Hi, I disabled SSSD and made the suggested changes to my smb.conf. Now Win10 says "Windows cannot access <path>". I can no longer ssh to the server - permission denied error.

On Wed, Oct 23, 2019 at 1:35 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 22/10/2019 22:18, Timothy Brewer via samba wrote:
> > Like so many others, I'm having NT_STATUS_LOGON_FAILURE issues. I've tried all the fixes I could find to no avail.
> > My environment: Cent 7 (Linux 4.19.72-v7l.1.el7) with Samba 4.9.1, bound to AD via Realmd. SSSD for ACLs, winbind for user map.
>
> Sorry, but from Samba 4.8.0 the use of sssd with winbind is not supported. This is because from 4.8.0 you must run winbind if using 'security = ADS', and the two interfere with one another.
>
> Just remove sssd and everything should work after you replace 'backend sss' with 'backend = ad' and add 'idmap config <domain>:unix_nss_info yes'
>
> Rowland

--
E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.
On 23/10/2019 16:16, Timothy Brewer via samba wrote:
> Hi,
> I disabled SSSD and made the suggested changes to my smb.conf. Now Win10 says "Windows cannot access <path>". I can no longer ssh to the server - permission denied error.
>

OK, have you added any uidNumber & gidNumber attributes to AD? If so, your 'idmap config' block (based on what you posted earlier) should be:

    idmap config * : backend = tdb
    idmap config * : range = 1000-2000
    idmap config SAMBADOM : backend = ad
    idmap config SAMBADOM : range = 10000-600000
    idmap config SAMBADOM : schema_mode = rfc2307
    idmap config SAMBADOM : unix_nss_info = yes
    idmap config SAMBADOM : unix_primary_group = yes

Just as long as the uidNumber & gidNumber attributes contain numbers inside the '10000-600000' range AND 'Domain Users' has a gidNumber.

If you haven't added any uidNumber & gidNumber attributes, then you need to use this:

    idmap config * : backend = tdb
    idmap config * : range = 1000-2000
    idmap config SAMBADOM : backend = rid
    idmap config SAMBADOM : range = 10000-600000

You would need to run 'net cache flush'.

I would also test the join with 'net ads testjoin'.

Rowland
Hi,

Since I don't have access to AD to add uidNumber & gidNumber attributes, I used the second idmap config set. I also reverified the net ads testjoin - Join is OK. Still can't ssh from domain accounts and can't *write to* the share from Win10 or Cent, but I *can* now see into it from Win10 or Cent. I think my remaining issues are outside Samba, but suggestions/advice still welcome.

Reposting my current smb.conf for future use:

    # Global parameters
    [global]
            client signing = if_required
            local master = No
            log file = /var/log/samba/%m
            map to guest = Bad User
            preferred master = No
            realm = <domain.url>
            security = ADS
            template shell = /sbin/nologin
            winbind use default domain = Yes
            workgroup = <domain>
            idmap config <domain>:backend = rid
            idmap config <domain>:unix_nss_info = yes
            idmap config <domain>:range = 10000-600000
            idmap config * : range = 1000-2000
            idmap config * : backend = tdb

    [SHARES]
            guest ok = Yes
            map acl inherit = Yes
            path = /media/usb/SHARES
            read only = No
            vfs objects = acl_xattr
            acl_xattr:ignore system acls = Yes

On Wed, Oct 23, 2019 at 9:44 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 23/10/2019 16:16, Timothy Brewer via samba wrote:
> > Hi,
> > I disabled SSSD and made the suggested changes to my smb.conf. Now Win10 says "Windows cannot access <path>". I can no longer ssh to the server - permission denied error.
> >
>
> OK, have you added any uidNumber & gidNumber attributes to AD? If so, your 'idmap config' block (based on what you posted earlier) should be:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-2000
>     idmap config SAMBADOM : backend = ad
>     idmap config SAMBADOM : range = 10000-600000
>     idmap config SAMBADOM : schema_mode = rfc2307
>     idmap config SAMBADOM : unix_nss_info = yes
>     idmap config SAMBADOM : unix_primary_group = yes
>
> Just as long as the uidNumber & gidNumber attributes contain numbers inside the '10000-600000' range AND 'Domain Users' has a gidNumber.
>
> If you haven't added any uidNumber & gidNumber attributes, then you need to use this:
>
>     idmap config * : backend = tdb
>     idmap config * : range = 1000-2000
>     idmap config SAMBADOM : backend = rid
>     idmap config SAMBADOM : range = 10000-600000
>
> You would need to run 'net cache flush'.
>
> I would also test the join with 'net ads testjoin'.
>
> Rowland

--
Tim Brewer
Field Services Tech - ETS FS region 2
Wyoming Department of Enterprise Technology Services
2020 Grand Ave.
Laramie, WY 82070
tim.brewer at wyo.gov
website: ets.wyo.gov
Support: 307-777-5000
Direct Line: 307-343-3183
Ensuring Wyoming has trailblazing technology to meet tomorrow's challenges while delivering the finest in business services today.
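The two idmap layouts Rowland suggests and the smb.conf reposted above share a few mechanical rules: every domain (including the '*' default) needs a backend and a range, each range must read LOW-HIGH with LOW below HIGH, and the ranges of different domains must not overlap, or winbind cannot map SIDs to unique Unix ids. The script below is an added example written for this page, not Samba project code and not from anyone in the thread. It parses the 'idmap config' lines out of an smb.conf and reports violations of those rules; it also notes when 'unix_nss_info' is set on a domain whose backend is not 'ad', since that option belongs to idmap_ad and is ignored by the rid backend. The three sample configs are constructed from the thread (the poster's '<domain>' placeholder is kept as-is) plus one deliberately broken variant.

```python
"""Consistency checker for the 'idmap config' lines of an smb.conf.

Rules checked (from the thread above):
  * a '*' default domain block exists
  * every domain has a backend and a range
  * a range reads LOW-HIGH with LOW < HIGH
  * ranges of different domains do not overlap
  * 'unix_nss_info' is only meaningful with 'backend = ad' (idmap_ad option)
Added example; not part of Samba or of the mailing-list thread.
"""
import re
from typing import Dict, List, Tuple

# One 'idmap config DOMAIN : option = value' line; DOMAIN may be '*'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    idmap: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()  # domain names are case-insensitive
        idmap.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return idmap


def parse_range(val: str) -> Tuple[int, int]:
    """Turn '10000-600000' (spaces tolerated) into (10000, 600000)."""
    lo, hi = val.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap config is consistent."""
    problems: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    idmap = parse_idmap(conf)
    if "*" not in idmap:
        problems.append("missing 'idmap config * :' default domain block")
    for dom, opts in sorted(idmap.items()):
        backend = opts.get("backend", "").lower()
        if not backend:
            problems.append(f"{dom}: no backend set")
        elif backend != "ad" and "unix_nss_info" in opts:
            problems.append(
                f"{dom}: 'unix_nss_info' is an idmap_ad option and is ignored by backend '{backend}'"
            )
        if "range" not in opts:
            problems.append(f"{dom}: no range set")
            continue
        try:
            lo, hi = parse_range(opts["range"])
        except ValueError:
            problems.append(f"{dom}: unparsable range {opts['range']!r}")
            continue
        if lo >= hi:
            problems.append(f"{dom}: range low end {lo} is not below high end {hi}")
            continue
        ranges.append((dom, lo, hi))
    # Overlap check: after sorting by low end, a range collides with its
    # successor if the successor starts at or before this range ends.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return problems


# Constructed sample: the rid-based smb.conf posted in the thread (placeholder kept).
RID_CONF = """
[global]
        security = ADS
        workgroup = <domain>
        idmap config <domain>:backend = rid
        idmap config <domain>:unix_nss_info = yes
        idmap config <domain>:range = 10000-600000
        idmap config * : range = 1000-2000
        idmap config * : backend = tdb
"""

# Constructed sample: the ad-backend block suggested in the thread.
AD_CONF = """
        idmap config * : backend=tdb
        idmap config * : range=1000-2000
        idmap config SAMBADOM : backend = ad
        idmap config SAMBADOM : range = 10000-600000
        idmap config SAMBADOM : schema_mode = rfc2307
        idmap config SAMBADOM : unix_nss_info = yes
        idmap config SAMBADOM : unix_primary_group = yes
"""

# Constructed sample with two defects: overlapping ranges and no domain backend.
BROKEN_CONF = """
        idmap config * : backend = tdb
        idmap config * : range = 1000-20000
        idmap config SAMBADOM : range = 10000-600000
"""

if __name__ == "__main__":
    for name, conf in (("rid", RID_CONF), ("ad", AD_CONF), ("broken", BROKEN_CONF)):
        print(name, check_idmap(conf) or ["ok"])
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`. An empty list is a necessary, not sufficient, condition: the checker cannot tell whether uidNumber/gidNumber values in AD actually fall inside the ad-backend range, which is the extra condition Rowland attaches to the first layout.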
hmm, got called away from this project this afternoon. When I came back, I discovered I am getting almost the same error again:

    ../source3/auth/auth.c:334(auth_check_ntlm_password) check_ntlm_password: Authentication for user [user.name] -> [user.name] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1.

The difference in the error is the username is no longer prefaced with the domain name, which seems to imply that the file server is not joined, except I have flushed the cache and tested the join (Join is ok). My brain is turning to mush...