On Wed, 2021-08-11 at 15:01 +0200, Mark Amundsen via samba wrote:
> Hello all
>
> I have a Samba AD DC and a Samba Fileserver. Shares on the latter are
> mainly served to W10 clients (they are also members of the
> samba-domain). All this works.
>
> Then there is a linux box that mounts a few shares on the fileserver
> with mount.cifs, this used to work for several years but stopped
> working a few days back (most likely after an apt upgrade but
> unfortunately I didn't notice it break at the moment).

Is the 'linux box' joined to the domain ? If not, why not ?

>
> I have the credentials in a file (/etc/cifs-utils/cifspasswd):
> username=me@domain.example.com
> password=thesecret
>
> mount -t cifs -o credentials=/etc/cifs-utils/cifspasswd
> //fileserver/data /mnt/samba
> returns Status code returned 0xc000005e STATUS_NO_LOGON_SERVERS
>
> However, this works:
> smbclient -A /etc/cifs-utils/cifspasswd //fileserver/data
>
> I've tried to change the credential-file to
> username=me
> password=thesecret
> domain=domain.example.com
>
> but then smbclient says: gensec_spnego_client_negTokenInit_step:
> gse_krb5: creating NEG_TOKEN_INIT for cifs/sneezy failed
> (next[(null)]): NT_STATUS_NO_MEMORY

Anything with 'krb5' in it, means kerberos

> and mount.cifs STATUS_NO_LOGON_SERVERS as before

It is probably looking for a KDC

>
> If I type an invalid password smbclient also says
> NT_STATUS_NO_LOGON_SERVERS
>
> I am aware that this might not be an issue with samba, I just hope
> that some kind soul will kick me out in the right direction :)
>
> Any hints on how to troubleshoot this would be much appreciated!
> Samba version is 4.14.6
> mount.cifs is 6.8 (debian)
> smbclient is 4.9.5-Debian
> os on all three is debian 10.10 with Linux 4.19.0-17-amd64
>

Let's start by you posting the smb.conf from all three machines (hint:
post the output from 'samba-tool testparm --suppress-prompt' on the DC
and 'testparm -s' on the others)

Rowland

Hi and thanks for your time

First of all, I cleaned up the krb5.conf according to the samba wiki and after that I can connect with smbclient using the three part style of the credentials file, i.e.
username=me
password=thesecret
domain=domain.example.com

but mount.cifs still says STATUS_NO_LOGON_SERVERS

> Is the 'linux box' joined to the domain ? If not, why not ?

It is joined to the domain.

> Let's start by you posting the smb.conf from all three machines (hint:
> post the output from 'samba-tool testparm --suppress-prompt' on the DC
> and 'testparm -s' on the others)

Here are the outputs you asked for. Some info anonymized.

AD DC:
root@doc:~# samba-tool testparm --suppress-prompt
INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2021-08-11 17:18:37,355 pid:3345 /usr/local/samba/lib/python3.7/site-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
# Global parameters
[global]
    dns forwarder = 1.2.3.4
    netbios name = DOC
    realm = THEDOMAIN.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = THEDOMAIN
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/thedomain.example.com/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

Fileserver:
root@sneezy:~# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
    log file = /var/log/samba/%m.log
    realm = THEDOMAIN.EXAMPLE.COM
    security = ADS
    username map = /etc/samba/user.map
    winbind use default domain = Yes
    workgroup = THEDOMAIN
    idmap config thedomain: range = 10000-999999
    idmap config thedomain: backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    map acl inherit = Yes
    vfs objects = acl_xattr

[Data]
    path = /var/mntsamba/samba/Data/
    read only = No

The 'linux-box' that no longer mounts shares (I wasn't aware that mount.cifs uses the smb.conf so it is basically default debian conf)
root@pluto:~# testparm -s
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

# Global parameters
[global]
    log file = /var/log/samba/log.%m
    logging = file
    map to guest = Bad User
    max log size = 1000
    obey pam restrictions = Yes
    pam password change = Yes
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    passwd program = /usr/bin/passwd %u
    server role = standalone server
    unix password sync = Yes
    usershare allow guests = Yes
    workgroup = THEDOMAIN
    idmap config * : backend = tdb
    create mask = 0700
    directory mask = 0700
    valid users = %S

cheers
Mark
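
Added example, not part of the thread and not Samba project code: a small parser that puts the [global] sections of the three testparm dumps side by side and lists where a host differs from the DC. The function names are hypothetical, the input is abbreviated from the output posted above, and the check assumes an AD member's smb.conf carries security = ADS and the DC's realm.

```python
# Constructed input: [global] lines abbreviated from the testparm output in this thread.
DUMPS = {
    "doc": """[global]
    realm = THEDOMAIN.EXAMPLE.COM
    server role = active directory domain controller
""",
    "sneezy": """[global]
    realm = THEDOMAIN.EXAMPLE.COM
    security = ADS
    idmap config thedomain: backend = rid
[Data]
""",
    "pluto": """[global]
    server role = standalone server
    idmap config * : backend = tdb
""",
}

def parse_testparm(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            # Split on the first '=' only: names may contain ':' and spaces.
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def member_findings(g, dc_realm):
    """Assumption: an AD member needs security = ADS and the DC's realm."""
    checks = [
        (g.get("security", "").upper() != "ADS", "security is not ADS"),
        (g.get("realm", "").upper() != dc_realm.upper(), "realm does not match the DC"),
        (g.get("server role", "").lower().startswith("standalone"), "server role is standalone"),
    ]
    return [msg for failed, msg in checks if failed]

def compare(dumps, dc="doc"):
    parsed = {h: parse_testparm(t).get("global", {}) for h, t in dumps.items()}
    realm = parsed[dc].get("realm", "")
    return {h: member_findings(g, realm) for h, g in parsed.items() if h != dc}

if __name__ == "__main__":
    print(compare(DUMPS))
```

An empty list for a host means its [global] section matches these three checks; it says nothing about Kerberos or DNS configuration.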