Hello,

I have a CentOS 7 system configured as a samba server using ADS security. I am able to get users to login from PCs that are part of the AD domain but users coming from systems that are not part of the AD domain are not able to access the smb shares. Here is more information about the environment and issue:

--
# rpm -qa | grep -i samba
samba-client-4.6.2-12.el7_4.x86_64
samba-4.6.2-12.el7_4.x86_64
samba-common-libs-4.6.2-12.el7_4.x86_64
samba-winbind-4.6.2-12.el7_4.x86_64
samba-winbind-modules-4.6.2-12.el7_4.x86_64
samba-libs-4.6.2-12.el7_4.x86_64
samba-common-4.6.2-12.el7_4.noarch
samba-common-tools-4.6.2-12.el7_4.x86_64
samba-client-libs-4.6.2-12.el7_4.x86_64

[global]
    security = ADS
    realm = DOMAIN_FQDN
    workgroup = DOMAINX
    netbios name = systemx
    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    kerberos method = secrets and keytab
    map untrusted to domain = Yes
    server signing = auto
    client ntlmv2 auth = yes
    client use spnego = yes
    template shell = /bin/bash
    winbind use default domain = Yes
    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes
    idmap cache time = 0
    idmap config * : backend = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false
    syslog = 0
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 50

[data]
    comment = Local data
    path = /opt/test/data/
    valid users = userx
    public = no
    writeable = yes
    browseable = yes

smb error:

[2018/09/14 10:42:45.698030, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2018/09/14 10:42:45.722429, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2] len1=24 len2=238
[2018/09/14 10:42:45.722532, 3] ../source3/param/loadparm.c:3823(lp_load_ex)
  lp_load_ex: refreshing parameters
[2018/09/14 10:42:45.722647, 3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2018/09/14 10:42:45.722800, 3] ../source3/param/loadparm.c:2752(lp_do_section)
  Processing section "[global]"
[2018/09/14 10:42:45.723210, 1] ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
  WARNING: The "syslog" option is deprecated
[2018/09/14 10:42:45.723258, 2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[topspin-data]"
[2018/09/14 10:42:45.723438, 3] ../source3/param/loadparm.c:1592(lp_add_ipc)
  adding IPC service
[2018/09/14 10:42:45.724249, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
[2018/09/14 10:42:45.724310, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[user1]@[USER1-2VFVH5-2]
[2018/09/14 10:42:45.725035, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.743503, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.36.241.108
[2018/09/14 10:42:50.743611, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.750094, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.759071, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys3.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.762487, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys1.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.769100, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys2.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.774346, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.782810, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.790827, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.790878, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.790959, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.790984, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.791018, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.791042, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.793014, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.793741, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.799803, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.802540, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.802591, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.802657, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.802680, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.802765, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.802825, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.805115, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.805771, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.818209, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.821149, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.821200, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.821251, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.821271, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.821289, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.821331, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.823274, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.823505, 0] ../source3/auth/auth_domain.c:185(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2018/09/14 10:42:50.823540, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.823584, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.823705, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_sesssetup.c:134
[2018/09/14 10:42:50.861167, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62888215
[2018/09/14 10:42:50.885503, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2] len1=24 len2=238
[2018/09/14 10:42:50.885583, 3] ../source3/param/loadparm.c:3823(lp_load_ex)
  lp_load_ex: refreshing parameters
[2018/09/14 10:42:50.885702, 3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2018/09/14 10:42:50.885879, 3] ../source3/param/loadparm.c:2752(lp_do_section)
  Processing section "[global]"
[2018/09/14 10:42:50.886268, 1] ../lib/param/loadparm.c:1770(lpcfg_do_global_parameter)
  WARNING: The "syslog" option is deprecated
[2018/09/14 10:42:50.886336, 2] ../source3/param/loadparm.c:2769(lp_do_section)
  Processing section "[topspin-data]"
[2018/09/14 10:42:50.886510, 3] ../source3/param/loadparm.c:1592(lp_add_ipc)
  adding IPC service
[2018/09/14 10:42:50.886815, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[user1]@[USER1-2VFVH5-2] with the new password interface
[2018/09/14 10:42:50.886848, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[user1]@[USER1-2VFVH5-2]
[2018/09/14 10:42:50.887490, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.889618, 3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 10.36.241.108
[2018/09/14 10:42:50.889708, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.896439, 3] ../source3/libsmb/namequery.c:3160(get_dc_list)
  get_dc_list: preferred server list: ", *"
[2018/09/14 10:42:50.909971, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys1.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.913371, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys2.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.914733, 3] ../lib/util/util_net.c:256(interpret_string_addr_internal)
  interpret_string_addr_internal: getaddrinfo failed for name sys3.domain.xx.com (flags 0) [Name or service not known]
[2018/09/14 10:42:50.919404, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.925657, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.928222, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.928275, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.928395, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.928427, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.928448, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.928468, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.930364, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.930986, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.936178, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.938455, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.938501, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.938546, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.938563, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.938579, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.938652, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.940613, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.941187, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.946423, 3] ../source3/libsmb/cliconnect.c:271(cli_session_creds_prepare_krb5)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
[2018/09/14 10:42:50.949509, 3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2018/09/14 10:42:50.949562, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2018/09/14 10:42:50.949613, 3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2018/09/14 10:42:50.949633, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.949651, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2018/09/14 10:42:50.949671, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2018/09/14 10:42:50.951526, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.951723, 0] ../source3/auth/auth_domain.c:185(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2018/09/14 10:42:50.951757, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.951786, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.951864, 3] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_sesssetup.c:134
--

Any help with this would be greatly appreciated!

Thanks

On Fri, 14 Sep 2018 14:58:20 -0700 Jagga Soorma via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have a CentOS 7 system configured as a samba server using ADS
> security. I am able to get users to login from PCs that are part of
> the AD domain but users coming from systems that are not part of the
> AD domain are not able to access the smb shares. Here is more
> information about the environment and issue:
>
> [...]
>
> Any help with this would be greatly appreciated!
>
> Thanks

Are you also using sssd? If so, go and contact the sssd-users mailing list, it isn't a Samba problem.

If you are not using sssd, then go and read this Samba wiki page, the smb.conf is not set up correctly:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland

On Fri, 2018-09-14 at 14:58 -0700, Jagga Soorma via samba wrote:

> Hello,
>
> I have a CentOS 7 system configured as a samba server using ADS
> security. I am able to get users to login from PCs that are part of
> the AD domain but users coming from systems that are not part of the
> AD domain are not able to access the smb shares. Here is more
> information about the environment and issue:

You are running Samba as a member of an AD domain, but not running winbindd, so each smbd needs to contact the DC to check the password. We removed that code from later Samba versions as it was not reliable.

In this case it seems that either SMB1 or something about the NTLMSSP mode we chose is being used by Samba is disabled on the server.

Your in-domain users are being accepted because we can decrypt the kerberos ticket, presumably by the keytab that you somehow provided. Rowland is guessing you are using sssd to provide that, is that correct?

In any case, I suggest joining the domain and using winbindd.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
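
Added example (not part of the original thread and not Samba project code): a small Python triage script that splits an smbd level-3 log like the one posted above into authentication attempts and flags the pattern described in the last reply, where smbd itself connects to the DC on port 445 to check an NTLM password and every session setup is refused. The log excerpt is abridged from the original post; the function names, field names and finding labels are illustrative assumptions.

```python
import re

# Abridged excerpt of the level-3 smbd log from the original post (first attempt only).
SAMPLE_LOG = """\
[2018/09/14 10:42:45.722429, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[DOMAIN] workstation=[USER1-2VFVH5-2] len1=24 len2=238
[2018/09/14 10:42:50.774346, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.793014, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.793741, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.805115, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.805771, 3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.36.241.108 at port 445
[2018/09/14 10:42:50.823274, 3] ../source3/libsmb/cliconnect.c:1670(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The request is not supported.
[2018/09/14 10:42:50.823505, 0] ../source3/auth/auth_domain.c:185(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2018/09/14 10:42:50.823540, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NOT_SUPPORTED
[2018/09/14 10:42:50.823705, 3]../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_SUPPORTED] || at ../source3/smbd/smb2_sesssetup.c:134
"""

# Record header: "[timestamp, level] source.c:line(function)"; the space after "]" is optional.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
PREAUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
CONNECT = re.compile(r"Connecting to (\S+) at port (\d+)")
FAILED = re.compile(r"FAILED with error (\w+)")


def parse_entries(text):
    """Turn smbd's records (header line, then indented message lines) into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif line and entries:
            # Continuation line: it belongs to the most recent header.
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    for e in entries:
        e["level"] = int(e["level"])
    return entries


def summarise_attempts(entries):
    """Group entries into attempts; each ntlmssp_server_preauth record starts one."""
    attempts, cur = [], None
    for e in entries:
        func, msg = e["func"], e["msg"]
        if func == "ntlmssp_server_preauth":
            m = PREAUTH.search(msg)
            user, domain, wks = m.groups() if m else (None, None, None)
            cur = {"time": e["ts"], "user": user, "domain": domain,
                   "workstation": wks, "dc_connects": [],
                   "spnego_client_failures": 0, "direct_dc_auth": False,
                   "status": None}
            attempts.append(cur)
        elif cur is None:
            continue  # records before the first attempt are ignored
        elif func == "open_socket_out_send" and (m := CONNECT.search(msg)):
            cur["dc_connects"].append(f"{m.group(1)}:{m.group(2)}")
        elif func == "cli_session_setup_creds_done_spnego" and "SPNEGO login failed" in msg:
            cur["spnego_client_failures"] += 1
        elif func == "domain_client_validate":
            # auth_domain.c: smbd is validating the password against the DC itself.
            cur["direct_dc_auth"] = True
        elif func == "auth_check_ntlm_password" and (m := FAILED.search(msg)):
            cur["status"] = m.group(1)
    return attempts


def diagnose(attempt):
    """Return an illustrative finding label for one attempt."""
    if attempt["direct_dc_auth"] and attempt["status"] == "NT_STATUS_NOT_SUPPORTED":
        # The case in this thread: no winbindd, smbd's own DC session setup is refused.
        return "smbd-direct-dc-auth-rejected"
    if attempt["status"]:
        return "auth-failed-other"
    return "no-failure-logged"


if __name__ == "__main__":
    for a in summarise_attempts(parse_entries(SAMPLE_LOG)):
        print(a["time"], a["domain"], a["user"], a["dc_connects"],
              a["spnego_client_failures"], a["status"], diagnose(a))
```
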