On Tue, May 15, 2018 at 05:36:00PM +0200, shacky wrote:
> Hi.
> 
> I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in
> an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on
> another system using "realm discover" and sssd.
> 
> The Samba fileserver is correctly joined into the domain and I can
> correctly browse AD users:

Did you use 'realm join' to join the domain?

realm can either use 'adcli' or 'net ads join' to join the AD domain. If
you want to run Samba you should make sure the latter is used. I do not
know what is the default for Debian/Ubuntu but you can tell 'realm join'
to use 'net ads join' with the option --membership-software=samba.

One of the main differences is that 'net ads join' will write the clear
text machine password into an internal database of Samba. Current
versions of adcli will not do this but my plan is to add this
functionality to adcli as well.

HTH

bye,
Sumit

> 
> root@fileserv:/# getent passwd john.doe
> john.doe:*:1616401116:1616400513:John Doe:/home/domain.
> com/users/john.doe:/bin/bash
> 
> The keytab file is correctly created:
> 
> root@fileserv:/# ls -l /etc/krb5.*
> -rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
> -rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab
> 
> The problem is that I cannot browse my Samba server from a Windows 10
> client joined in the same Active Directory domain with a valid user.
> When I try to access to \\fileserv from the Windows client I get these
> errors on the Samba server:
> 
> ========== 8< ==========
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956,  2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> May 15 17:23:41 fileserv smbd[13001]:
>  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.617631,  2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> May 15 17:23:41 fileserv smbd[13001]:
>  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613,  0]
> ../source3/auth/pampass.c:589(smb_pam_account)
> May 15 17:23:41 fileserv smbd[13001]:   smb_pam_account: PAM: UNKNOWN PAM
> ERROR (4) during Account Management for User: john.doe
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652658,  2]
> ../source3/auth/pampass.c:89(smb_pam_error_handler)
> May 15 17:23:41 fileserv smbd[13001]:   smb_pam_error_handler: PAM: Account
> Check Failed : System error
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690,  0]
> ../source3/auth/pampass.c:797(smb_pam_accountcheck)
> May 15 17:23:41 fileserv smbd[13001]:   smb_pam_accountcheck: PAM: Account
> Validation Failed - Rejecting User john.doe!
> May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.653190,  1]
> ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
> May 15 17:23:41 fileserv smbd[13001]:   PAM account restrictions prevent
> user [john.doe] login
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.668010,  2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> May 15 17:23:41 fileserv smbd[13002]:
>  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.674384,  2]
> ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
> May 15 17:23:41 fileserv smbd[13002]:
>  ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.696605,  0]
> ../source3/auth/pampass.c:589(smb_pam_account)
> May 15 17:23:41 fileserv smbd[13002]:   smb_pam_account: PAM: UNKNOWN PAM
> ERROR (4) during Account Management for User: john.doe
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.697795,  2]
> ../source3/auth/pampass.c:89(smb_pam_error_handler)
> May 15 17:23:41 fileserv smbd[13002]:   smb_pam_error_handler: PAM: Account
> Check Failed : System error
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.698882,  0]
> ../source3/auth/pampass.c:797(smb_pam_accountcheck)
> May 15 17:23:41 fileserv smbd[13002]:   smb_pam_accountcheck: PAM: Account
> Validation Failed - Rejecting User john.doe!
> May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591,  1]
> ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
> May 15 17:23:41 fileserv smbd[13002]:   PAM account restrictions prevent
> user [john.doe] login
> ========== 8< ==========
> 
> This is my Samba server configuration:
> 
> ========== 8< ==========
> #======================= Global Settings =======================
> [global]
> workgroup = DOMAIN
> server string = File Server
> dns proxy = no
> log level = 3
> syslog = 3
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog only = yes
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = no
> unix password sync = no
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY
> guest account = nobody
> load printers = no
> disable spoolss = yes
> printing = bsd
> printcap name = /dev/null
> unix extensions = yes
> wide links = no
> create mask = 0777
> directory mask = 0777
> use sendfile = yes
> aio read size = 16384
> aio write size = 16384
> local master = yes
> time server = no
> wins support = no
> password server = *
> realm = DOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> security = ads
> allow trusted domains = yes
> template shell = /bin/bash
> template homedir = /home/domain.com/users/%U
> # Performance improvements
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> client ntlmv2 auth = yes
> ========== 8< ==========
> 
> Could you help me please?
> 
> Thank you very much!
> Bye
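
Added example, not from either poster: a small POSIX sh script that scans an smbd log for the two symptoms quoted above (smbd failing to read the machine password from Samba's secrets database, and the PAM account rejection) and prints the re-join step Sumit describes. The sample log lines are constructed (the quoted ones, unwrapped) and the script name is hypothetical.

```shell
#!/bin/sh
# Usage: sh check_join.sh /var/log/syslog   (hypothetical name; with no
# argument it runs against the constructed sample below)

# Writes a constructed sample in the shape of the quoted syslog lines
# (unwrapped) and prints the file name; used for the stand-alone run.
write_sample_log() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
EOF
    echo "$f"
}

# Number of distinct smbd processes that found no machine password in
# Samba's internal secrets database (secrets.tdb).
count_secrets_failures() {
    grep 'failed to fetch machine password' "$1" 2>/dev/null \
        | sed -n 's/.*smbd\[\([0-9]*\)\].*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Distinct users rejected by smbd's PAM account check, space separated.
rejected_users() {
    sed -n 's/.*PAM: Account Validation Failed - Rejecting User \([^!]*\)!.*/\1/p' "$1" \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Prints one of: rejoin-needed | pam-only | clean
classify_smbd_log() {
    n=$(count_secrets_failures "$1")
    u=$(rejected_users "$1")
    if [ "$n" -gt 0 ]; then echo rejoin-needed
    elif [ -n "$u" ]; then echo pam-only
    else echo clean; fi
}

report() {
    case "$(classify_smbd_log "$1")" in
    rejoin-needed)
        echo "$(count_secrets_failures "$1") smbd process(es) found no machine password in secrets.tdb;"
        echo "the host was probably joined with adcli. Re-join so that 'net ads join' stores it:"
        echo "  realm join --membership-software=samba domain.com" ;;
    pam-only) echo "PAM account checks rejected: $(rejected_users "$1")" ;;
    clean)    echo "no join or PAM symptoms found" ;;
    esac
}

report "${1:-$(write_sample_log)}"
```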

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org