Bob Tanner
2017-Apr-21 23:44 UTC
[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED
Environment
=========================================================================
ubuntu 16.04
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2

At site1 the above works. My ubuntu server running samba+sssd can authenticate to the Windows Server 2008 R2 for services like ssh and samba.

At site2, with the same setup as site1, I can authenticate with services like ssh, but samba authentication fails with NT_STATUS_NO_LOGON_SERVERS and/or NT_STATUS_ACCESS_DENIED errors.

smb.conf
=========================================================================
[global]
   workgroup = CORP
   realm = CORP.CELADONSYSTEMS.COM
   preferred master = no
   wins server = 10.77.14.249
   server string = samba-2
   security = ADS
   encrypt passwords = true
   obey pam restrictions = yes
   kerberos method = secrets and keytab
   logging = file at 5
   log file = /var/log/samba/%m.log
   log level = 5
   max xmit = 16384
   # NO roaming profiles http://melecio.org/node/5
   logon path
   logon home
   logon script = %U.bat
   idmap config CORP : backend = ad
   idmap uid = 600-20000
   idmap gid = 600-20000
   template shell = /bin/bash
   template homedir = /var/samba/users/%U
   client signing = yes
   client use spnego = yes
   client ntlmv2 auth = yes
   restrict anonymous = 2
   load printers = no

sssd.conf
=========================================================================
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
domains = CORP.CELADONSYSTEMS.COM
debug_level = 7

[domain/CORP.CELADONSYSTEMS.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.
# Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
ad_hostname = samba-2

# Uncomment if DNS SRV resolution is not working
ad_server = dc-1.corp.celadonsystems.com

# Uncomment if the AD domain is named differently than the Samba domain
ad_domain = CORP.CELADONSYSTEMS.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true

=========================================================================
$ smbclient -d3 //samba-2/users -U test
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=10.77.14.251 bcast=10.77.14.255 netmask=255.255.255.0
Client started (version 4.3.11-Ubuntu).
Enter test's password:
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name samba-2<0x20>
resolve_wins: using WINS server 10.77.14.249 and tag '*'
resolve_hosts: Attempting host lookup for name samba-2<0x20>
Connecting to 10.77.14.251 at port 445
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554.1.2.2
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178 at please_ignore
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: No logon servers
session setup failed: NT_STATUS_NO_LOGON_SERVERS

/var/log/samba/10.77.14.251.log
=========================================================================
https://gist.github.com/basictheprogram/50565b96d435f37fbba17ad75ccb56c3

/var/log/sssd/sssd_CORP.CELADONSYSTEMS.COM.log
=========================================================================
https://gist.github.com/basictheprogram/76d5051b6113f4d9f5731ad8a1216349

--
Bob Tanner <tanner at real-time.com> | Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7 7785 CBFB 10BF 568B F98C
Rowland Penny
2017-Apr-22 07:06 UTC
[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED
On Fri, 21 Apr 2017 23:44:26 +0000
Bob Tanner via samba <samba at lists.samba.org> wrote:

> Environment
> =========================================================================
> ubuntu 16.04
> samba 4.3.11+dfsg-0ubuntu0.16.04.6
> sssd 1.13.4-1ubuntu1.2
> Windows Server 2008 R2
>
> At site1 the above works. My ubuntu server running samba+sssd can
> authenticate to the Windows Server 2008 R2 for services like ssh and
> samba.
>
> At site2 the same setup as site1 I can authenticate with services
> like ssh but samba authentication fails with
> NT_STATUS_NO_LOGON_SERVERS, and/or NT_STATUS_ACCESS_DENIED errors.
>

If all the default settings, and the settings that shouldn't be there because you are using sssd, are removed, your [global] part should look like this:

[global]
   workgroup = CORP
   realm = CORP.CELADONSYSTEMS.COM
   server string = samba-2
   security = ADS
   kerberos method = secrets and keytab
   logging = file at 5
   log file = /var/log/samba/%m.log
   log level = 5
   max xmit = 16384
   logon script = %U.bat
   restrict anonymous = 2
   load printers = no

If winbind is installed and running, stop it and remove it; even if it isn't running, remove it. You may have to re-install sssd: winbind and sssd interfere with each other.

Now go and ask your question on the sssd-users mailing list; this has nothing to do with Samba.

If you want to use winbind instead of sssd, remove sssd and then read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
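As an added example (not code from the thread), a small Python checker that parses an smb.conf [global] section and separates the parameters kept in the reply above from the ones it drops; the drop list is the difference between the two configs in this thread, and the sample config is a constructed subset of the poster's.

```python
import re

# Parameters Rowland's reply strips from the poster's [global]: Samba defaults and
# winbind/idmap settings that do not belong in an sssd-managed AD member's smb.conf.
DROP_WITH_SSSD = {
    "preferred master", "wins server", "encrypt passwords", "obey pam restrictions",
    "logon path", "logon home", "idmap config", "idmap uid", "idmap gid",
    "template shell", "template homedir", "client signing", "client use spnego",
    "client ntlmv2 auth",
}

def normalise_key(raw):
    # Keys are case- and whitespace-insensitive; "idmap config DOM : opt" keys on the prefix.
    key = re.sub(r"\s+", " ", raw.strip().lower())
    return "idmap config" if key.startswith("idmap config") else key

def parse_smb_conf(text):
    # Return {section: [(key, value), ...]} in file order, skipping comments and blanks.
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((normalise_key(key), value.strip()))
    return sections

def audit_global(text):
    # Split [global] into parameters to keep and parameters to drop when sssd handles
    # identity and authentication for the domain member.
    params = parse_smb_conf(text).get("global", [])
    keep = [(k, v) for k, v in params if k not in DROP_WITH_SSSD]
    drop = [(k, v) for k, v in params if k in DROP_WITH_SSSD]
    return keep, drop

# Constructed sample: a subset of the poster's [global] section.
SAMPLE = """[global]
   workgroup = CORP
   wins server = 10.77.14.249
   security = ADS
   # NO roaming profiles
   logon path =
   idmap config CORP : backend = ad
   idmap uid = 600-20000
"""
```

Run `audit_global(open("/etc/samba/smb.conf").read())` to get the same keep/drop split for a real file; a parameter with an empty value (like `logon path =`) is reported with `""` as its value.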
Bob Tanner
2017-Apr-23 21:59 UTC
[Samba] samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED
> Now go and ask your question on the sssd-users mailing list, this
> has nothing to do with Samba.

Thank you for the response.

Why do you say this has nothing to do with samba? The samba logs indicate the problem is with samba. The sssd logs show everything working except for samba.

I changed my smb.conf to remove the default settings and the settings that should not be there (as explained in your previous email), but that did not resolve anything.

With max debug on for sssd I do not see samba even using sssd for authentication information.

Maybe a permissions problem on the AD DC? Although I can auth via ssh?

[2017/04/23 16:38:33.202569, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.CELADONSYSTEMS.COM. Error was : NT_STATUS_ACCESS_DENIED.

Can you recommend web links on confirming permissions are appropriate on the AD DC?

Maybe switching back to winbind is the right choice? Setting up sssd is just a lot easier.

--
Bob Tanner <tanner at real-time.com> | Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7 7785 CBFB 10BF 568B F98C