On Fri, 03 Jun 2016, lejeczek wrote:
hi users,
I have a samba and sssd trying AD, it's 7.2 Linux.
That linux box is via sssd and samba talking to AD DC and win10
clients get to samba shares, getent pass sees AD users, samba can get
to DC's shares and win10's clients shares, all good except...
smbclient @samba, in other words - to itself - fails
session setup failed: NT_STATUS_LOGON_FAILURE
Do you run winbindd? samba in RHEL 7.2 as of now has a regression that
if you don't run winbindd, current code forbids establishing anonymous
secure channel connections to AD DCs as part of Badlock fixes. The
regression is fixed upstream and RHEL 7.2 packages are currently being
tested by Red Hat QE team.
If you start winbindd, this should not affect you -- if the machine is
enrolled into Active Directory domain. However, the Kerberos error below
makes me thinking you have some problems on AD side as well.
and with smbclient -k
gss_init_sec_context failed with [Unspecified GSS failure. Minor code
may provide more information: Server cifs/swir.private....@private.dom
not found in Kerberos database]
The statement above says your KDC for PRIVATE.DOM does not know anything
about cifs/swir.private.dom principal. Fix that problem and Kerberos
authentication will be working.
SPNEGO(gse_krb5) creating NEG_TOKEN_INIT failed:
NT_STATUS_INTERNAL_ERROR
Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR
session setup failed: NT_STATUS_INTERNAL_ERROR
here is a snippet from smb.conf which I thought has relevance, I set
it up following samba sssd wiki.
security = ads
realm = CCNR.DOM
workgroup = CCNR
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.swir.ccnr.keytab
client signing = auto
client use spnego = yes
encrypt passwords = yes
password server = ccnr-winsrv1.ccnr.dom
netbios name = SWIR
template shell = /bin/bash
template homedir = /home/%D/%U
preferred master = no
dns proxy = no
wins server = ccnr-winsrv1.ccnr.dom
wins proxy = no
inherit acls = Yes
map acl inherit = Yes
acl group control = yes
and in samba log:
domain_client_validate: Domain password server not available.
I've tried samba user list, dead silence.
many thanks,
L.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project