Goetz, Patrick G
2019-Jun-14 23:15 UTC
[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
OK, At a loss for what to try next.
According to this page, it should be possible to make this work:
http://www.hexblot.com/blog/centos-7-active-directory-and-samba
However, I can't get AD users to authenticate when I run
net use * \\cns-cryo-road1\my_share /user:austin\pgoetz
Authenticating via ssh, su, or from the console using the same AD
UserName is not a problem.
It seems like the relevant smb.conf keys here are:
security = user|ads
server role = auto
I've been leaving server-role set at auto (assuming this will do the
right thing).
When I set security=user and turn up debugging to 10, I see this in the
log file:
---------------------------------------
[2019/06/14 17:34:58.892367, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:34:58.892385, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
[2019/06/14 17:34:58.892644, 5, pid=5112, effective(0, 0), real(0, 0),
class=passdb] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_pgoetz
[2019/06/14 17:34:58.892678, 4, pid=5112, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/06/14 17:34:58.892697, 3, pid=5112, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/check_samsec.c:399(check_sam_security)
check_sam_security: Couldn't find user 'pgoetz' in passdb.
---------------------------------------
Yes, of course. There is no passdb, this is a domain user. Further the
"check_ntlm_password" seems to be indicative of attempting to use NTLM,
which won't work with AD. Also, I have netbios turned off:
disable netbios = yes
OK, so I change to security=ads, but get similar stuff in the
resulting log file:
---------------------------------------
[2019/06/14 17:49:17.067591, 3, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:49:17.067616, 3, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
auth_check_ntlm_password: winbind authentication for user [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184022, 2, pid=5252, effective(0, 0), real(0, 0),
class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184060, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019
17:49:17.184047 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS]
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:34782]
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 17:49:17.184212, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp":
"2019-06-14T17:49:17.184116-0500",
"type": "Authentication", "Authentication":
{"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_NO_LOGON_SERVERS", "localAddress":
"ipv4:146.6.73.197:445", "remoteAddress":
"ipv4:128.83.133.100:34782",
"serviceDescription": "SMB2", "authDescription":
null, "clientDomain":
"austin", "clientAccount": "pgoetz",
"workstation": "CNS-VM-PGOETZ1",
"becameAccount": null, "becameDomain": null,
"becameSid": "(NULL SID)",
"mappedAccount": "pgoetz", "mappedDomain":
"austin", "netlogonComputer":
null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 17:49:17.184275, 5, pid=5252, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
Checking NTLMSSP password for austin\pgoetz failed:
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184302, 5, pid=5252, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 17:49:17.184328, 2, pid=5252, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------
Why is it trying to use NTLMv2 and looking for NT logon servers when I
specified security=ads?
So, question: it seems some people have this working: mind sharing the
relevant parts of your smb.conf files? I must have some parameter set
wrong, I just can't figure out what it is.
OK, just for fun tried:
security=auto
server role = member server
and it's still trying to do NT authentication!
---------------------------------------
check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz]
FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278208, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019
18:12:19.278194 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS]
workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:36182]
mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 18:12:19.278369, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/auth_log.c:220(log_json)
JSON Authentication: {"timestamp":
"2019-06-14T18:12:19.278263-0500",
"type": "Authentication", "Authentication":
{"version": {"major": 1,
"minor": 0}, "status":
"NT_STATUS_NO_LOGON_SERVERS", "localAddress":
"ipv4:146.6.73.197:445", "remoteAddress":
"ipv4:128.83.133.100:36182",
"serviceDescription": "SMB2", "authDescription":
null, "clientDomain":
"austin", "clientAccount": "pgoetz",
"workstation": "CNS-VM-PGOETZ1",
"becameAccount": null, "becameDomain": null,
"becameSid": "(NULL SID)",
"mappedAccount": "pgoetz", "mappedDomain":
"austin", "netlogonComputer":
null, "netlogonTrustAccount": null,
"netlogonNegotiateFlags":
"0x00000000", "netlogonSecureChannelType": 0,
"netlogonTrustAccountSid":
"(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 18:12:19.278415, 5, pid=5407, effective(0, 0), real(0, 0)]
../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
Checking NTLMSSP password for austin\pgoetz failed:
NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278440, 5, pid=5407, effective(0, 0), real(0, 0)]
../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for
austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 18:12:19.278467, 2, pid=5407, effective(0, 0), real(0, 0)]
../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------
Totally at a loss. Did Canonical ship an absolutely broken version of
Samba in an LTS?!
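An added example, not part of the post and not Samba project code: a small triage script that pulls the "JSON Authentication:" records out of an smbd log like the ones above, even when the JSON has been wrapped across lines, and counts failed NTLM logons per account, client host and status. The sample log, the account names and the function names are constructed for illustration; only the field names come from the records shown in the post.

```python
import json
from collections import Counter

MARKER = "JSON Authentication:"
# Constructed sample (not the post's data), wrapped mid-record like the mailed logs.
SAMPLE_LOG = """\
JSON Authentication: {"type": "Authentication", "Authentication": {"status":
"NT_STATUS_NO_LOGON_SERVERS", "remoteAddress": "ipv4:192.0.2.10:34782",
"clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
JSON Authentication: {"type": "Authentication", "Authentication": {"status":
"NT_STATUS_NO_LOGON_SERVERS", "remoteAddress": "ipv4:192.0.2.10:36182",
"clientDomain": "EXAMPLE", "clientAccount": "alice", "passwordType": "NTLMv2"}}
JSON Authentication: {"type": "Authentication", "Authentication": {"status":
"NT_STATUS_OK", "remoteAddress": "ipv4:198.51.100.5:40000",
"clientDomain": "EXAMPLE", "clientAccount": "bob", "passwordType": "NTLMv2"}}
"""

def extract_auth_events(log_text):
    """Return the "Authentication" object of each JSON Authentication record."""
    decoder = json.JSONDecoder(strict=False)  # tolerate a wrap inside a string
    events, pos = [], 0
    while (idx := log_text.find(MARKER, pos)) != -1:
        pos = idx + len(MARKER)
        start = log_text.find("{", pos)
        if start == -1:
            break
        try:
            record, pos = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            continue  # truncated record: move on to the next marker
        if isinstance(record, dict) and isinstance(record.get("Authentication"), dict):
            events.append(record["Authentication"])
    return events

def remote_host(addr):  # 'ipv4:192.0.2.10:34782' -> '192.0.2.10'
    return addr.split(":", 1)[1].rsplit(":", 1)[0] if addr and addr.count(":") > 1 else "unknown"

def failed_ntlm_logons(events):
    """Count failed NTLM logons per (DOMAIN\\account, client host, status)."""
    counts = Counter()
    for a in events:
        ntlm = str(a.get("passwordType", "")).startswith("NTLM")
        if ntlm and a.get("status") != "NT_STATUS_OK":
            who = f'{a.get("clientDomain")}\\{a.get("clientAccount")}'
            counts[(who, remote_host(a.get("remoteAddress")), a.get("status"))] += 1
    return counts

if __name__ == "__main__":
    print(failed_ntlm_logons(extract_auth_events(SAMPLE_LOG)).most_common())
```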
Rowland Penny
2019-Jun-15 10:15 UTC
[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
On 15/06/2019 00:15, Goetz, Patrick G via samba wrote:
> OK, At a loss for what to try next.
>
> According to this page, it should be possible to make this work:
>
> http://www.hexblot.com/blog/centos-7-active-directory-and-samba
>
> However, I can't get AD users to authenticate when I run
>
> net use * \\cns-cryo-road1\my_share /user:austin\pgoetz
Patrick, as far as I am aware, using sssd with Samba <= 4.7.x should work. However, as I have said numerous times, we do not produce sssd. This means that we cannot provide support for it, sorry if this isn't what you wanted to hear, can I suggest asking on the sssd-users mailing list for help.
Rowland