Rowland Penny
2023-Dec-13 18:07 UTC
[Samba] samba fails to connect to windows file share joined to domain
On Wed, 13 Dec 2023 10:23:27 -0700 jacek burghardt via samba <samba at lists.samba.org> wrote:

> 1. Do you want to setup a domaincontroller, fileserver or a client
> The usage case is for client connecting to windows shares.

OK, in which case your existing smb.conf requires a total re-write.

> 2. If you want to setup a fileserver or client tell us if you joined
> to the domain "net ads testjoin" is showing this.
> Join to domain is not valid: LDAP_INVALID_CREDENTIALS

This could be for several reasons, your existing smb.conf isn't allowing the join, or you just haven't joined the domain, for instance.

> 3. Did you change your smb.conf to define your role DC or fileserver or
> client. At the moment it's a little bit from everything.
> What is proper config for a client ?

Based on what you posted, try this one:

[global]
    workgroup = HEBE
    security = ADS
    realm = HEBE.US

    winbind use default domain = Yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    dns proxy = no

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config HEBE : backend = rid
    idmap config HEBE : range = 10000-20000
    template shell = /bin/bash

    vfs objects = acl_xattr shadow_copy2
    map acl inherit = Yes

    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    printing = bsd

    log level = 3
    max log size = 50
    log file = /var/log/samba/log.%m
    ntlm auth = mschapv2-and-ntlmv2-only

There are no shares shown, because the only shares you did show 'sysvol' & 'netlogon' shouldn't be on a fileserver.

Stop any Samba daemons, then run:

    sudo net ads join -UAdministrator

Enter the Administrator password when prompted.

Once the join has succeeded, start the Samba daemons.

Rowland
jacek burghardt
2023-Dec-13 21:47 UTC
[Samba] samba fails to connect to windows file share joined to domain
I set up my samba with the config provided. I can't mount shares; I still see:

SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.

[2023/12/13 14:41:17.238710, 1] ../../source3/winbindd/winbindd_cm.c:870(cm_prepare_connection)
  authenticated session setup to den-dc01.HEBE.US using HEBE\RADREC$ failed with NT_STATUS_LOGON_FAILURE
[2023/12/13 14:41:17.238751, 3] ../../source3/winbindd/winbindd_cm.c:365(cm_get_ipc_userpass)
  cm_get_ipc_userpass: No auth-user defined
[2023/12/13 14:41:17.238781, 3] ../../source3/winbindd/winbindd_cm.c:365(cm_get_ipc_userpass)
  cm_get_ipc_userpass: No auth-user defined
[2023/12/13 14:41:17.238910, 1] ../../source3/winbindd/winbindd_cm.c:1016(cm_prepare_connection)
  Failed to prepare SMB connection to den-dc01.HEBE.US: NT_STATUS_LOGON_FAILURE
[2023/12/13 14:41:17.239109, 3] ../../source3/winbindd/winbindd_dual_srv.c:951(_wbint_PingDc)
  could not open handle to NETLOGON pipe: NT_STATUS_LOGON_FAILURE

On Wed, Dec 13, 2023 at 11:08 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 13 Dec 2023 10:23:27 -0700
> jacek burghardt via samba <samba at lists.samba.org> wrote:
>
> > 1. Do you want to setup a domaincontroller, fileserver or a client
> > The usage case is for client connecting to windows shares.
>
> OK, in which case your existing smb.conf requires a total re-write.
>
> > 2. If you want to setup a fileserver or client tell us if you joined
> > to the domain "net ads testjoin" is showing this.
> > Join to domain is not valid: LDAP_INVALID_CREDENTIALS
>
> This could be for several reasons, your existing smb.conf isn't allowing
> the join, or you just haven't joined the domain, for instance.
>
> > 3. Did you change your smb.conf to define your role DC or fileserver or
> > client. At the moment it's a little bit from everything.
> > What is proper config for a client ?
>
> Based on what you posted, try this one:
>
> [global]
>     workgroup = HEBE
>     security = ADS
>     realm = HEBE.US
>
>     winbind use default domain = Yes
>     winbind refresh tickets = yes
>     winbind offline logon = yes
>     dns proxy = no
>
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>     idmap config HEBE : backend = rid
>     idmap config HEBE : range = 10000-20000
>     template shell = /bin/bash
>
>     vfs objects = acl_xattr shadow_copy2
>     map acl inherit = Yes
>
>     printcap name = /dev/null
>     load printers = no
>     disable spoolss = yes
>     printing = bsd
>
>     log level = 3
>     max log size = 50
>     log file = /var/log/samba/log.%m
>     ntlm auth = mschapv2-and-ntlmv2-only
>
> There are no shares shown, because the only shares you did show
> 'sysvol' & 'netlogon' shouldn't be on a fileserver.
>
> Stop any Samba daemons, then run:
>
> sudo net ads join -UAdministrator
>
> Enter the Administrator password when prompted.
>
> Once the join has succeeded, start the Samba daemons.
>
> Rowland
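
Added example (not part of either post and not Samba project code): a small Python parser for the winbindd log format shown in the message above. It groups each header line with its message and counts failed session setups made with an account whose name ends in `$`, i.e. the host's machine account. The sample lines are copied from that message; all function and variable names are this example's own.

```python
import re
from collections import Counter

# A Samba log entry is a header "[timestamp, level] file:line(function)"
# followed by the message, on the same line or on indented lines below it.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$")
# Message text as logged by cm_prepare_connection in the post above.
SETUP_FAILED = re.compile(
    r"authenticated session setup to (?P<dc>\S+) using (?P<account>\S+) "
    r"failed with (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Return one dict per log entry, joining continuation lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["msg"] = entry.pop("rest")
            entries.append(entry)
        elif entries and line:  # continuation of the previous entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def machine_auth_failures(entries):
    """Count failed session setups per (DC, machine account, status)."""
    hits = Counter()
    for entry in entries:
        m = SETUP_FAILED.search(entry["msg"])
        if m and m["account"].endswith("$"):
            hits[(m["dc"], m["account"], m["status"])] += 1
    return hits

# Sample input: three entries copied from the post above.
SAMPLE = r"""
[2023/12/13 14:41:17.238710, 1] ../../source3/winbindd/winbindd_cm.c:870(cm_prepare_connection)
  authenticated session setup to den-dc01.HEBE.US using HEBE\RADREC$ failed with NT_STATUS_LOGON_FAILURE
[2023/12/13 14:41:17.238751, 3] ../../source3/winbindd/winbindd_cm.c:365(cm_get_ipc_userpass)
  cm_get_ipc_userpass: No auth-user defined
[2023/12/13 14:41:17.238910, 1] ../../source3/winbindd/winbindd_cm.c:1016(cm_prepare_connection)
  Failed to prepare SMB connection to den-dc01.HEBE.US: NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for key, count in machine_auth_failures(parse_entries(SAMPLE)).items():
        print(count, *key)
```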