samba - Apr 2017 - Samba file sharing with AD authentication doesn't work on some boxes

I have a few RHEL7 boxes, all of them are members in MS Win domain using
SSSD. All of these linuxes run Samba for file sharing with the same config.
Usually it works nice, but from time to time users cannot map Samba
folders, with the following message in the log:


[2017/03/07 14:58:27.050493,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)

  connect_to_domain_password_server: unable to open the domain client
session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.

[2017/03/07 14:58:27.050756,  0]
../source3/auth/auth_domain.c:184(domain_client_validate)

  domain_client_validate: Domain password server not available.


"From time to time" - i.e., sometimes certain Samba box is broken for
a
long time, sometime some box is stopping to work for some time.

Unfortunately, I cannot blame MS Win admins because in the same time some
Samba boxes are OK when others are broken. Any ideas?


My Samba is samba-4.4.4-12.el7_3.x86_64, config is


security = ADS

passdb backend = tdbsam

realm = EXAMPLE.LOCAL

password server = x.x.x.x y.y.y.y


Any ideas?


Thank you,

Vitaly

Hello,

Try configure samba-servers with kerberos authentication from AD.

Thanks


On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> I have a few RHEL7 boxes, all of them are members in MS Win domain using
> SSSD. All of these linuxes run Samba for file sharing with the same config.
> Usually it works nice, but from time to time users cannot map Samba
> folders, with the following message in the log:
>
>
> [2017/03/07 14:58:27.050493,  0]
> ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
>
>   connect_to_domain_password_server: unable to open the domain client
> session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
>
> [2017/03/07 14:58:27.050756,  0]
> ../source3/auth/auth_domain.c:184(domain_client_validate)
>
>   domain_client_validate: Domain password server not available.
>
>
> "From time to time" - i.e., sometimes certain Samba box is broken
for a
> long time, sometime some box is stopping to work for some time.
>
> Unfortunately, I cannot blame MS Win admins because in the same time some
> Samba boxes are OK when others are broken. Any ideas?
>
>
> My Samba is samba-4.4.4-12.el7_3.x86_64, config is
>
>
> security = ADS
>
> passdb backend = tdbsam
>
> realm = EXAMPLE.LOCAL
>
> password server = x.x.x.x y.y.y.y
>
>
> Any ideas?
>
>
> Thank you,
>
> Vitaly
-- 
Thanks
Amit Kumar
There are three ways to get something done:
  (1) Do it yourself.
  (2) Hire someone to do it for you.
  (3) Forbid your kids to do it.

Hello,

Try configure samba-servers with kerberos authentication from AD.

Thanks


On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> I have a few RHEL7 boxes, all of them are members in MS Win domain using
> SSSD. All of these linuxes run Samba for file sharing with the same config.
> Usually it works nice, but from time to time users cannot map Samba
> folders, with the following message in the log:
>
>
> [2017/03/07 14:58:27.050493,  0]
> ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
>
>   connect_to_domain_password_server: unable to open the domain client
> session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
>
> [2017/03/07 14:58:27.050756,  0]
> ../source3/auth/auth_domain.c:184(domain_client_validate)
>
>   domain_client_validate: Domain password server not available.
>
>
> "From time to time" - i.e., sometimes certain Samba box is broken
for a
> long time, sometime some box is stopping to work for some time.
>
> Unfortunately, I cannot blame MS Win admins because in the same time some
> Samba boxes are OK when others are broken. Any ideas?
>
>
> My Samba is samba-4.4.4-12.el7_3.x86_64, config is
>
>
> security = ADS
>
> passdb backend = tdbsam
>
> realm = EXAMPLE.LOCAL
>
> password server = x.x.x.x y.y.y.y
>
>
> Any ideas?
>
>
> Thank you,
>
> Vitaly
-- 
Thanks
Amit Kumar
There are three ways to get something done:
  (1) Do it yourself.
  (2) Hire someone to do it for you.
  (3) Forbid your kids to do it.

Hello, 

I suggest you start reading here:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server 

and if you want to use winbind and not sssd. 
read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

Now i dont use sssd and there is an other mailing list for sssd, ( sssd is not
related to samba (yet) but my guesses are..

- your keytab is expiring and not refreshed. 
- Time out of sync between the servers. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens amit kumar via
> samba
> Verzonden: dinsdag 4 april 2017 15:38
> Aan: me at vitalykarasik.com
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba file sharing with AD authentication
doesn't
> work on some boxes
> 
> Hello,
> 
> Try configure samba-servers with kerberos authentication from AD.
> 
> Thanks
> 
> 
> On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> > I have a few RHEL7 boxes, all of them are members in MS Win domain
using
> > SSSD. All of these linuxes run Samba for file sharing with the same
> config.
> > Usually it works nice, but from time to time users cannot map Samba
> > folders, with the following message in the log:
> >
> >
> > [2017/03/07 14:58:27.050493,  0]
> > ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
> >
> >   connect_to_domain_password_server: unable to open the domain client
> > session to machine DC03.example.LOCAL. Error was :
> NT_STATUS_ACCESS_DENIED.
> >
> > [2017/03/07 14:58:27.050756,  0]
> > ../source3/auth/auth_domain.c:184(domain_client_validate)
> >
> >   domain_client_validate: Domain password server not available.
> >
> >
> > "From time to time" - i.e., sometimes certain Samba box is
broken for a
> > long time, sometime some box is stopping to work for some time.
> >
> > Unfortunately, I cannot blame MS Win admins because in the same time
> some
> > Samba boxes are OK when others are broken. Any ideas?
> >
> >
> > My Samba is samba-4.4.4-12.el7_3.x86_64, config is
> >
> >
> > security = ADS
> >
> > passdb backend = tdbsam
> >
> > realm = EXAMPLE.LOCAL
> >
> > password server = x.x.x.x y.y.y.y
> >
> >
> > Any ideas?
> >
> >
> > Thank you,
> >
> > Vitaly
> 
> --
> Thanks
> Amit Kumar
> There are three ways to get something done:
>   (1) Do it yourself.
>   (2) Hire someone to do it for you.
>   (3) Forbid your kids to do it.
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Thank you both!

Probably I'm missing something, but doesn't the fact that we're able
to use
AD users for Linux logins indicate that SSSD stuff is OK, and  there is
something  wrong on Samba level?

Vitaly

On Tue, Apr 4, 2017 at 5:20 PM, L.P.H. van Belle via samba <
samba at lists.samba.org> wrote:
> Hello,
>
> I suggest you start reading here:
> https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
>
> and if you want to use winbind and not sssd.
> read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_
> Domain_Member
>
> Now i dont use sssd and there is an other mailing list for sssd, ( sssd is
> not related to samba (yet) but my guesses are..
>
> - your keytab is expiring and not refreshed.
> - Time out of sync between the servers.
>
>
> Greetz,
>
> Louis
>
>
>
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens amit kumar
via
> > samba
> > Verzonden: dinsdag 4 april 2017 15:38
> > Aan: me at vitalykarasik.com
> > CC: samba at lists.samba.org
> > Onderwerp: Re: [Samba] Samba file sharing with AD authentication
doesn't
> > work on some boxes
> >
> > Hello,
> >
> > Try configure samba-servers with kerberos authentication from AD.
> >
> > Thanks
> >
> >
> > On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> > > I have a few RHEL7 boxes, all of them are members in MS Win
domain
> using
> > > SSSD. All of these linuxes run Samba for file sharing with the
same
> > config.
> > > Usually it works nice, but from time to time users cannot map
Samba
> > > folders, with the following message in the log:
> > >
> > >
> > > [2017/03/07 14:58:27.050493,  0]
> > >
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
> > >
> > >   connect_to_domain_password_server: unable to open the domain
client
> > > session to machine DC03.example.LOCAL. Error was :
> > NT_STATUS_ACCESS_DENIED.
> > >
> > > [2017/03/07 14:58:27.050756,  0]
> > > ../source3/auth/auth_domain.c:184(domain_client_validate)
> > >
> > >   domain_client_validate: Domain password server not available.
> > >
> > >
> > > "From time to time" - i.e., sometimes certain Samba box
is broken for a
> > > long time, sometime some box is stopping to work for some time.
> > >
> > > Unfortunately, I cannot blame MS Win admins because in the same
time
> > some
> > > Samba boxes are OK when others are broken. Any ideas?
> > >
> > >
> > > My Samba is samba-4.4.4-12.el7_3.x86_64, config is
> > >
> > >
> > > security = ADS
> > >
> > > passdb backend = tdbsam
> > >
> > > realm = EXAMPLE.LOCAL
> > >
> > > password server = x.x.x.x y.y.y.y
> > >
> > >
> > > Any ideas?
> > >
> > >
> > > Thank you,
> > >
> > > Vitaly
> >
> > --
> > Thanks
> > Amit Kumar
> > There are three ways to get something done:
> >   (1) Do it yourself.
> >   (2) Hire someone to do it for you.
> >   (3) Forbid your kids to do it.
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>