On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:
> Hi Andrew!
>
> I am not 100% sure that the password is correct. I was told that it
> was changed to the one I am testing. But, when I try the old
> password, I get a different error message (NT_STATUS_INVALID_SID). I
> will attach the output.

Then it is the old password, and you have other issues you need to sort
out.

Again, the server-side log will show more about what is wrong, but look
up the error message, it typically means your primary group ID is
mapped incorrectly in idmap.

> I added the 'ntlm auth = yes' to the smb.conf. How would I change the
> client?

The client uses the smb.conf on the host it runs on. But the above
suggests that the issue was just a wrong password.

> The version of Samba that we are running is 4.7.1, which is the latest
> version that is available in the yum repository.

OK, I must have mis-read that.

Sorry,

Andrew Bartlett

> Thanks.
>
> [root@SMBServer ~]# smbclient //localhost/share -U johndoe -d 10
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
>   auth_audit: 10
>   auth_json_audit: 10
>   kerberos: 10
>   drs_repl: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
>   tevent: 10
>   auth_audit: 10
>   auth_json_audit: 10
>   kerberos: 10
>   drs_repl: 10
> Processing section "[global]"
> doing parameter security = user
> doing parameter ldap user suffix = ou=people
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap ssl = off
> doing parameter ldap passwd sync = yes
> doing parameter ldap delete dn = no
> doing parameter workgroup = example.com
> doing parameter server string = "Samba Drives"
> doing parameter netbios name = SMBServer
> doing parameter log file = /var/log/samba/log.%m
> doing parameter log level = 5
> doing parameter max log size = 50
> doing parameter ldap suffix = "o=EXAMPLE"
> doing parameter ldap admin dn = "cn=PUser,ou=Proxies,ou=Auth,o=EXAMPLE"
> doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
> doing parameter ntlm auth = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface enp7s0f1 ip=192.168.2.122 bcast=192.168.2.255 netmask=255.255.255.0
> added interface virbr0 ip=192.168.122.1 bcast=192.168.122.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="SMBServer"
> Client started (version 4.7.1).
> Opening cache file at /var/lib/samba/gencache.tdb
> Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
> Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Wed Dec 31 04:00:00 PM 1969 PST] (-1539746033 seconds in the past)
> sitename_fetch: No stored sitename for realm ''
> internal_resolve_name: looking up localhost#20 (sitename (null))
> name localhost#20 found.
> remove_duplicate_addrs2: looking for duplicate address/port pairs
> Connecting to 127.0.0.1 at port 445
> Socket options:
>   SO_KEEPALIVE = 0
>   SO_REUSEADDR = 0
>   SO_BROADCAST = 0
>   TCP_NODELAY = 1
>   TCP_KEEPCNT = 9
>   TCP_KEEPIDLE = 7200
>   TCP_KEEPINTVL = 75
>   IPTOS_LOWDELAY = 0
>   IPTOS_THROUGHPUT = 0
>   SO_REUSEPORT = 0
>   SO_SNDBUF = 2626560
>   SO_RCVBUF = 1061296
>   SO_SNDLOWAT = 1
>   SO_RCVLOWAT = 1
>   SO_SNDTIMEO = 0
>   SO_RCVTIMEO = 0
>   TCP_QUICKACK = 1
>   TCP_DEFER_ACCEPT = 0
> session request ok
> negotiated dialect[SMB3_11] against server[localhost]
> got OID=1.3.6.1.4.1.311.2.2.10
> Enter EXAMPLE.COM\johndoe's password:
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> negotiate: struct NEGOTIATE_MESSAGE
>   Signature : 'NTLMSSP'
>   MessageType : NtLmNegotiate (1)
>   NegotiateFlags : 0x62088215 (1644724757)
>     1: NTLMSSP_NEGOTIATE_UNICODE
>     0: NTLMSSP_NEGOTIATE_OEM
>     1: NTLMSSP_REQUEST_TARGET
>     1: NTLMSSP_NEGOTIATE_SIGN
>     0: NTLMSSP_NEGOTIATE_SEAL
>     0: NTLMSSP_NEGOTIATE_DATAGRAM
>     0: NTLMSSP_NEGOTIATE_LM_KEY
>     0: NTLMSSP_NEGOTIATE_NETWARE
>     1: NTLMSSP_NEGOTIATE_NTLM
>     0: NTLMSSP_NEGOTIATE_NT_ONLY
>     0: NTLMSSP_ANONYMOUS
>     0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
>     0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
>     0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
>     1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>     0: NTLMSSP_TARGET_TYPE_DOMAIN
>     0: NTLMSSP_TARGET_TYPE_SERVER
>     0: NTLMSSP_TARGET_TYPE_SHARE
>     1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>     0: NTLMSSP_NEGOTIATE_IDENTIFY
>     0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
>     0: NTLMSSP_NEGOTIATE_TARGET_INFO
>     1: NTLMSSP_NEGOTIATE_VERSION
>     1: NTLMSSP_NEGOTIATE_128
>     1: NTLMSSP_NEGOTIATE_KEY_EXCH
>     0: NTLMSSP_NEGOTIATE_56
>   DomainNameLen : 0x0000 (0)
>   DomainNameMaxLen : 0x0000 (0)
>   DomainName : *
>     DomainName : ''
>   WorkstationLen : 0x0000 (0)
>   WorkstationMaxLen : 0x0000 (0)
>   Workstation : *
>     Workstation : ''
>   Version: struct ntlmssp_VERSION
>     ProductMajorVersion : NTLMSSP_WINDOWS_MAJOR_VERSION_6 (6)
>     ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_1 (1)
>     ProductBuild : 0x0000 (0)
>     Reserved: ARRAY(3)
>       [0] : 0x00 (0)
>       [1] : 0x00 (0)
>       [2] : 0x00 (0)
>     NTLMRevisionCurrent : NTLMSSP_REVISION_W2K3 (15)
> Got challenge flags:
> Got NTLMSSP neg_flags=0x628a8215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_TARGET_TYPE_SERVER
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_TARGET_INFO
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> short string '', sent with NULL termination despite NOTERM flag in IDL
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>   NTLMSSP_NEGOTIATE_VERSION
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: Indicates the SID structure is not valid.
> session setup failed: NT_STATUS_INVALID_SID
>
>
> On Tue, Oct 16, 2018 at 5:39 PM Andrew Bartlett <abartlet at samba.org> wrote:
> > On Tue, 2018-10-16 at 15:18 -0700, Emil Henry wrote:
> > > Hi Andrew!
> > >
> > > I included it in one response, but may have not done a Reply All. Am resending it.
> > >
> > > Thanks.
> >
> > It is reading the hashes, so it looks like it is working. Dumb
> > question, but are you really sure the password is right?
> >
> > Otherwise, it might be some very odd NTLMv2 thing. Try (on the client)
> > 'client ntlmv2 auth = no' and 'ntlm auth = yes' (on the server) just to
> > rule that out.
> >
> > Also please try with Samba 4.9, Samba 4.1 is very old and there may be
> > something else we have fixed.
> >
> > Thanks,
> >
> > Andrew Bartlett
> >
>
--
Andrew Bartlett                           https://samba.org/~abartlet/
Authentication Developer, Samba Team      https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
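
The 'ntlm auth = yes' and 'client ntlmv2 auth = no' settings in the message above were suggested only to rule NTLMv2 out, and the quoted debug output shows 'ldap ssl = off' in front of an ldapsam backend. The following is an added example, not part of the thread and not a Samba tool: it re-reads the "doing parameter" lines of such a debug dump and lists the settings that are still relaxed, so they can be reverted once the fault is found. The rule set and the function names are this example's own choices.

```python
import re

# Constructed sample: "doing parameter" lines in the form the quoted
# smbclient -d 10 output prints them (values copied from that output).
SAMPLE_DEBUG = """\
> Processing section "[global]"
> doing parameter security = user
> doing parameter ldap ssl = off
> doing parameter passdb backend = ldapsam:ldap://ldapserver.example.com
> doing parameter ntlm auth = yes
"""

PARAM = re.compile(r"doing parameter\s+([^=\n]+?)[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)
ON = {"yes", "true", "on", "1"}      # spellings Samba accepts for "enabled"
OFF = {"no", "false", "off", "0"}    # spellings Samba accepts for "disabled"


def parse_params(debug_text):
    """Collect the last value seen for each parameter, names lower-cased."""
    params = {}
    for name, value in PARAM.findall(debug_text):
        params[" ".join(name.lower().split())] = value.strip('"')
    return params


def audit(debug_text):
    """Return (parameter, value, reason) for each relaxed setting found.

    The checks are assumptions of this example, chosen from the settings
    that appear in the thread.
    """
    p = parse_params(debug_text)
    findings = []
    ntlm = p.get("ntlm auth", "").lower()
    if ntlm in ON or ntlm == "ntlmv1-permitted":
        findings.append(("ntlm auth", p["ntlm auth"],
                         "server accepts NTLMv1 responses"))
    if p.get("client ntlmv2 auth", "").lower() in OFF:
        findings.append(("client ntlmv2 auth", p["client ntlmv2 auth"],
                         "clients on this host send NTLMv1 instead of NTLMv2"))
    backend = p.get("passdb backend", "").lower()
    if backend.startswith("ldapsam:ldap://") and p.get("ldap ssl", "").lower() in OFF:
        findings.append(("ldap ssl", p["ldap ssl"],
                         "ldapsam bind and password hashes cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(SAMPLE_DEBUG):
        print(f"{name} = {value}: {reason}")
```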
Hi Andrew!

Really appreciate the clarification and help. Understood about the
password. I have attached the log.127.0.0.1 with the "correct"
password being used. I do see entries in that log for the Primary
Group of 0. Not sure where I would need to make the change. Any
guidance would be really appreciated. Have been fighting this for the
last 3 weeks. :-(

Thanks.

On Tue, Oct 16, 2018 at 8:36 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2018-10-16 at 20:20 -0700, Emil Henry wrote:
> > Hi Andrew!
> >
> > I am not 100% sure that the password is correct. I was told that it
> > was changed to the one I am testing. But, when I try the old
> > password, I get a different error message (NT_STATUS_INVALID_SID). I
> > will attach the output.
>
> Then it is the old password, and you have other issues you need to sort
> out.
>
> Again, the server-side log will show more about what is wrong, but look
> up the error message, it typically means your primary group ID is
> mapped incorrectly in idmap.
>
> > I added the 'ntlm auth = yes' to the smb.conf. How would I change the
> > client?
>
> The client uses the smb.conf on the host it runs on. But the above
> suggests that the issue was just a wrong password.
>
> > The version of Samba that we are running is 4.7.1, which is the latest
> > version that is available in the yum repository.
>
> OK, I must have mis-read that.
>
> Sorry,
>
> Andrew Bartlett
>
> > Thanks.
On Tue, 16 Oct 2018 20:49:06 -0700 Emil Henry <hbcsc153 at gmail.com> wrote:
> Hi Andrew!
>
> Really appreciate the clarification and help. Understood about the
> password. I have attached the log.127.0.0.1 with the "correct"
> password being used. I do see entries in that log for the Primary
> Group of 0. Not sure where I would need to make the change. Any
> guidance would be really appreciated. Have been fighting this for the
> last 3 weeks. :-(
>

Hi Andrew, if it walks like a duck and quacks like a duck, it very
probably is a duck ;-)

Even though testparm says it is a 'standalone server', it seems to be
acting like a PDC:

[2018/10/16 20:13:57.961606,  5] ../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [johndoe]!
[2018/10/16 20:13:57.961629,  1] ../source3/auth/server_info.c:415(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-923346016-1987626460-2483480028-513) does not match the domain sid(S-1-5-21-3818469484-4016774546-4239961019) for johndoe(S-1-5-21-3818469484-4016774546-4239961019-108752)
[2018/10/16 20:13:57.961672,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2018/10/16 20:13:57.961694,  0] ../source3/auth/check_samsec.c:493(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INVALID_SID'
[2018/10/16 20:13:57.961867,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: sam_ignoredomain authentication for user [johndoe] FAILED with error NT_STATUS_INVALID_SID, authoritative=1
[2018/10/16 20:13:57.961890,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [johndoe] -> [johndoe] FAILED with error NT_STATUS_INVALID_SID, authoritative=1

The user 'johndoe' seems to be rejected because it has the wrong SID.

Are the other machines in a Domain or workgroup?

Rowland
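
The level-1 log entry quoted in the message above names three SIDs. The following is an added example, not part of the thread and not Samba code: it parses that entry, splits each SID into its domain part and RID, and repeats the comparison the entry reports, which shows that the account SID already sits in the logged domain and only the primary group SID carries a different one. The function names are chosen for this example.

```python
import re

# Constructed sample: the level-1 entry from the server log quoted above.
SAMPLE_LOG = (
    "[2018/10/16 20:13:57.961629,  1] ../source3/auth/server_info.c:415(SamInfo3_handle_sids)\n"
    "  The primary group domain sid(S-1-5-21-923346016-1987626460-2483480028-513) "
    "does not match the domain sid(S-1-5-21-3818469484-4016774546-4239961019) "
    "for johndoe(S-1-5-21-3818469484-4016774546-4239961019-108752)\n"
)

SID = r"S-1(?:-\d+)+"
MISMATCH = re.compile(
    rf"primary group domain sid\(({SID})\) does not match the domain sid\(({SID})\)"
    rf" for ([^\s(]+)\(({SID})\)"
)


def split_sid(sid):
    """Return (domain_sid, rid): everything before the last dash, and the RID."""
    if not re.fullmatch(SID, sid) or sid.count("-") < 4:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def diagnose(user_sid, group_sid, logged_domain_sid):
    """Compare the domain parts of both SIDs with the domain SID in the log."""
    user_domain, user_rid = split_sid(user_sid)
    group_domain, group_rid = split_sid(group_sid)
    return {
        "user_rid": user_rid,
        "user_in_logged_domain": user_domain == logged_domain_sid,
        "group_domain": group_domain,
        "group_rid": group_rid,
        "group_in_logged_domain": group_domain == logged_domain_sid,
    }


def find_mismatches(log_text):
    """Return one finding per primary-group mismatch entry in the log text."""
    findings = []
    for m in MISMATCH.finditer(log_text):
        group_sid, domain_sid, user, user_sid = m.groups()
        finding = {"user": user, "user_sid": user_sid,
                   "group_sid": group_sid, "logged_domain_sid": domain_sid}
        finding.update(diagnose(user_sid, group_sid, domain_sid))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        where = "inside" if f["user_in_logged_domain"] else "outside"
        print(f"{f['user']}: account SID is {where} {f['logged_domain_sid']}")
        print(f"  primary group RID {f['group_rid']} belongs to {f['group_domain']}")
```

For the quoted entry it reports a primary group with RID 513, the well-known Domain Users RID, under a domain SID other than the account's.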
On Wed, 17 Oct 2018 06:12:44 -0700 Emil Henry <hbcsc153 at gmail.com> wrote:
> Hi Rowland!
>
> All the Windows machines are part of a domain. How would I fix the SID
> issue without breaking the existing Samba v3 install (someone else's
> Samba server)?
>

The obvious thing to do would be to turn the standalone server into a
Unix domain member and join this to the domain, this way you wouldn't
need the ldap server.
But you might use the ldap for something else, such as a mailserver.

Rowland
Hi Rowland,

We need to work with the LDAP server, as we need the UNIX info for the NFS servers.

Thanks.

On Wed, Oct 17, 2018 at 6:26 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 17 Oct 2018 06:12:44 -0700
> Emil Henry <hbcsc153 at gmail.com> wrote:
>
> > Hi Rowland!
> >
> > All the Windows machines are part of a domain. How would I fix the SID
> > issue without breaking the existing Samba v3 install (someone else's
> > Samba server)?
> >
>
> The obvious thing to do would be to turn the standalone server into a
> Unix domain member and join this to the domain, this way you wouldn't
> need the ldap server.
> But you might use the ldap for something else, such as a mailserver.
>
> Rowland