Themis Hoffmeister Villegas
2019-Nov-07 19:25 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
Good afternoon friends,

I have a problem with Samba.
My environment has several branches, and each branch office has an AD Win 2012 Server.
And I have in each branch a CentOS Server 7.7 with Samba 4.9.1 that only communicates with the matrix server AD. Samba does not communicate with the local AD Server.

My Samba setup follows:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2019/08/16 20:00:43
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

    workgroup = FEMME
    realm = FEMME.BR
    security = ads
    password server = 10.3.24.1
    idmap config * : range = 16777216-33554431
    template shell = /sbin/nologin
    kerberos method = secrets only
    winbind use default domain = yes
    winbind offline logon = false

#--authconfig--end-line--

    netbios name = SVFEBELC7PX02
    server string = SVFEBELC7PX02 server Proxy Internet
    load printers = no
    printcap name = /dev/null
    #log level = 10
    log file = /var/log/samba/log.%m
    max log size = 500
    idmap config * : backend = tdb
    winbind separator = +
    encrypt passwords = yes
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind cache time = 15
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    local master = no
    os level = 233
    domain master = no
    preferred master = no
    domain logons = no
    wins server = 10.3.24.1
    dns proxy = no

Tests

Test wbinfo -u ok
Test wbinfo -g ok
Test wbinfo -u ok

wbinfo -Ptp
checking the NETLOGON for domain[FEMME] dc connection to "SVFEBEW12AD01.femme.br" succeeded
checking the trust secret for domain FEMME via RPC calls succeeded
Ping to winbindd succeeded

Test fail

ntlm_auth --username=user --password=Password
NT_STATUS_ACCESS_DENIED: {Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)

wbinfo -a sathemis
Enter sathemis's password:
plaintext password authentication failed
Could not authenticate user sathemis with plaintext password
Enter sathemis's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(FEMME+sathemis): error code was NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
error message was: {Access Denied} A process has requested access to an object but has not been granted those access rights.
Could not authenticate user sathemis with challenge/response

----------------------------------

Can anyone help me?
Rowland Penny
2019-Nov-07 19:37 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
Are you using sssd?

Rowland
Themis Hoffmeister Villegas
2019-Nov-08 01:01 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
No

the solution is to use sssd ???
Rowland Penny
2019-Nov-08 09:16 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
On 08/11/2019 01:01, Themis Hoffmeister Villegas via samba wrote:
> No
>
> the solution is to use sssd ???

No, I asked because your smb.conf only has these idmap config lines:

    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431

This generally means that sssd is being used and you cannot use sssd with Samba >= 4.8.0.

I would also expect lines like these (at least):

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config FEMME : backend = rid
    idmap config FEMME : range = 10000-999999

I would also remove the 'password server' line and allow Samba to find the best DC for you.

I take it the 'matrix server' is the DC with the PDC Emulator role, but as you are possibly using 'sites' (and if you aren't, it sounds like you should), then each Samba domain member should use the local DC.

Rowland
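
A small lint for the points raised in the reply above, as an added example that is not part of the thread or of Samba itself: it flags a missing `idmap config` range for the joined domain, overlapping idmap ranges, a pinned `password server`, and parameters set twice with different values (in smb.conf the later one wins). `parse_global` and `lint_member_idmap` are hypothetical helper names, and the sample input is constructed from the lines posted above.

```python
import re

# Constructed sample: idmap/auth-related lines taken from the smb.conf posted in this thread.
SAMPLE = """[global]
workgroup = FEMME
security = ads
password server = 10.3.24.1
idmap config * : range = 16777216-33554431
kerberos method = secrets only
idmap config * : backend = tdb
kerberos method = secrets and keytab
"""

def parse_global(text):
    """Return (params, conflicts) for [global]; a later value overrides an earlier one."""
    params, conflicts, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            key = re.sub(r"\s+", " ", key.lower())
            if params.get(key, value) != value:
                conflicts.append(key)
            params[key] = value
    return params, conflicts

def lint_member_idmap(text):
    """Hypothetical lint covering the points raised in the reply above."""
    params, conflicts = parse_global(text)
    findings = [f"'{k}' is set twice with different values" for k in conflicts]
    ranges = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            ranges[m.group(1).upper()] = tuple(int(n) for n in value.split("-"))
    domain = params.get("workgroup", "").upper()
    if params.get("security", "").lower() == "ads" and domain not in ranges:
        findings.append(f"no 'idmap config {domain} : range' for the joined domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    if "password server" in params:
        findings.append("'password server' pins one DC")
    return findings
```

Run `lint_member_idmap(open("/etc/samba/smb.conf").read())` on a domain member; an empty list means none of these four conditions was found.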