samba - Jan 2017 - Can't setup shares on domain member server samba4

I have a new CentOS 7 installation which I joined to my domain using 'realm
join mydomain.com'.  That worked great.  I can get a ticket with 'kinit
administrator at mydomain.com'.

 

But my samba shares don't work.  In fact, when I browse (from windows 7
domain member) to the host (lserver), it just times out.  Similarly, when I
try from another Linux server:

 

smbclient //lserver/test -U administrator at ocg.ca

Enter administrator at ocg.ca's password: 

session setup failed: NT_STATUS_NO_LOGON_SERVERS

 

I've gone in circles adding nmb, windbind, changing smb.conf options, etc.
After 3 days I'm pulling my hair out.  My exact same configuration works
fine on Centos 6.    I've included some output from a samba log showing the
smbclient failure.

 

I would appreciate any help!  Not sure where to go next.  (domain name
disguised below FYI)

 

------------------smb log for attempts
above-----------------------------------

[2017/01/23 14:11:21.441423,  0, pid=19581, effective(0, 0), real(0, 0),
class=auth]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)

  connect_to_domain_password_server: unable to open the domain client
session to machine DC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.

[2017/01/23 14:11:21.441541,  0, pid=19581, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth_domain.c:184(domain_client_validate)

  domain_client_validate: Domain password server not available.

[2017/01/23 14:11:21.441575,  5, pid=19581, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)

  check_ntlm_password: winbind authentication for user [administrator]
FAILED with error NT_STATUS_NO_LOGON_SERVERS

[2017/01/23 14:11:21.441588,  2, pid=19581, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)

  check_ntlm_password:  Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS

[2017/01/23 14:11:21.441598,  5, pid=19581, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:188(auth3_check_password)

  Checking NTLMSSP password for MYDOMAIN\administrator failed:
NT_STATUS_NO_LOGON_SERVERS

[2017/01/23 14:11:21.441614,  5, pid=19581, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)

  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for
MYDOMAIN\administrator failed: NT_STATUS_NO_LOGON_SERVERS

[2017/01/23 14:11:21.441626,  2, pid=19581, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)

  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS

------------------------------smb.conf--------------------------------------
---

[global]

        password server = 172.31.254.31

        security = ads

        idmap uid = 16777216-33554431

        idmap gid = 16777216-33554431

        winbind offline logon = true

        workgroup = MYDOMAIN

        realm = mydomain.com

        hosts allow = 127. 172.31.

 

        server string = Linux Server

        log file = /var/log/samba/%m.log

        max log size = 50

        log level = 10

        unix extensions = no

        wide links = yes

        load printers = No

        cups options = raw

        printcap name = /dev/null

        encrypt passwords = yes

        passdb backend = tdbsam

        guest ok = yes

        guest account = nobody

        wins support = yes

        wins server = 172.31.243.31

        kerberos method = secrets and keytab

 

[test]

        comment = Root of filesystem

        path = /test

        valid users = @"domain
admins"@mydomain.com,"myuser"@mydomain.com,root

 

 

-------------------------------krb5.conf-----------------------------

[logging]

default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

default_realm = MYDOMAIN.COM

ticket_lifetime = 24h

forwardable = yes

 

[realms]

MYDOMAIN.COM = {

  kdc = dc.MYDOMAIN.COM

  master_kdc = dc.MYDOMAIN.COM

  admin_server = dc.MYDOMAIN.COM

  default_domain = MYDOMAIN.COM

}

 

[domain_realm]

.MYDOMAIN.COM = MYDOMAIN.COM

MYDOMAIN.COM = MYDOMAIN.COM

On Mon, 23 Jan 2017 14:16:35 -0500
Telium Technical Support via samba <samba at lists.samba.org> wrote:
> I have a new CentOS 7 installation which I joined to my domain using
> 'realm join mydomain.com'.  That worked great.  I can get a ticket
> with 'kinit administrator at mydomain.com'.
Is sssd running ?
> 
> But my samba shares don't work.  In fact, when I browse (from windows
> 7 domain member) to the host (lserver), it just times out.
> Similarly, when I try from another Linux server:
> 
> smbclient //lserver/test -U administrator at ocg.ca
> Enter administrator at ocg.ca's password: 
> session setup failed: NT_STATUS_NO_LOGON_SERVERS
> 
> I've gone in circles adding nmb, windbind, changing smb.conf options,
> etc. After 3 days I'm pulling my hair out.  My exact same
> configuration works fine on Centos 6.    I've included some output
> from a samba log showing the smbclient failure.
> 
Try setting up smb.conf the recommended way, you are using deprecated
lines, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

On Mon, 23 Jan 2017 16:22:46 -0500
"Telium Technical Support" <support at telium.ca> wrote:
> And YES sssd service is running
> 
Then that is your problem, you cannot setup authentication in smb.conf
for sssd, sssd has its own conf file and you need to set up
authentication there, see the sssd documentation for how to do this.

You will also need to remove winbind and any winbind authentication
lines in smb.conf. You cannot use sssd AND winbind on a Unix domain
member, sssd has its own winbind lib. 

Rowland