Goetz, Patrick G
2019-Jun-14 23:15 UTC
[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
OK, At a loss for what to try next.

According to this page, it should be possible to make this work:

http://www.hexblot.com/blog/centos-7-active-directory-and-samba

However, I can't get AD users to authenticate when I run

net use * \\cns-cryo-road1\my_share /user:austin\pgoetz

Authenticating via ssh, su, or from the console using the same AD UserName is not a problem.

It seems like the relevant smb.conf keys here are:

security = user|ads
server role = auto

I've been leaving server-role set at auto (assuming this will do the right thing).

When I set security=user and turn up debugging to 10, I see this in the log file:

---------------------------------------
[2019/06/14 17:34:58.892367, 3, pid=5112, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:34:58.892385, 3, pid=5112, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
[2019/06/14 17:34:58.892644, 5, pid=5112, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_tdb.c:600(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database. Key: USER_pgoetz
[2019/06/14 17:34:58.892678, 4, pid=5112, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2019/06/14 17:34:58.892697, 3, pid=5112, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'pgoetz' in passdb.
---------------------------------------

Yes, of course. There is no passdb, this is a domain user. Further, the "check_ntlm_password" seems to be indicative of attempting to use NTLM, which won't work with AD.

Also, I have netbios turned off:

disable netbios = yes

OK, so I change to security=ads, but get similar stuff in the resulting log file:

---------------------------------------
[2019/06/14 17:49:17.067591, 3, pid=5252, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [austin]\[pgoetz]@[CNS-VM-PGOETZ1] with the new password interface
[2019/06/14 17:49:17.067616, 3, pid=5252, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [austin]\[pgoetz]@[CNS-VM-PGOETZ1]
...
  auth_check_ntlm_password: winbind authentication for user [pgoetz] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184022, 2, pid=5252, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:332(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184060, 2, pid=5252, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019 17:49:17.184047 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:34782] mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 17:49:17.184212, 2, pid=5252, effective(0, 0), real(0, 0)] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-06-14T17:49:17.184116-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress": "ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:34782", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 17:49:17.184275, 5, pid=5252, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
  Checking NTLMSSP password for austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 17:49:17.184302, 5, pid=5252, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 17:49:17.184328, 2, pid=5252, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------

Why is it trying to use NTLMv2 and looking for NT logon servers when I specified security=ads?

So, question: it seems some people have this working: mind sharing the relevant parts of your smb.conf files? I must have some parameter set wrong, I just can't figure out what it is.

OK, just for fun tried:

security=auto
server role = member server

and it's still trying to do NT authentication!

---------------------------------------
  check_ntlm_password: Authentication for user [pgoetz] -> [pgoetz] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278208, 2, pid=5407, effective(0, 0), real(0, 0)] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [austin]\[pgoetz] at [Fri, 14 Jun 2019 18:12:19.278194 CDT] with [NTLMv2] status [NT_STATUS_NO_LOGON_SERVERS] workstation [CNS-VM-PGOETZ1] remote host [ipv4:128.83.133.100:36182] mapped to [austin]\[pgoetz]. local host [ipv4:146.6.73.197:445]
[2019/06/14 18:12:19.278369, 2, pid=5407, effective(0, 0), real(0, 0)] ../auth/auth_log.c:220(log_json)
  JSON Authentication: {"timestamp": "2019-06-14T18:12:19.278263-0500", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 0}, "status": "NT_STATUS_NO_LOGON_SERVERS", "localAddress": "ipv4:146.6.73.197:445", "remoteAddress": "ipv4:128.83.133.100:36182", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "austin", "clientAccount": "pgoetz", "workstation": "CNS-VM-PGOETZ1", "becameAccount": null, "becameDomain": null, "becameSid": "(NULL SID)", "mappedAccount": "pgoetz", "mappedDomain": "austin", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": "(NULL SID)", "passwordType": "NTLMv2"}}
[2019/06/14 18:12:19.278415, 5, pid=5407, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:199(auth3_check_password)
  Checking NTLMSSP password for austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2019/06/14 18:12:19.278440, 5, pid=5407, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:751(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:751: Checking NTLMSSP password for austin\pgoetz failed: NT_STATUS_NO_LOGON_SERVERS
[2019/06/14 18:12:19.278467, 2, pid=5407, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
---------------------------------------

Totally at a loss. Did Canonical ship an absolutely broken version of Samba in an LTS?!
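The "JSON Authentication:" records in log excerpts like the ones above can be extracted and tallied mechanically, which makes it easy to see which accounts fail, with which password type, and with which status. The following is an added example, not part of the original post or of Samba; the function names are hypothetical, and the sample log is constructed with placeholder accounts and addresses.

```python
import json
from collections import Counter

MARKER = "JSON Authentication: "
# Constructed sample in the shape of the records quoted above; accounts and
# addresses are placeholders. The third record is deliberately truncated.
SAMPLE_LOG = (
    '  JSON Authentication: {"type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_NO_LOGON_SERVERS", "serviceDescription": "SMB2", '
    '"remoteAddress": "ipv4:192.0.2.10:34782", "clientDomain": "EXAMPLE", '
    '"clientAccount": "alice", "passwordType": "NTLMv2"}} [next entry on same line]\n'
    '  JSON Authentication: {"type": "Authentication", "Authentication": '
    '{"status": "NT_STATUS_OK", "serviceDescription": "SMB2", '
    '"remoteAddress": "ipv4:192.0.2.11:40000", "clientDomain": "EXAMPLE", '
    '"clientAccount": "bob", "passwordType": "NTLMv2"}}\n'
    '  JSON Authentication: {"type": "Authentication", "Authent\n'
)


def parse_auth_events(log_text):
    """Return the inner "Authentication" object of each JSON audit record."""
    decoder = json.JSONDecoder()
    events = []
    pos = log_text.find(MARKER)
    while pos != -1:
        start = pos + len(MARKER)
        try:
            # raw_decode stops at the object's end; trailing text is ignored.
            record, _ = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            record = None  # truncated or corrupted record: skip it
        if isinstance(record, dict) and record.get("type") == "Authentication":
            events.append(record.get("Authentication") or {})
        pos = log_text.find(MARKER, start)
    return events


def failed_logons(events):
    """Count failures per (domain\\account, passwordType, status)."""
    counts = Counter()
    for ev in events:
        if ev.get("status") != "NT_STATUS_OK":
            who = "{}\\{}".format(ev.get("clientDomain"), ev.get("clientAccount"))
            counts[(who, ev.get("passwordType"), ev.get("status"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in failed_logons(parse_auth_events(SAMPLE_LOG)).items():
        print(n, *key)
```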
Rowland Penny
2019-Jun-15 10:15 UTC
[Samba] Ubuntu 18.04, bound to Windows AD, sssd auth, Samba 4.7.6: Can't get no share satisfaction
On 15/06/2019 00:15, Goetz, Patrick G via samba wrote:
> OK, At a loss for what to try next.
>
> According to this page, it should be possible to make this work:
>
> http://www.hexblot.com/blog/centos-7-active-directory-and-samba
>
> However, I can't get AD users to authenticate when I run
>
> net use * \\cns-cryo-road1\my_share /user:austin\pgoetz

Patrick, as far as I am aware, using sssd with Samba <= 4.7.x should work. However, as I have said numerous times, we do not produce sssd. This means that we cannot provide support for it. Sorry if this isn't what you wanted to hear; can I suggest asking on the sssd-users mailing list for help?

Rowland