Marlon Franco
2020-Feb-26 08:19 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Hi Rowland,
I tried to set that option but still got the same result.
I recreated the setup in old Debian wheezy 7.11 and it's working.
set the log level = 10
'abcd' is the user account
Then I noticed this in /var/log/samba/log.10.0.2.15 = the IP of the Samba
server, I am issuing the smbclient in the Samba server itself.
Unix User found. Rid marked as special and sid (S-1-22-1-12658) saved as extra sid
[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info.c:484(SamInfo3_handle_sids)
  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) for abcd(S-1-22-1-12658)
[2020/02/24 21:13:21.436416,  1, pid=5914, effective(0, 0), real(0, 0), class=auth] ../source3/auth/user_krb5.c:254(make_session_info_krb5)
  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!
[2020/02/24 21:13:21.436435,  1, pid=5914, effective(0, 0), real(0, 0)] ../source3/auth/auth_generic.c:174(auth3_generate_session_info_pac)
  Failed to map kerberos pac to server info (NT_STATUS_INVALID_SID)
[2020/02/24 21:13:21.436477,  3, pid=5914, effective(0, 0), real(0, 0), class=smb2] ../source3/smbd/smb2_server.c:3195(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED]
Thanks!
On Monday, February 24, 2020, 8:37:07 PM GMT+1, Rowland penny via samba
<samba at lists.samba.org> wrote:
On 24/02/2020 19:00, Marlon Franco wrote:
> Hi Rowland,
>
> Can we at least make it work in a new server, I need to virtualize
> this first before I move to Samba AD domain, this conf came from the
> Debian wheezy which has a Samba 3.6.6. I'm trying to replicate the OLD
> server exactly as much as possible because I might break something.
>
> I tried to change the security = ads and kerberos method = secrets
> and keytab but still could not work
>
> when I do smbclient -k -L //sample.test.de/ -d 2
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> Or are you saying it is not possible unless I move to Samba AD?
>
It wasn't very common to use kerberos with a PDC, so I am unsure if it
will work now. However, it could be fallout from the various changes
since 3.6.x, such as 'ntlm auth' now defaulting to NTLMv2.
Try setting these options in smb.conf:
ntlm auth = yes
server max protocol = NT1
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Rowland penny
2020-Feb-26 09:05 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
On 26/02/2020 08:19, Marlon Franco wrote:
>
>   The primary group domain
> sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the
> domain sid(S-1-5-21-3914098627-448258429-2114528033) for
> abcd(S-1-22-1-12658)

All domain members must use the same SID, you can obtain this on the PDC
with 'net getdomainsid'. You should then be able to set the domain SID on
Unix domain members with 'net setdomainsid
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz', replacing the SID with the
one you obtained on the PDC.

Rowland
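Added example, not part of the original thread: a Python sketch that pulls the two domain SIDs out of the mismatch message quoted above, so they can be compared with the 'net getdomainsid' output from the PDC. The function names and the reference_sid parameter are illustrative assumptions; the sample log is constructed from the thread's own lines with the mail line wraps undone.

```python
import re

# Message text as quoted in the thread (logged from source3/auth/server_info.c).
MISMATCH_RE = re.compile(
    r"The primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain_sid>S-[\d-]+)\) "
    r"for (?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)"
)

# Constructed sample: the log lines from the thread with the mail line wraps undone.
SAMPLE_LOG = (
    "[2020/02/24 21:13:21.436397,  1, pid=5914, effective(0, 0), real(0, 0), "
    "class=auth] ../source3/auth/server_info.c:484(SamInfo3_handle_sids)\n"
    "  The primary group domain sid(S-1-5-21-2449491038-845518472-943770720-512) "
    "does not match the domain sid(S-1-5-21-3914098627-448258429-2114528033) "
    "for abcd(S-1-22-1-12658)\n"
    "  make_server_info_[sam|pw] failed: NT_STATUS_INVALID_SID!\n"
)

def split_sid(sid):
    """Return (domain part, RID): the SID minus its last sub-authority, and that value."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def find_sid_mismatches(log_text, reference_sid=None):
    """Extract each mismatch; reference_sid is the 'net getdomainsid' value from the PDC."""
    findings = []
    for m in MISMATCH_RE.finditer(log_text):
        group_domain, group_rid = split_sid(m["group_sid"])
        finding = {
            "user": m["user"], "user_sid": m["user_sid"],
            "group_domain_sid": group_domain, "group_rid": group_rid,
            "domain_sid": m["domain_sid"],
        }
        if reference_sid is not None:
            # Name the fields whose domain SID differs from the reference value.
            finding["differs_from_reference"] = [
                k for k in ("group_domain_sid", "domain_sid")
                if finding[k] != reference_sid]
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in find_sid_mismatches(SAMPLE_LOG):
        print(f"{f['user']}: group domain {f['group_domain_sid']} "
              f"(RID {f['group_rid']}) vs domain {f['domain_sid']}")
```

Passing the PDC's SID as reference_sid shows which side of the comparison still carries a different domain SID.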
Marlon Franco
2020-Feb-28 14:45 UTC
[Samba] NT_STATUS_ACCESS_DENIED when issuing smbclient -k
Dear Rowland,
Setting the SID really shows progress.
smbclient -k -L //sample.test.de/ now works.
Now I'm stuck with session setup failed: NT_STATUS_LOGON_FAILURE
even if ntlm auth and client max protocol are set.
In the OLD setup I can log in even if I don't type a password:
smbclient //localhost/netlogon -U 'abcd'
Enter abcd's password:
Anonymous login successful
Domain=[TEST.DE] OS=[Unix] Server=[Samba 3.6.6]
smb: \>
Now I get session setup failed: NT_STATUS_LOGON_FAILURE even if I type the
correct password.
Based on the logs:
ntlmssp_server_auth_send: Checking NTLMSSP password for TEST.DE\abcd failed: NT_STATUS_NO_SUCH_USER
Thanks!
On Wednesday, February 26, 2020, 10:06:02 AM GMT+1, Rowland penny via samba
<samba at lists.samba.org> wrote:
On 26/02/2020 08:19, Marlon Franco wrote:
>
>   The primary group domain
> sid(S-1-5-21-2449491038-845518472-943770720-512) does not match the
> domain sid(S-1-5-21-3914098627-448258429-2114528033) for
> abcd(S-1-22-1-12658)
All domain members must use the same SID, you can obtain this on the PDC
with 'net getdomainsid'. You should then be able to set the domain SID on
Unix domain members with 'net setdomainsid
S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' , replacing the SID with the
one you obtained on the PDC.
Rowland