = yes
load printers = No
cups options = raw
printcap name = /dev/null
encrypt passwords = yes
passdb backend = tdbsam
guest ok = yes
guest account = nobody
wins support = yes
wins server = 172.31.243.31
kerberos method = secrets and keytab
[test]
comment = Root of filesystem
path = /test
valid users = @"domain admins"@mydomain.com,"myuser"@mydomain.com,root
-------------------------------krb5.conf-----------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = dc.MYDOMAIN.COM
master_kdc = dc.MYDOMAIN.COM
admin_server = dc.MYDOMAIN.COM
default_domain = MYDOMAIN.COM
}
[domain_realm]
.MYDOMAIN.COM = MYDOMAIN.COM
MYDOMAIN.COM = MYDOMAIN.COM
Rowland Penny
2017-Jan-23 20:23 UTC
[Samba] Can't setup shares on domain member server samba4
On Mon, 23 Jan 2017 14:16:35 -0500 Telium Technical Support via samba <samba at lists.samba.org> wrote:

> I have a new CentOS 7 installation which I joined to my domain using
> 'realm join mydomain.com'. That worked great. I can get a ticket
> with 'kinit administrator at mydomain.com'.

Is sssd running?

> But my samba shares don't work. In fact, when I browse (from Windows
> 7 domain member) to the host (lserver), it just times out.
> Similarly, when I try from another Linux server:
>
> smbclient //lserver/test -U administrator at ocg.ca
> Enter administrator at ocg.ca's password:
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>
> I've gone in circles adding nmb, winbind, changing smb.conf options,
> etc. After 3 days I'm pulling my hair out. My exact same
> configuration works fine on CentOS 6. I've included some output
> from a samba log showing the smbclient failure.

Try setting up smb.conf the recommended way, you are using deprecated lines, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
Rowland Penny
2017-Jan-23 22:34 UTC
[Samba] Can't setup shares on domain member server samba4
On Mon, 23 Jan 2017 16:22:46 -0500 "Telium Technical Support" <support at telium.ca> wrote:

> And YES sssd service is running

Then that is your problem, you cannot setup authentication in smb.conf for sssd, sssd has its own conf file and you need to set up authentication there, see the sssd documentation for how to do this. You will also need to remove winbind and any winbind authentication lines in smb.conf. You cannot use sssd AND winbind on a Unix domain member, sssd has its own winbind lib.

Rowland
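
Added example, not part of the original thread: a small Python check for the two problems the replies name, deprecated smb.conf lines and winbind settings on a host where sssd is running. The function names and the `sssd_active` flag are assumptions; the replies do not say which lines are deprecated, so the check lists only `idmap uid` and `idmap gid`, which are deprecated in favour of `idmap config * : range`. The sample is an excerpt of the smb.conf posted above.

```python
import re

# Deprecated smb.conf parameters (superseded by "idmap config * : range").
# The thread does not name the deprecated lines; this set is an assumption.
DEPRECATED = {"idmap uid", "idmap gid"}

# Excerpt of the smb.conf posted in the thread.
SAMPLE = """\
[global]
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind offline logon = true
workgroup = MYDOMAIN
[test]
path = /test
"""

def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse whitespace runs.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_member_config(text, sssd_active):
    """List findings; sssd_active is e.g. the result of `systemctl is-active sssd`."""
    params = parse_global(text)
    findings = [f"deprecated: {key}" for key in sorted(params.keys() & DEPRECATED)]
    winbind = sorted(k for k in params if k.startswith("winbind"))
    if sssd_active and winbind:
        findings.append("conflict: sssd is running and smb.conf sets " + ", ".join(winbind))
    return findings

if __name__ == "__main__":
    for finding in check_member_config(SAMPLE, sssd_active=True):
        print(finding)
```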