On 8 March 2017 at 16:09, John Beranek <[email protected]> wrote:
> On 8 March 2017 at 16:07, John Beranek <[email protected]> wrote:
>> On 8 March 2017 at 14:59, Sumit Bose <[email protected]> wrote:
>>> On Wed, Mar 08, 2017 at 02:09:09PM +0000, John Beranek wrote:
>>>> On 8 March 2017 at 13:40, Mote, Todd <[email protected]> wrote:
>>>> > Does on my rhel 6 boxes. I'm not in front of a computer at the moment, but
>>>> > there is a log where you can see it. Sssd_domain.log I think. I'll look
>>>> > when I get to work and let you know. Might search the list archive too I'm
>>>> > pretty sure I asked about it when adcli was still in the .7’s.
>>>>
>>>> Hmm, just reading a list thread from September 2016 where it's
>>>> suggested that adcli doesn't get on well with Samba, entitled "samba
>>>> 4.2.11, 4.2.14 and sssd?" http://bit.ly/2n60x4r
>>>>
>>>> I wonder if having adcli installed, but using "net ads join" to join
>>>> the domain is still troublesome...
>>>
>>> Maybe adcli does not lead to the expected result because you use
>>> 'kerberos method = secrets and keytab'. adcli can only update the keytab
>>> but not the host password stored in Samba's secrets.tdb. So chances are
>>> that even if the keys in the keytab are updated Samba will still use the
>>> old one from secrets.tdb. Have you tried to use 'kerberos method =
>>> system keytab'?
>>
>> Thanks Sumit, no change with just the config change, would I need to
>> clear out the Samba database after the change?
>
> Getting the following, which may answer that question:
>
> [2017/03/08 16:04:56.947025, 0] libads/kerberos_util.c:101(ads_kinit_password)
>   kerberos_kinit_password [email protected] failed: Preauthentication failed
> [2017/03/08 16:04:56.947192, 3] printing/nt_printing_ads.c:639(check_published_printers)
>   ads_connect failed: Preauthentication failed

Cleared all Samba databases and re-joined the domain with adcli. I can
now access the server via SMB from Windows, and also with smbclient,
but only by using '-k'.

Using Username/Password I get:

session setup failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

In the Samba log:

Connecting to 10.20.30.40 at port 445
[2017/03/08 16:25:57.230010, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'EXAMPLE'
[2017/03/08 16:25:57.230740, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC1.EXAMPLE.COM for domain EXAMPLE.
[2017/03/08 16:25:57.230827, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC1.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2017/03/08 16:25:57.231268, 0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/03/08 16:25:57.231362, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [johnb] -> [johnb] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2017/03/08 16:25:57.231419, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2017/03/08 16:25:57.231670, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

John

-- 
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
