Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] Problem with adding an Samba Member Server to a Samba AD Domain
372 views
Skip to first unread message
Stefan Schäfer via samba
Mar 18, 2017, 3:10:03 AM3/18/17
to
Hi List,
I found some threads here in the list with similar problems, but nothing
helped to solve my problem.
We have a very much to old Samba DC (Version 4.1.x) and a new Samba
4.5.6 which should act as a member server.
The first problem we had during joining the domain:
"net ads join -k" didn't work.
The Error Message said: Failed to join domain: failed to lookup DC info
for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.
Joining with "net ads join -S s4ad.baettenhausen.local -U
Admini...@baettenhausen.local" worked.
After this it wasn't possible to connect to any share of this server. I
found the following message in the logs:
[2017/03/18 01:48:18.760431, 1]
../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find
cifs/fileserver.baet...@BAETTENHAUSEN.LOCAL(kvno 2) in
keytab MEMORY:cifs_srv_keytab
(arcfour-hmac-md5)]
Trying to search the keytab for "arcfour-hmac-md5" with "klist -e -k
/etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.
Trying to connect with the Domain admins Account with smbclient didn't work:
smbclient -L 127.0.0.1 -U admini...@baettenhausen.local
Enter admini...@baettenhausen.local's password:
session setup failed: NT_STATUS_LOGON_FAILURE
The log shows:
[2017/03/18 07:35:01.529313, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
[2017/03/18 07:35:01.529339, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[BAETTENHAUSEN]\[administrator]@[FILESERVER]
[2017/03/18 07:35:01.552411, 3]
../source3/auth/auth_util.c:1233(check_account)
Failed to find authenticated user BAETTENHAUSEN\administrator via
getpwnam(), denying access.
[2017/03/18 07:35:01.552450, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552482, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552546, 3]
../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/03/18 07:35:01.552988, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2017/03/18 07:35:01.577737, 3]
../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
kinit instead works fine and wbinfo -u is able to show all domain users
My smb.conf:
[global]
workgroup = BAETTENHAUSEN
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
user share allow guests = no
log level = 3
## keine Offline Dateien
# csc policy = disable
## Domain Settings
security = ADS
realm = BAETTENHAUSEN.LOCAL
# server signing = auto
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
ntlm auth = yes
winbind trusted domains only = no
winbind use default domain = yes
## Winbind Settings
#winbind separator = +
# ID-Mapping mit RFC2307 Erweiterung
# Builtin und lokale Benutzer/Gruppen
idmap config *:backend = tdb
idmap config *:range = 40000-49999
# BAETTENHAUSEN
idmap config BAETTENHAUSEN:backend = ad
#idmap config BAETTENHAUSEN:schema_mode = rfc2307
idmap config BAETTENHAUSEN:range = 500-30000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
## Charset Settings
unix charset = UTF8
# display charset = UTF8
dos charset = ASCII
....
Here the krb5.conf
[libdefaults]
default_realm = BAETTENHAUSEN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
BAETTENHAUSEN.LOCAL = {
kdc = s4ad.baettenhausen.local
admin_server = s4ad.baettenhausen.local
}
Resolving the DNS service records for LDAP and Kerberos works:
fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_ldap._tcp.baettenhausen.local. 900 IN SRV 0 100 389
s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 8 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:45:39 CET 2017
;; MSG SIZE rcvd: 133
fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.baettenhausen.local. 900 IN SRV 0 100 88
s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 7 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:46:58 CET 2017
;; MSG SIZE rcvd: 137
Resolving the Hostnames of the AD-DC and the new Member Server works in
both directions.
Any Ideas?
Stefan
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I found some threads here in the list with similar problems, but nothing
helped to solve my problem.
We have a very much to old Samba DC (Version 4.1.x) and a new Samba
4.5.6 which should act as a member server.
The first problem we had during joining the domain:
"net ads join -k" didn't work.
The Error Message said: Failed to join domain: failed to lookup DC info
for domain 'BAETTENHAUSEN.LOCAL' over rpc: An internal error occurred.
Joining with "net ads join -S s4ad.baettenhausen.local -U
Admini...@baettenhausen.local" worked.
After this it wasn't possible to connect to any share of this server. I
found the following message in the logs:
[2017/03/18 01:48:18.760431, 1]
../source3/librpc/crypto/gse.c:498(gse_get_server_auth_token)
gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find
cifs/fileserver.baet...@BAETTENHAUSEN.LOCAL(kvno 2) in
keytab MEMORY:cifs_srv_keytab
(arcfour-hmac-md5)]
Trying to search the keytab for "arcfour-hmac-md5" with "klist -e -k
/etc/krb5.keytab | grep arcfour-hmac-md5" delivers no matches.
Trying to connect with the Domain admins Account with smbclient didn't work:
smbclient -L 127.0.0.1 -U admini...@baettenhausen.local
Enter admini...@baettenhausen.local's password:
session setup failed: NT_STATUS_LOGON_FAILURE
The log shows:
[2017/03/18 07:35:01.529313, 3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user
[BAETTENHAUSEN]\[administrator]@[FILESERVER] with the new password interface
[2017/03/18 07:35:01.529339, 3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is:
[BAETTENHAUSEN]\[administrator]@[FILESERVER]
[2017/03/18 07:35:01.552411, 3]
../source3/auth/auth_util.c:1233(check_account)
Failed to find authenticated user BAETTENHAUSEN\administrator via
getpwnam(), denying access.
[2017/03/18 07:35:01.552450, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [administrator] ->
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552482, 2]
../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2017/03/18 07:35:01.552546, 3]
../source3/smbd/error.c:82(error_packet_set)
NT error packet at ../source3/smbd/sesssetup.c(277) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/03/18 07:35:01.552988, 3]
../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2017/03/18 07:35:01.577737, 3]
../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
kinit instead works fine and wbinfo -u is able to show all domain users
My smb.conf:
[global]
workgroup = BAETTENHAUSEN
interfaces = 127.0.0.1 eth0
bind interfaces only = true
printing = cups
printcap name = cups
load printers = yes
user share allow guests = no
log level = 3
## keine Offline Dateien
# csc policy = disable
## Domain Settings
security = ADS
realm = BAETTENHAUSEN.LOCAL
# server signing = auto
kerberos method = secrets and keytab
client signing = yes
client use spnego = yes
ntlm auth = yes
winbind trusted domains only = no
winbind use default domain = yes
## Winbind Settings
#winbind separator = +
# ID-Mapping mit RFC2307 Erweiterung
# Builtin und lokale Benutzer/Gruppen
idmap config *:backend = tdb
idmap config *:range = 40000-49999
# BAETTENHAUSEN
idmap config BAETTENHAUSEN:backend = ad
#idmap config BAETTENHAUSEN:schema_mode = rfc2307
idmap config BAETTENHAUSEN:range = 500-30000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
## Charset Settings
unix charset = UTF8
# display charset = UTF8
dos charset = ASCII
....
Here the krb5.conf
[libdefaults]
default_realm = BAETTENHAUSEN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
BAETTENHAUSEN.LOCAL = {
kdc = s4ad.baettenhausen.local
admin_server = s4ad.baettenhausen.local
}
Resolving the DNS service records for LDAP and Kerberos works:
fileserver:~ # dig SRV _ldap._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _ldap._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_ldap._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_ldap._tcp.baettenhausen.local. 900 IN SRV 0 100 389
s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 8 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:45:39 CET 2017
;; MSG SIZE rcvd: 133
fileserver:~ # dig SRV _kerberos._tcp.baettenhausen.local
; <<>> DiG 9.9.9-P1 <<>> SRV _kerberos._tcp.baettenhausen.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_kerberos._tcp.baettenhausen.local. IN SRV
;; ANSWER SECTION:
_kerberos._tcp.baettenhausen.local. 900 IN SRV 0 100 88
s4ad.baettenhausen.local.
;; AUTHORITY SECTION:
baettenhausen.local. 900 IN NS s4ad.baettenhausen.local.
;; ADDITIONAL SECTION:
s4ad.baettenhausen.local. 900 IN A 192.168.1.10
;; Query time: 7 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sat Mar 18 07:46:58 CET 2017
;; MSG SIZE rcvd: 137
Resolving the Hostnames of the AD-DC and the new Member Server works in
both directions.
Any Ideas?
Stefan
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny via samba
Mar 18, 2017, 5:50:02 AM3/18/17
to
On Sat, 18 Mar 2017 07:48:27 +0100
Stefan Schäfer via samba <sa...@lists.samba.org> wrote:
> Hi List,
>
> I found some threads here in the list with similar problems, but
> nothing helped to solve my problem.
>
> We have a very much to old Samba DC (Version 4.1.x) and a new Samba
> 4.5.6 which should act as a member server.
Don't suppose you can update the DC to a newer Samba version ?
Stefan Schäfer via samba <sa...@lists.samba.org> wrote:
> Hi List,
>
> I found some threads here in the list with similar problems, but
> nothing helped to solve my problem.
>
> We have a very much to old Samba DC (Version 4.1.x) and a new Samba
> 4.5.6 which should act as a member server.
>
> smbclient -L 127.0.0.1 -U admini...@baettenhausen.local
> Enter admini...@baettenhausen.local's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
username map = /etc/samba/user.map
Then create the user.map:
nano /etc/samba/user.map
!root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
Administrator administrator
>
> Here the krb5.conf
You only need:
[libdefaults]
default_realm = BAETTENHAUSEN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
If your TLD really is '.local' turn off Avahi on the domain member
Rowland
Stefan Schäfer via samba
Mar 18, 2017, 8:30:03 AM3/18/17
to
Am 18.03.2017 um 10:43 schrieb Rowland Penny via samba:
> On Sat, 18 Mar 2017 07:48:27 +0100
> Stefan Schäfer via samba <sa...@lists.samba.org> wrote:
>
>> Hi List,
>>
>> I found some threads here in the list with similar problems, but
>> nothing helped to solve my problem.
>>
>> We have a very much to old Samba DC (Version 4.1.x) and a new Samba
>> 4.5.6 which should act as a member server.
> Don't suppose you can update the DC to a newer Samba version ?
>
>
>> smbclient -L 127.0.0.1 -U admini...@baettenhausen.local
>> Enter admini...@baettenhausen.local's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
> You should be able to fix this by adding this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> Then create the user.map:
>
> nano /etc/samba/user.map
> !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
> Administrator administrator
This works for the Administrator account, but I have this Problem with
>
>> smbclient -L 127.0.0.1 -U admini...@baettenhausen.local
>> Enter admini...@baettenhausen.local's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
> You should be able to fix this by adding this line to smb.conf:
>
> username map = /etc/samba/user.map
>
> Then create the user.map:
>
> nano /etc/samba/user.map
> !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator
> Administrator administrator
all users.
It's a user mapping problem?
>
>> Here the krb5.conf
> You only need:
>
> [libdefaults]
> default_realm = BAETTENHAUSEN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
I tested this before, makes no difference.
>> Here the krb5.conf
> You only need:
>
> [libdefaults]
> default_realm = BAETTENHAUSEN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> If your TLD really is '.local' turn off Avahi on the domain member
Avahi isn't running.
>
> Rowland
>
Stefan
Rowland Penny via samba
Mar 18, 2017, 8:40:02 AM3/18/17
to
On Sat, 18 Mar 2017 13:23:29 +0100
Stefan Schäfer via samba <sa...@lists.samba.org> wrote:
> This works for the Administrator account, but I have this Problem
> with all users.
> It's a user mapping problem?
You are using the winbind 'ad' backend, Have you given Domain Users a
Stefan Schäfer via samba <sa...@lists.samba.org> wrote:
> This works for the Administrator account, but I have this Problem
> with all users.
> It's a user mapping problem?
gidNumber attribute containing a number inside the '500-30000' range?
(by the way, this range isn't a good idea, no space for ANY local Unix
users).
Have you also given your users a uidNumber attribute containing a
unique number inside the same range ?
Rowland
Stefan Schäfer via samba
Mar 18, 2017, 9:30:03 AM3/18/17
to
Got it!
There was "pam-32bit" installed on the server but without
"/lib/security/pam_winbind.so". Removing pam-32bit was the solution.
Thanx for your help Rowland.
Stefan
There was "pam-32bit" installed on the server but without
"/lib/security/pam_winbind.so". Removing pam-32bit was the solution.
Thanx for your help Rowland.
Stefan
0 new messages