samba - Oct 2019 - NT_STATUS_LOGON_FAILURE

Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues. I've
tried
all the fixes I could find to no avail.
My environment:  Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1, bound
to AD via Realmd. SSSD for ACL's, winbind for user map.

Installed packages:  nano, ntpdate, ntp, realmd, sssd, sssd-tools,
sssd-winbind-idmap,
samba-winbind, adcli, oddjob, oddjob-mkhomedir, policycoreutils-python, samba,
samba-client samba-common, samba-common-tools

Current iteration of the smb.conf:
[global]
client signing = if_required
domain master = No
local master = No
log file = /var/log/samba/%m
log level = 5
map to guest = Bad User
ntlm auth = ntlmv1-permitted #also tried without this; same result
preferred master = No
realm = <domain.url>
security = ADS
winbind use default domain = Yes
workgroup = <domain>
idmap config * : range = 100000-199999
idmap config <domain>:schema_mode = rfc2307
idmap config <domain>:range = 200000-214748647
idmap config <domain>:backend = sss
idmap config * : backend = tdb

[SHARES]
guest ok = Yes
map acl inherit = Yes
path = /media/usb/SHARES
read only = No
vfs objects = acl_xattr
acl_xattr:ignore system acls = Yes

What does work:
  -SSH connection from another Cent7 using my domain creds.
  -Connecting to the share from another Cent7 using my domain creds (ACLs
are messed up but that's another issue)
  -Connection to the share from Win10 using server hostname\root

What doesn't work is connecting to the share from Win10 using my domain
creds. I get an "incorrect password" error. Samba log shows:
../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [user_name]
FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
Human readable:  Auth: [SMB2,(null)] user [domain]\[username] at [Tue, 22
Oct 2019 13:19:40.290329 MDT] with [NTLMv1] status
[NT_STATUS_LOGON_FAILURE] workstation [hostname] remote host
[ipv4:IPaddr:59691] mapped to [domain]\[username]

Thanks!
Tim

-- 
E-Mail to and from me, in connection with the transaction
of public 
business, is subject to the Wyoming Public Records
Act and may be disclosed 
to third parties.

On 22/10/2019 22:18, Timothy Brewer via samba wrote:
> Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues.
I've tried
> all the fixes I could find to no avail.
> My environment:  Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1, bound
> to AD via Realmd. SSSD for ACL's, winbind for user map.
Sorry but from Samba 4.8.0 the use of sssd with winbind is not 
supported, this is because from 4.8.0 you must run winbind if using 
'security = ADS' and the two interfere with one another.

Just remove sssd and everything should work after you replace 'backend = 
sss' with 'backend = ad' and add 'idmap config
<domain>:unix_nss_info = yes'

Rowland

Hi,
I disabled SSSD and made the suggested changes to my smb.conf. Now Win10
says "Windows cannot access <path>". I can no longer ssh to the
server -
permission denied error.


On Wed, Oct 23, 2019 at 1:35 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 22/10/2019 22:18, Timothy Brewer via samba wrote:
> > Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues.
I've
> tried
> > all the fixes I could find to no avail.
> > My environment:  Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1,
bound
> > to AD via Realmd. SSSD for ACL's, winbind for user map.
>
> Sorry but from Samba 4.8.0 the use of sssd with winbind is not
> supported, this is because from 4.8.0 you must run winbind if using
> 'security = ADS' and the two interfere with one another.
>
> Just remove sssd and everything should work after you replace 'backend
> sss' with 'backend = ad' and add 'idmap config
<domain>:unix_nss_info > yes'
>
> Rowland
>
-- 
E-Mail to and from me, in connection with the transaction
of public 
business, is subject to the Wyoming Public Records
Act and may be disclosed 
to third parties.