Vitaly Karasik
2017-Apr-04 11:31 UTC
[Samba] Samba file sharing with AD authentication doesn't work on some boxes
I have a few RHEL7 boxes, all of them are members of an MS Win domain using SSSD. All of these linuxes run Samba for file sharing with the same config. Usually it works nicely, but from time to time users cannot map Samba folders, with the following message in the log:

    [2017/03/07 14:58:27.050493, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
      connect_to_domain_password_server: unable to open the domain client session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
    [2017/03/07 14:58:27.050756, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
      domain_client_validate: Domain password server not available.

"From time to time" - i.e., sometimes a certain Samba box is broken for a long time, sometimes some box stops working for some time.

Unfortunately, I cannot blame the MS Win admins because at the same time some Samba boxes are OK when others are broken. Any ideas?

My Samba is samba-4.4.4-12.el7_3.x86_64, config is

    security = ADS
    passdb backend = tdbsam
    realm = EXAMPLE.LOCAL
    password server = x.x.x.x y.y.y.y

Any ideas?

Thank you,
Vitaly
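An added example, not part of the original post and not Samba code: a parser for the smbd log records quoted above that groups `connect_to_domain_password_server` failures by file server and domain controller, so it is visible whether the failures follow one server or one DC. The server names fs01/fs02 and the third log record are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample (fs01/fs02 are hypothetical); only the first two fs01 records are from the post.
SAMPLE_LOGS = {
    "fs01": """\
[2017/03/07 14:58:27.050493, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
[2017/03/07 14:58:27.050756, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/03/07 15:03:10.000001, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC01.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
""",
    "fs02": "",  # a server that logged no such failure in the same window
}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+\S+\((\w+)\)")
FAILURE = re.compile(r"session to machine (\S+)\. Error was : (NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, function, message) for each header line plus its body."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            current = (ts, m.group(3), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def dc_failures(logs):
    """Return {server: {dc: (last_status, first_seen, last_seen, count)}}."""
    out = {}
    for server, text in logs.items():
        per_dc = out.setdefault(server, {})
        for ts, func, msg in records(text):
            m = FAILURE.search(msg)
            if func == "connect_to_domain_password_server" and m:
                dc, status = m.group(1).lower(), m.group(2)
                _, first, last, n = per_dc.get(dc, (status, ts, ts, 0))
                per_dc[dc] = (status, min(first, ts), max(last, ts), n + 1)
    return out

if __name__ == "__main__":
    print(dc_failures(SAMPLE_LOGS))
```

A server that shows failures against several DCs while its peers show none in the same window points at that server's own domain membership rather than at a particular DC.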
amit kumar
2017-Apr-04 13:37 UTC
[Samba] Samba file sharing with AD authentication doesn't work on some boxes
Hello,

Try configuring samba-servers with kerberos authentication from AD.

Thanks

On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> I have a few RHEL7 boxes, all of them are members in MS Win domain using
> SSSD. All of these linuxes run Samba for file sharing with the same config.
> Usually it works nice, but from time to time users cannot map Samba
> folders, with the following message in the log:
>
> [2017/03/07 14:58:27.050493, 0]
> ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
>
> connect_to_domain_password_server: unable to open the domain client
> session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
>
> [2017/03/07 14:58:27.050756, 0]
> ../source3/auth/auth_domain.c:184(domain_client_validate)
>
> domain_client_validate: Domain password server not available.
>
> "From time to time" - i.e., sometimes certain Samba box is broken for a
> long time, sometime some box is stopping to work for some time.
>
> Unfortunately, I cannot blame MS Win admins because in the same time some
> Samba boxes are OK when others are broken. Any ideas?
>
> My Samba is samba-4.4.4-12.el7_3.x86_64, config is
>
> security = ADS
>
> passdb backend = tdbsam
>
> realm = EXAMPLE.LOCAL
>
> password server = x.x.x.x y.y.y.y
>
> Any ideas?
>
> Thank you,
>
> Vitaly

--
Thanks
Amit Kumar
There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.
amit kumar
2017-Apr-04 13:38 UTC
[Samba] Samba file sharing with AD authentication doesn't work on some boxes
Hello,

Try configuring samba-servers with kerberos authentication from AD.

Thanks

On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> I have a few RHEL7 boxes, all of them are members in MS Win domain using
> SSSD. All of these linuxes run Samba for file sharing with the same config.
> Usually it works nice, but from time to time users cannot map Samba
> folders, with the following message in the log:
>
> [2017/03/07 14:58:27.050493, 0]
> ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
>
> connect_to_domain_password_server: unable to open the domain client
> session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
>
> [2017/03/07 14:58:27.050756, 0]
> ../source3/auth/auth_domain.c:184(domain_client_validate)
>
> domain_client_validate: Domain password server not available.
>
> "From time to time" - i.e., sometimes certain Samba box is broken for a
> long time, sometime some box is stopping to work for some time.
>
> Unfortunately, I cannot blame MS Win admins because in the same time some
> Samba boxes are OK when others are broken. Any ideas?
>
> My Samba is samba-4.4.4-12.el7_3.x86_64, config is
>
> security = ADS
>
> passdb backend = tdbsam
>
> realm = EXAMPLE.LOCAL
>
> password server = x.x.x.x y.y.y.y
>
> Any ideas?
>
> Thank you,
>
> Vitaly

--
Thanks
Amit Kumar
There are three ways to get something done:
(1) Do it yourself.
(2) Hire someone to do it for you.
(3) Forbid your kids to do it.
L.P.H. van Belle
2017-Apr-04 14:20 UTC
[Samba] Samba file sharing with AD authentication doesn't work on some boxes
Hello,

I suggest you start reading here:
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

and if you want to use winbind and not sssd,
read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Now I don't use sssd and there is another mailing list for sssd (sssd is not related to samba (yet)), but my guesses are..

- your keytab is expiring and not refreshed.
- Time out of sync between the servers.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of amit kumar via samba
> Sent: Tuesday 4 April 2017 15:38
> To: me at vitalykarasik.com
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba file sharing with AD authentication doesn't work on some boxes
>
> Hello,
>
> Try configure samba-servers with kerberos authentication from AD.
>
> Thanks
>
> On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> > I have a few RHEL7 boxes, all of them are members in MS Win domain using
> > SSSD. All of these linuxes run Samba for file sharing with the same config.
> > Usually it works nice, but from time to time users cannot map Samba
> > folders, with the following message in the log:
> >
> > [2017/03/07 14:58:27.050493, 0]
> > ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
> >
> > connect_to_domain_password_server: unable to open the domain client
> > session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
> >
> > [2017/03/07 14:58:27.050756, 0]
> > ../source3/auth/auth_domain.c:184(domain_client_validate)
> >
> > domain_client_validate: Domain password server not available.
> >
> > "From time to time" - i.e., sometimes certain Samba box is broken for a
> > long time, sometime some box is stopping to work for some time.
> >
> > Unfortunately, I cannot blame MS Win admins because in the same time some
> > Samba boxes are OK when others are broken. Any ideas?
> >
> > My Samba is samba-4.4.4-12.el7_3.x86_64, config is
> >
> > security = ADS
> >
> > passdb backend = tdbsam
> >
> > realm = EXAMPLE.LOCAL
> >
> > password server = x.x.x.x y.y.y.y
> >
> > Any ideas?
> >
> > Thank you,
> >
> > Vitaly
>
> --
> Thanks
> Amit Kumar
> There are three ways to get something done:
> (1) Do it yourself.
> (2) Hire someone to do it for you.
> (3) Forbid your kids to do it.
Vitaly Karasik
2017-Apr-04 14:54 UTC
[Samba] Samba file sharing with AD authentication doesn't work on some boxes
Thank you both!

Probably I'm missing something, but doesn't the fact that we're able to use AD users for Linux logins indicate that SSSD stuff is OK, and there is something wrong on Samba level?

Vitaly

On Tue, Apr 4, 2017 at 5:20 PM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I suggest you start reading here:
> https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server
>
> and if you want to use winbind and not sssd.
> read : https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Now i dont use sssd and there is an other mailing list for sssd, ( sssd is
> not related to samba (yet) but my guesses are..
>
> - your keytab is expiring and not refreshed.
> - Time out of sync between the servers.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of amit kumar via samba
> > Sent: Tuesday 4 April 2017 15:38
> > To: me at vitalykarasik.com
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] Samba file sharing with AD authentication doesn't work on some boxes
> >
> > Hello,
> >
> > Try configure samba-servers with kerberos authentication from AD.
> >
> > Thanks
> >
> > On 04/04/2017 05:01 PM, Vitaly Karasik via samba wrote:
> > > I have a few RHEL7 boxes, all of them are members in MS Win domain using
> > > SSSD. All of these linuxes run Samba for file sharing with the same config.
> > > Usually it works nice, but from time to time users cannot map Samba
> > > folders, with the following message in the log:
> > >
> > > [2017/03/07 14:58:27.050493, 0]
> > > ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
> > >
> > > connect_to_domain_password_server: unable to open the domain client
> > > session to machine DC03.example.LOCAL. Error was : NT_STATUS_ACCESS_DENIED.
> > >
> > > [2017/03/07 14:58:27.050756, 0]
> > > ../source3/auth/auth_domain.c:184(domain_client_validate)
> > >
> > > domain_client_validate: Domain password server not available.
> > >
> > > "From time to time" - i.e., sometimes certain Samba box is broken for a
> > > long time, sometime some box is stopping to work for some time.
> > >
> > > Unfortunately, I cannot blame MS Win admins because in the same time some
> > > Samba boxes are OK when others are broken. Any ideas?
> > >
> > > My Samba is samba-4.4.4-12.el7_3.x86_64, config is
> > >
> > > security = ADS
> > >
> > > passdb backend = tdbsam
> > >
> > > realm = EXAMPLE.LOCAL
> > >
> > > password server = x.x.x.x y.y.y.y
> > >
> > > Any ideas?
> > >
> > > Thank you,
> > >
> > > Vitaly
> >
> > --
> > Thanks
> > Amit Kumar
> > There are three ways to get something done:
> > (1) Do it yourself.
> > (2) Hire someone to do it for you.
> > (3) Forbid your kids to do it.