Hello!

We have Samba v3 (3.5.10) working against an LDAP server, and need to upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple configs of the smb.conf (including the old config) without success. Cleaned up smb.conf is below. Also included is the output of a smbclient command on the SMBServer with debug option 10. Hoping that someone can point me in the right direction.

Thanks

[global]
security = user
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap ssl = off
ldap passwd sync = yes
ldap delete dn = no
workgroup = WORKGROUP
server string = "Samba Drives"
netbios name = SMBServer
log file = /var/log/samba/log.%m

# For debugging enable the log level of 5
log level = 5
max log size = 50

# LDAP Settings
ldap suffix = "o=EXAMPLE"
ldap admin dn = "cn=PUSer,ou=Proxies,ou=Auth,o=EXAMPLE"
passdb backend = ldapsam:ldap://ldapserver.example.com

[homes]
valid users = %S
read only = No
writeable = yes
browseable = no
create mask = 0600
public = No
comment = %u's Z-Drive
nt acl support = no
inherit permissions = no
hide dot files = yes
directory mask = 0700
force create mode = 0700
valid users = MYDOMAIN\%S

--------------------------------------------------------------------------------------------------
[root at SMBServer samba]# smbclient //localhost/share -U johndoe -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
Processing section "[global]"
doing parameter security = user
doing parameter ldap user suffix = ou=people
doing parameter ldap group suffix = ou=groups
doing parameter ldap ssl = off
doing parameter ldap passwd sync = yes
doing parameter ldap delete dn = no
doing parameter workgroup = WORKGROUP
doing parameter server string = "A Drives"
doing parameter netbios name = SMBServer
doing parameter log file = /var/log/samba/log.%m
doing parameter log level = 5
doing parameter max log size = 50
doing parameter ldap suffix = "o=EXAMPLE"
doing parameter ldap admin dn = "cn=cecs,ou=Proxies,ou=Auth,o=EXAMPLE"
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface enp7s0f1 ip=192.168.2.192 bcast=192.168.2.255 netmask=255.255.255.0
added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SMBServer"
Client started (version 4.7.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31 04:00:00 PM 1969 PST] (-1539716622 seconds in the past)
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up localhost#20 (sitename (null))
name localhost#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to 127.0.0.1 at port 445
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 2626560
  SO_RCVBUF = 1061296
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
session request ok
negotiated dialect[SMB3_11] against server[localhost]
got OID=1.3.6.1.4.1.311.2.2.10
Enter EXAMPLE.COM\johndoe's password:
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
negotiate: struct NEGOTIATE_MESSAGE
    Signature                : 'NTLMSSP'
    MessageType              : NtLmNegotiate (1)
    NegotiateFlags           : 0x62088215 (1644724757)
        1: NTLMSSP_NEGOTIATE_UNICODE
        0: NTLMSSP_NEGOTIATE_OEM
        1: NTLMSSP_REQUEST_TARGET
        1: NTLMSSP_NEGOTIATE_SIGN
        0: NTLMSSP_NEGOTIATE_SEAL
        0: NTLMSSP_NEGOTIATE_DATAGRAM
        0: NTLMSSP_NEGOTIATE_LM_KEY
        0: NTLMSSP_NEGOTIATE_NETWARE
        1: NTLMSSP_NEGOTIATE_NTLM
        0: NTLMSSP_NEGOTIATE_NT_ONLY
        0: NTLMSSP_ANONYMOUS
        0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
        0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
        0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
        1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
        0: NTLMSSP_TARGET_TYPE_DOMAIN
        0: NTLMSSP_TARGET_TYPE_SERVER
        0: NTLMSSP_TARGET_TYPE_SHARE
        1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
        0: NTLMSSP_NEGOTIATE_IDENTIFY
        0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
        0: NTLMSSP_NEGOTIATE_TARGET_INFO
        1: NTLMSSP_NEGOTIATE_VERSION
        1: NTLMSSP_NEGOTIATE_128
        1: NTLMSSP_NEGOTIATE_KEY_EXCH
        0: NTLMSSP_NEGOTIATE_56
    DomainNameLen            : 0x0000 (0)
    DomainNameMaxLen         : 0x0000 (0)
    DomainName               : *
        DomainName               : ''
    WorkstationLen           : 0x0000 (0)
    WorkstationMaxLen        : 0x0000 (0)
    Workstation              : *
        Workstation              : ''
    Version: struct ntlmssp_VERSION
        ProductMajorVersion      : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
        ProductMinorVersion      : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
        ProductBuild             : 0x0000 (0)
        Reserved: ARRAY(3)
            [0]                      : 0x00 (0)
            [1]                      : 0x00 (0)
            [2]                      : 0x00 (0)
        NTLMRevisionCurrent      : NTLMSSP_REVISION_W2K3 (15)
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_TARGET_TYPE_SERVER
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_TARGET_INFO
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
short string '', sent with NULL termination despite NOTERM flag in IDL
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
  NTLMSSP_NEGOTIATE_VERSION
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
I can not see any ldap call, did you try to tcpdump for ldap packets?

Michal

On Tue, 16 Oct 2018 at 21:14, Emil Henry via samba <samba at lists.samba.org> wrote:
> Hello!
>
> We have Samba v3 (3.5.10) working against an LDAP server, and need to upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple configs of the smb.conf (including the old config) without success. Cleaned up smb.conf is below. Also included is the output of a smbclient command on the SMBServer with debug option 10. Hoping that someone can point me in the right direction.
>
> Thanks
>
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Michal!

I am attaching the log for the smbclient connection. It might have everything you asked for.

Thanks!

On Tue, Oct 16, 2018 at 12:24 PM Michal <Michal67M at seznam.cz> wrote:
> I can not see any ldap call, did you try to tcpdump for ldap packets?
>
> Michal
>
> On Tue, 16 Oct 2018 at 21:14, Emil Henry via samba <samba at lists.samba.org> wrote:
>> Hello!
>>
>> We have Samba v3 (3.5.10) working against an LDAP server, and need to upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple configs of the smb.conf (including the old config) without success. Cleaned up smb.conf is below. Also included is the output of a smbclient command on the SMBServer with debug option 10. Hoping that someone can point me in the right direction.
>>
>> Thanks
>>
>> [...]
On Tue, 16 Oct 2018 12:13:16 -0700
Emil Henry via samba <samba at lists.samba.org> wrote:
> Hello!
>
> We have Samba v3 (3.5.10) working against an LDAP server, and need to upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple configs of the smb.conf (including the old config) without success. Cleaned up smb.conf is below. Also included is the output of a smbclient command on the SMBServer with debug option 10. Hoping that someone can point me in the right direction.
>
> Thanks
>
> [...]

Hmm, I don't think this is going to work:

negotiated dialect[SMB3_11] against server[localhost]

Try adding:

server max protocol = NT1
client max protocol = NT1

to smb.conf.

Check that Samba can contact the ldap server.

Rowland
On Tue, 16 Oct 2018 13:05:39 -0700
Emil Henry <hbcsc153 at gmail.com> wrote:
> Hi Rowland!
>
> That did not work. Yes, that samba server can connect to the LDAP server.
>
> What is also interesting is that when I do a "testparm", I do get a "idmap config * : backend = tdb" in the output, even though I do not have that entry in the smb.conf.

Don't worry about that, it is one of the default settings and will be ignored by your setup.

What are you trying to connect from? Is this client using NTLMv1? This is now turned off by default.

The big problem here is that NT4-style domains aren't getting the love they once did and it seems that changes made to make AD work better are having a detrimental effect on them. It also doesn't help that Microsoft (by accident or otherwise) is making similar changes.

I can only suggest you upgrade to AD.

Rowland
On Tue, 2018-10-16 at 20:55 +0100, Rowland Penny via samba wrote:
> On Tue, 16 Oct 2018 12:13:16 -0700
> Emil Henry via samba <samba at lists.samba.org> wrote:
>> Hello!
>>
>> We have Samba v3 (3.5.10) working against an LDAP server, and need to upgrade to Samba v4 (4.7.1); RHEL 7 supports only v4. Tried multiple configs of the smb.conf (including the old config) without success. Cleaned up smb.conf is below. Also included is the output of a smbclient command on the SMBServer with debug option 10. Hoping that someone can point me in the right direction.
>>
>> Thanks
>>
>> [...]
>
> Hmm, I don't think this is going to work:
>
> negotiated dialect[SMB3_11] against server[localhost]
>
> Try adding:
>
> server max protocol = NT1
> client max protocol = NT1
>
> to smb.conf.
>
> Check that Samba can contact the ldap server.

G'Day Rowland,

The client-side log shows smbclient contacting smbd fine and getting to the session setup, so it isn't the protocol version.

Emil,

The logs we need are from Samba on the server, not smbclient. The use of LDAP by Samba in this configuration is all 'behind' smbd, not related at all to the smbclient call.

eg

[smbclient] <- SMB -> [smbd] <- LDAP -> [slapd]

The use case here is for Samba as a standalone server using an LDAP server for the passdb. This is a rare configuration, almost all users of this mode have Samba as DC so that multiple Samba servers can share the same LDAP backend (even if that functionality is unused). This is because each server has an internal 'domain' if not a DC, and that has a SID, and each LDAP entry can only have one SID.

Do you have multiple servers referring to this backend?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba
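As an added example (not code from this thread or from the Samba project), the following Python script pulls out of an smbclient -d 10 transcript the three facts the replies above turn on: the negotiated dialect Rowland looked at, the NTLMSSP flag words (decoded with the bit values from MS-NLMP, named as Samba prints them), and the absence of any LDAP traffic on the client side that Michal and Andrew both point out. The transcript embedded in it is constructed from the lines quoted earlier in the thread; the field names and the wording of the findings are my own, not Samba's.

```python
"""Decode the security-relevant facts in an smbclient -d 10 transcript.
Added example; not Samba project code. SAMPLE is constructed from the
lines quoted in the thread."""
import re

# NTLMSSP NegotiateFlags bit values (MS-NLMP 2.2.2.5), named as Samba prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000040: "NTLMSSP_NEGOTIATE_DATAGRAM",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000100: "NTLMSSP_NEGOTIATE_NETWARE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00000400: "NTLMSSP_NEGOTIATE_NT_ONLY",
    0x00000800: "NTLMSSP_ANONYMOUS",
    0x00001000: "NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00004000: "NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00040000: "NTLMSSP_TARGET_TYPE_SHARE",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x00400000: "NTLMSSP_REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def decode_flags(word):
    """Names of the flags set in a NegotiateFlags word, lowest bit first."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if word & bit]


def _hex_after(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1), 16) if m else None


def parse_transcript(text):
    """Extract dialect, NTLMSSP flag words, final status and LDAP activity."""
    dialect = re.search(r"negotiated dialect\[(\w+)\]", text)
    status = re.search(r"session setup failed: (NT_STATUS_\w+)", text)
    # "doing parameter ldap ..." lines are smb.conf parsing, not directory traffic.
    ldap_lines = [l for l in text.splitlines()
                  if "ldap" in l.lower() and "doing parameter" not in l]
    return {
        "dialect": dialect.group(1) if dialect else None,
        "negotiate_flags": _hex_after(r"NegotiateFlags\s*:\s*(0x[0-9a-fA-F]+)", text),
        "challenge_flags": _hex_after(
            r"Got challenge flags:\s*Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)", text),
        "status": status.group(1) if status else None,
        "ldap_lines": len(ldap_lines),
    }


def diagnose(info):
    """Turn the parsed facts into the observations made in the thread (my wording)."""
    findings = []
    if info["dialect"] and info["dialect"].startswith(("SMB2", "SMB3")):
        findings.append(f"dialect {info['dialect']} was negotiated, so the SMB "
                        "protocol level is not what blocks the logon")
    chal = decode_flags(info["challenge_flags"] or 0)
    if "NTLMSSP_TARGET_TYPE_SERVER" in chal and "NTLMSSP_TARGET_TYPE_DOMAIN" not in chal:
        findings.append("the challenge sets TARGET_TYPE_SERVER: smbd answers as a "
                        "standalone server, not as a domain")
    if info["status"] == "NT_STATUS_LOGON_FAILURE" and info["ldap_lines"] == 0:
        findings.append("logon rejected by smbd and no LDAP traffic in the client log: "
                        "the passdb lookup runs inside smbd, so read smbd's own log "
                        "and capture LDAP between smbd and the directory")
    return findings


# Constructed transcript: the lines from the thread's smbclient -d 10 output that matter.
SAMPLE = """\
doing parameter ldap ssl = off
doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
session request ok
negotiated dialect[SMB3_11] against server[localhost]
negotiate: struct NEGOTIATE_MESSAGE
    NegotiateFlags           : 0x62088215 (1644724757)
Got challenge flags:
Got NTLMSSP neg_flags=0x628a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088215
SPNEGO login failed: The attempted logon is invalid.
session setup failed: NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    info = parse_transcript(SAMPLE)
    print("challenge flags:", ", ".join(decode_flags(info["challenge_flags"])))
    for finding in diagnose(info):
        print("-", finding)
```

Run it against a real capture with `python3 smbclient_debug.py < transcript.txt` after replacing SAMPLE with `sys.stdin.read()`; on the transcript above it reproduces the flag names Samba printed for 0x628a8215 and 0x62088215 and reports that the failure has to be traced on the smbd side.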