Hi,
Since I don't have access to AD to add uidNumber & gidNumber attributes, I
used the second idmap config set. I also reverified the net ads testjoin -
Join is OK.
Still can't ssh from domain accounts and can't *write to* the share from
Win10 or Cent, but I *can* now see into it from Win10 or Cent.
I think my remaining issues are outside Samba, but suggestions/advice still
welcome.
Reposting my current smb.conf for future use:
# Global parameters
[global]
    client signing = if_required
    local master = No
    log file = /var/log/samba/%m
    map to guest = Bad User
    preferred master = No
    realm = <domain.url>
    security = ADS
    template shell = /sbin/nologin
    winbind use default domain = Yes
    workgroup = <domain>
    idmap config <domain>:backend = rid
    idmap config <domain>:unix_nss_info = yes
    idmap config <domain>:range = 10000-600000
    idmap config * : range = 1000-2000
    idmap config * : backend = tdb

[SHARES]
    guest ok = Yes
    map acl inherit = Yes
    path = /media/usb/SHARES
    read only = No
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = Yes

On Wed, Oct 23, 2019 at 9:44 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 23/10/2019 16:16, Timothy Brewer via samba wrote:
> > Hi,
> > I disabled SSSD and made the suggested changes to my smb.conf. Now Win10
> > says "Windows cannot access <path>". I can no longer ssh to the server -
> > permission denied error.
> >
> >
> OK, have you added any uidNumber & gidNumber attributes to AD, if so
> your 'idmap config' block (based on what you posted earlier) should be:
>
> idmap config * : backend=tdb
> idmap config * : range=1000-2000
> idmap config SAMBADOM : backend = ad
> idmap config SAMBADOM : range = 10000-600000
> idmap config SAMBADOM : schema_mode =rfc2307
> idmap config SAMBADOM : unix_nss_info = yes
> idmap config SAMBADOM : unix_primary_group = yes
>
> Just as long as the uidNumber & gidNumber attributes contain numbers
> inside the '10000-600000' range AND 'Domain Users' has a gidNumber
>
> If you haven't added any uidNumber & gidNumber attributes, then you need
> to use this:
>
> idmap config * : backend=tdb
> idmap config * : range=1000-2000
> idmap config SAMBADOM : backend = rid
> idmap config SAMBADOM : range = 10000-600000
>
> You would need to run 'net cache flush'
>
> I would also test the join with 'net ads testjoin'
>
> Rowland
--
Tim Brewer
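
Added example (not part of the original thread and not Samba code): a small check of the 'idmap config' lines discussed above. It confirms that the default and domain ID ranges do not overlap and shows the Unix ID the rid backend derives from a RID, using the formula documented in idmap_rid(8). The domain name SAMBADOM stands in for the <domain> placeholder, and all function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines from the smb.conf above, with the
# <domain> placeholder replaced by the stand-in name SAMBADOM.
SMB_CONF = """
[global]
idmap config SAMBADOM:backend = rid
idmap config SAMBADOM:range = 10000-600000
idmap config * : range = 1000-2000
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, opt, val = m.groups()
        if opt == "range":
            low, high = val.split("-")
            val = (int(low), int(high))
        domains.setdefault(dom, {})[opt] = val
    return domains

def overlapping_ranges(domains):
    """Adjacent (by low bound) domain pairs whose ID ranges intersect."""
    items = sorted((cfg["range"], dom) for dom, cfg in domains.items() if "range" in cfg)
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; None if it falls outside the range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    # RID 513 is the well-known RID of 'Domain Users'.
    print("Domain Users gid:", rid_to_unix_id(513, cfg["SAMBADOM"]["range"]))
```

A RID whose computed ID falls above the top of the range gets no mapping at all, so the account cannot be resolved to a Unix owner on the server.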