Hi. I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on another system using "realm discover" and sssd.
The Samba fileserver is correctly joined into the domain and I can correctly browse AD users:

root@fileserv:/# getent passwd john.doe
john.doe:*:1616401116:1616400513:John Doe:/home/domain.com/users/john.doe:/bin/bash

The keytab file is correctly created:

root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab

The problem is that I cannot browse my Samba server from a Windows 10 client joined in the same Active Directory domain with a valid user. When I try to access \\fileserv from the Windows client I get these errors on the Samba server:

========== 8< ==========
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.617631, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652658, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.653190, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13001]: PAM account restrictions prevent user [john.doe] login
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.668010, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.674384, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.696605, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.697795, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.698882, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13002]: PAM account restrictions prevent user [john.doe] login
========== 8< ==========

This is my Samba server configuration:

========== 8< ==========
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< ==========

Could you help me please?

Thank you very much!
Bye