Themis Hoffmeister Villegas
2019-Nov-07  19:25 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
Good afternoon friends
I have a problem with Samba
My environment has several branches. And each branch office has an AD Win 2012
Server
And I have in each branch a Centos Server 7.7 with Samba 4.9.1 that only
communicates with the matrix server AD. Samba does not communicate with the
local AD Server.
Follow my Samba setup
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
#--authconfig--start-line--
# Generated by authconfig on 2019/08/16 20:00:43
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
   workgroup = FEMME
   realm = FEMME.BR
   security = ads
   password server = 10.3.24.1
   idmap config * : range = 16777216-33554431
   template shell = /sbin/nologin
   kerberos method = secrets only
   winbind use default domain = yes
   winbind offline logon = false
#--authconfig--end-line--
netbios name = SVFEBELC7PX02
server string = SVFEBELC7PX02 server Proxy Internet
load printers = no
printcap name = /dev/null
#log level = 10
log file = /var/log/samba/log.%m
max log size = 500
idmap config * : backend = tdb
winbind separator = +
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind cache time = 15
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 10.3.24.1
dns proxy = no
Tests
Test wbinfo -u ok
Test wbinfo -g ok
Test wbinfo -u ok
wbinfo -Ptp
checking the NETLOGON for domain[FEMME] dc connection to
"SVFEBEW12AD01.femme.br" succeeded
checking the trust secret for domain FEMME via RPC calls succeeded
Ping to winbindd succeeded
Test fail
ntlm_auth --username=user --password=Password
NT_STATUS_ACCESS_DENIED: {Access Denied} A process has requested access to an
object but has not been granted those access rights. (0xc0000022)
wbinfo -a sathemis
Enter sathemis's password:
plaintext password authentication failed
Could not authenticate user sathemis with plaintext password
Enter sathemis's password:
challenge/response password authentication failed
wbcAuthenticateUserEx(FEMME+sathemis): error code was NT_STATUS_ACCESS_DENIED
(0xc0000022, authoritative=0)
error message was: {Access Denied} A process has requested access to an object
but has not been granted those access rights.
Could not authenticate user sathemis with challenge/response
----------------------------------
can anyone help me?
Rowland Penny
2019-Nov-07  19:37 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
On 07/11/2019 19:25, Themis Hoffmeister Villegas via samba wrote:
> Good afternoon friends
>
> I have a problem with Samba
> My environment has several branches. And each branch office has an AD Win 2012 Server
> And I have in each branch a Centos Server 7.7 with Samba 4.9.1 that only communicates with the matrix server AD. Samba does not communicate with the local AD Server.
>
> Follow my Samba setup
>
> # See smb.conf.example for a more detailed config file or
> # read the smb.conf manpage.
> # Run 'testparm' to verify the config is correct after
> # you modified it.
>
> [global]
> #--authconfig--start-line--
>
> # Generated by authconfig on 2019/08/16 20:00:43
> # DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
> # Any modification may be deleted or altered by authconfig in future
>
> workgroup = FEMME
> realm = FEMME.BR
> security = ads
> password server = 10.3.24.1
> idmap config * : range = 16777216-33554431
> template shell = /sbin/nologin
> kerberos method = secrets only
> winbind use default domain = yes
> winbind offline logon = false
>
> #--authconfig--end-line--
>
> netbios name = SVFEBELC7PX02
> server string = SVFEBELC7PX02 server Proxy Internet
> load printers = no
> printcap name = /dev/null
> #log level = 10
> log file = /var/log/samba/log.%m
> max log size = 500
> idmap config * : backend = tdb
> winbind separator = +
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind cache time = 15
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> local master = no
> os level = 233
> domain master = no
> preferred master = no
> domain logons = no
> wins server = 10.3.24.1
> dns proxy = no
>
> Tests
>
> Test wbinfo -u ok
> Test wbinfo -g ok
> Test wbinfo -u ok
>
> wbinfo -Ptp
> checking the NETLOGON for domain[FEMME] dc connection to "SVFEBEW12AD01.femme.br" succeeded
> checking the trust secret for domain FEMME via RPC calls succeeded
> Ping to winbindd succeeded
>
> Test fail
>
> ntlm_auth --username=user --password=Password
> NT_STATUS_ACCESS_DENIED: {Access Denied} A process has requested access to an object but has not been granted those access rights. (0xc0000022)
>
> wbinfo -a sathemis
> Enter sathemis's password:
> plaintext password authentication failed
> Could not authenticate user sathemis with plaintext password
> Enter sathemis's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(FEMME+sathemis): error code was NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
> error message was: {Access Denied} A process has requested access to an object but has not been granted those access rights.
> Could not authenticate user sathemis with challenge/response
>
> ----------------------------------
>
> can anyone help me?
>

Are you using sssd ?

Rowland
Themis Hoffmeister Villegas
2019-Nov-08  01:01 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
No
the solution is to use sssd ???
Rowland Penny
2019-Nov-08  09:16 UTC
[Samba] NT_STATUS_ACCESS_DENIED (0xc0000022, authoritative=0)
On 08/11/2019 01:01, Themis Hoffmeister Villegas via samba wrote:
> No
>
> the solution is to use sssd ???

No, I asked because your smb.conf only has these idmap config lines:

idmap config * : backend = tdb
idmap config * : range = 16777216-33554431

This generally means that sssd is being used and you cannot use sssd with Samba >= 4.8.0

I would also expect lines like these (at least):

idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FEMME : backend = rid
idmap config FEMME : range = 10000-999999

I would also remove the 'password server' line and allow Samba to find the best DC for you. I take it the 'matrix server' is the DC with the PDC Emulator role, but as you are possibly using 'sites' (and if you aren't, it sounds like you should), then each Samba domain member should use the local DC.

Rowland
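
The points raised in the reply above, applied to the posted smb.conf as a small Python lint. This is an example added here, not code from the thread, its participants or the Samba project; it also flags parameters that the posted file sets twice with different values. The function names, rule set and message texts are assumptions made for this example.

```python
import re
from itertools import combinations

# Constructed sample: selected lines from the smb.conf posted in this thread.
POSTED = """[global]
   workgroup = FEMME
   password server = 10.3.24.1
   idmap config * : range = 16777216-33554431
   kerberos method = secrets only
idmap config * : backend = tdb
kerberos method = secrets and keytab
"""

def parse_global(text):
    """Return {parameter: [values in file order]} for the [global] section."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # normalise case and whitespace so repeated parameters compare equal
            params.setdefault(" ".join(key.lower().split()), []).append(value.strip())
    return params

def lint(text):
    """Hypothetical rules: the reply's advice plus a duplicate-parameter check."""
    params, findings, ranges = parse_global(text), [], {}
    for key, values in params.items():
        if len(set(values)) > 1:
            findings.append(f"conflicting duplicates: {key} = {values}")
        m = re.fullmatch(r"idmap config (\S+) ?: ?range", key)
        if m:
            low, high = (int(n) for n in values[-1].split("-"))
            ranges[m.group(1).upper()] = (low, high)
    domain = params.get("workgroup", ["?"])[-1].upper()
    if domain not in ranges:
        findings.append(f"no idmap config for domain {domain}, only the '*' default")
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"idmap ranges overlap: {a} and {b}")
    if "password server" in params:
        findings.append("'password server' pins one DC")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(POSTED)))
```
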