samba - Apr 2017 - samba, sssd, Active Directory, NT_STATUS_NO_LOGON_SERVERS, NT_STATUS_ACCESS_DENIED

> Now go and ask your question on the sssd-users mailing list, this
> has nothing to do with Samba.

Thank you for the response.

Why do you say this has nothing to do with samba?

The samba logs indicate the problem is with samba.
The sssd logs show everything working except for samba.

I changed my smb.conf to default setting and setting that should not be there
(as explained in your previous email) but that did not resolve anything.

When max debug on for sssd I do not see samba even using sssd for authentication
information.

Maybe a permissions problem on the AD DC? Although I can auth via ssh?

[2017/04/23 16:38:33.202569,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to
machine DC-1.CORP.CELADONSYSTEMS.COM. Error was : NT_STATUS_ACCESS_DENIED.

Can you recommend web links on confirming permissions are appropriate on the AD
DC?

Maybe switching back to winbind is the right choice? Setting up sssd is just a
lot easier.

--
Bob Tanner <tanner at real-time.com>                                 |
Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax      : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7  7785 CBFB 10BF 568B F98C

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 266 bytes
Desc: Message signed with OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20170423/61674a1a/signature.sig>

What exactly are you trying to accomplish?  Based on the smb.conf that you
posted, it looks like you only want to be able to authenticate using the
active directory server (i.e. I don't see any shares).  If you are only
authenticating to an M$ AD server, sssd is all that you need.  Samba
doesn't even need to be installed on your machine.

I think Rowland's recommendation of asking on the sssd list (or switching
to winbind) is your best bet.

Hope that helps.

Mike E.



On Apr 23, 2017 6:00 PM, "Bob Tanner via samba" <samba at
lists.samba.org>
wrote:
> Now go and ask your question on the sssd-users mailing list, this
> has nothing to do with Samba.

Thank you for the response.

Why do you say this has nothing to do with samba?

The samba logs indicate the problem is with samba.
The sssd logs show everything working except for samba.

I changed my smb.conf to default setting and setting that should not be
there (as explained in your previous email) but that did not resolve
anything.

When max debug on for sssd I do not see samba even using sssd for
authentication information.

Maybe a permissions problem on the AD DC? Although I can auth via ssh?

[2017/04/23 16:38:33.202569,  0]
../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session
to machine DC-1.CORP.CELADONSYSTEMS.COM. Error was :
NT_STATUS_ACCESS_DENIED.

Can you recommend web links on confirming permissions are appropriate on
the AD DC?

Maybe switching back to winbind is the right choice? Setting up sssd is
just a lot easier.

--
Bob Tanner <tanner at real-time.com>                                 |
Phone :
952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax      :
952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7  7785 CBFB 10BF 568B F98C


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

> On Apr 23, 2017, at 10:15 PM, Data Control Systems - Mike Elkevizth
<mike at datacontrolsystems.com> wrote:
> 
> What exactly are you trying to accomplish?  Based on the smb.conf that you
posted, it looks like you only want to be able to authenticate using the active
directory server (i.e. I don't see any shares).

I did not include the share as I didn’t think it was relevant. Included now.

[global]
    workgroup = CORP
    realm = CORP.CELADONSYSTEMS.COM
    server string = samba-2
    security = ADS
    kerberos method = secrets and keytab

    log file = /var/log/samba/%m.log

    logon script = %U.bat
    load printers = no

[users]
    path = /var/samba/users
    public = no
    printable = no
    browseable = no
    writeable = yes
    hide dot files = yes
    veto files = .*
    force create mode = 0664
    force directory mode = 2775
    wide links = no

--
Bob Tanner <tanner at real-time.com>                                 |
Phone : 952-943-8700
http://www.real-time.com, Linux, OSX, VMware, Windows | Fax      : 952-943-8500
Key fingerprint = 9906 320A 8BB6 64AD 96A7  7785 CBFB 10BF 568B F98C

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 266 bytes
Desc: Message signed with OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20170424/6b210c83/signature.sig>