Orion Poplawski
2025-Sep-15 20:23 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS for remote connections with DOMAIN\user
One of our EL 9.6 samba servers has stopped being able to do password authentication over the network when using the DOMAIN\user format. If I connect with smbclient, when winbind is trying to connect to the AD server we see: [2025/09/15 12:58:12.542784, 3, traceid=16] ../../source3/lib/util_sock.c:458(open_socket_out_send) Connecting to IPADDR at port 49681 [2025/09/15 12:58:12.548802, 3, traceid=16] ../../source3/winbindd/winbindd_pam.c:1819(winbind_samlogon_retry_loop) winbind_samlogon_retry_loop: This is problem 3 for this particular call,DOMAIN[NWRA] DC[FQDN] - NT_STATUS_ACCESS_DENIED [2025/09/15 12:58:12.548897, 1, traceid=16] ../../source3/winbindd/winbindd_pam.c:1865(winbind_samlogon_retry_loop) winbind_samlogon_retry_loop: Mapping NT_STATUS_ACCESS_DENIED/authoritative=1 to NT_STATUS_NO_LOGON_SERVERS/authoritative=1 forUSERNAME[USER] USERDOMAIN[NWRA] REMOTE-DOMAIN[NWRA] the smbclient connection then fails with: session setup failed: NT_STATUS_NO_LOGON_SERVERS However wbinfo -a DOMAIN\\user works fine: [2025/09/15 12:59:18.042880, 3, traceid=18] ../../source3/lib/util_sock.c:458(open_socket_out_send) Connecting to IPADDR at port 49681 [2025/09/15 12:59:18.053684, 3, traceid=18] ../../auth/auth_log.c:858(log_authentication_event_human_readable) Auth: [winbind,PAM_AUTH, wbinfo, 3196706] user []\[USER] at [Mon, 15 Sep 2025 12:59:18.053668 PDT] with [Plaintext] status [NT_STATUS_OK] workstation [(null)] remote host [unix:] became USER/SID. local host [unix:] we've rejoined and restarted to no avail. Other similar servers work fine here. If we use the username format user at domain it works. Any ideas? -- Orion Poplawski he/him/his - surely the least important thing about me Manager of IT Systems 720-772-5637 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane orion at nwra.com Boulder, CO 80301 https://www.nwra.com/
Rowland Penny
2025-Sep-16 08:13 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS for remote connections with DOMAIN\user
On Mon, 15 Sep 2025 14:23:25 -0600 Orion Poplawski via samba <samba at lists.samba.org> wrote:> One of our EL 9.6 samba servers has stopped being able to do password > authentication over the network when using the DOMAIN\user format. > If I connect with smbclient, when winbind is trying to connect to the > AD server we see: > > [2025/09/15 12:58:12.542784, 3, traceid=16] > ../../source3/lib/util_sock.c:458(open_socket_out_send) > Connecting to IPADDR at port 49681 > [2025/09/15 12:58:12.548802, 3, traceid=16] > ../../source3/winbindd/winbindd_pam.c:1819(winbind_samlogon_retry_loop) > winbind_samlogon_retry_loop: This is problem 3 for this particular > call,DOMAIN[NWRA] DC[FQDN] - NT_STATUS_ACCESS_DENIED > [2025/09/15 12:58:12.548897, 1, traceid=16] > ../../source3/winbindd/winbindd_pam.c:1865(winbind_samlogon_retry_loop) > winbind_samlogon_retry_loop: Mapping > NT_STATUS_ACCESS_DENIED/authoritative=1 to > NT_STATUS_NO_LOGON_SERVERS/authoritative=1 forUSERNAME[USER] > USERDOMAIN[NWRA] REMOTE-DOMAIN[NWRA] > > the smbclient connection then fails with: > > session setup failed: NT_STATUS_NO_LOGON_SERVERS > > However wbinfo -a DOMAIN\\user works fine: > > [2025/09/15 12:59:18.042880, 3, traceid=18] > ../../source3/lib/util_sock.c:458(open_socket_out_send) > Connecting to IPADDR at port 49681 > [2025/09/15 12:59:18.053684, 3, traceid=18] > ../../auth/auth_log.c:858(log_authentication_event_human_readable) > Auth: [winbind,PAM_AUTH, wbinfo, 3196706] user []\[USER] at [Mon, > 15 Sep 2025 12:59:18.053668 PDT] with [Plaintext] status > [NT_STATUS_OK] workstation [(null)] remote host [unix:] became > USER/SID. local host [unix:] > > we've rejoined and restarted to no avail. Other similar servers work > fine here. > > If we use the username format user at domain it works. > > Any ideas? >I think you are going to have to give us more info, it works for myself. You could start by posting the output of 'testparm -s' from the Rocky machine Rowland
Orion Poplawski
2025-Sep-18 16:07 UTC
[Samba] NT_STATUS_NO_LOGON_SERVERS for remote connections with DOMAIN\user
On 9/15/25 14:23, Orion Poplawski wrote:> One of our EL 9.6 samba servers has stopped being able to do password > authentication over the network when using the DOMAIN\user format. If I > connect with smbclient, when winbind is trying to connect to the AD server we see:...> Other similar servers work fine here. > > If we use the username format user at domain it works. > > Any ideas?My list delivery was disabled so I didn't get Rowland's response for more info directly, replying here. Load smb config files from /etc/samba/smb.conf Loaded services file OK. Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback) Server role: ROLE_DOMAIN_MEMBER # Global parameters [global] ???????bind interfaces only = Yes ???????disable spoolss = Yes ???????interfaces = lo eno49 ???????load printers = No ???????log file = /var/log/samba/log.%m ???????logging = systemd file ???????max log size = 500 ???????preferred master = No ???????printcap name = /dev/null ???????realm = AD.NWRA.COM ???????security = ADS ???????server min protocol = SMB2 ???????server string = NWRA Seattle Disk Server %h ???????workgroup = NWRA ???????idmap config nwra : range = 1000-999999 ???????idmap config nwra : backend = nss ???????idmap config * : range = 1000000-1999999 ???????idmap config * : backend = tdb ???????include = /etc/samba/HOST.conf ???????printing = bsd [seattle_data1] ???????create mask = 0775 ???????path = /srv/data1 ???????read only = No [souls] ???????create mask = 0644 ???????path = /srv/souls ???????read only = No ???????valid users = ... I'm completely flummoxed as well - near as I can tell only this one machine is having this issue among many samba servers here, including another EL9.6 one (in a different office). -- Orion Poplawski he/him/his - surely the least important thing about me Manager of IT Systems 720-772-5637 NWRA, Boulder Office FAX: 303-415-9702 3380 Mitchell Lane orion at nwra.com Boulder, CO 80301 https://www.nwra.com/