Sumit,

Thank you! Thank you for taking the time to not only provide the answer, but for explaining why. I am now able to mount my Samba share using my AD credentials. One last question if I may... In /var/log/samba/log.10.84.2.148 (my test client's IP), I see "WARNING: Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?" Is that error expected, or is there something else I need to do?

Again, thank you for all your assistance!

Brian

________________________________
From: Sumit Bose <[email protected]>
Sent: Tuesday, March 5, 2019 2:41:16 AM
To: [email protected]
Subject: [SSSD-users] Re: FAILED with error NT_STATUS_LOGON_FAILURE

On Mon, Mar 04, 2019 at 06:25:40PM +0000, Paquin, Brian wrote:
>
> I'm trying to resolve a "FAILED with error NT_STATUS_LOGON_FAILURE" error
> when trying to login to a Samba share on a CentOS test VM. I emailed the
> samba mailing list and it was recommended that I contact this list instead...
>
> Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):
> [2019/03/01 15:53:46.544858, 3] ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
>   Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
> [2019/03/01 15:53:46.544907, 3] ../source3/param/loadparm.c:3868(lp_load_ex)
>   lp_load_ex: refreshing parameters
> [2019/03/01 15:53:46.544956, 3] ../source3/param/loadparm.c:547(init_globals)
>   Initialising global parameters
> [2019/03/01 15:53:46.545088, 3] ../source3/param/loadparm.c:2782(lp_do_section)
>   Processing section "[global]"
>   doing parameter workgroup = YALE
>   doing parameter realm = YU.YALE.EDU
>   doing parameter security = ads
>   doing parameter idmap config * : range = 1677216-33554431
>   doing parameter idmap config YALE:schema_mode = rfc2307
>   doing parameter idmap config YALE:range = 100000-199999
>   doing parameter idmap config YALE:backend = rid
>   doing parameter idmap * : backend = tbd
>   doing parameter dedicated keytab file = /etc/krb5.keytab
>   doing parameter log file = /var/log/samba/log.%m
>   doing parameter log level = 4
>   doing parameter guest account = nobody
>   doing parameter guest ok = no
>   doing parameter template shell = /sbin/nologin
>   doing parameter kerberos method = system keytab
>   doing parameter store dos attributes = yes
>   doing parameter vfs objects = acl_xattr
> [2019/03/01 15:53:46.545450, 2] ../source3/param/loadparm.c:2799(lp_do_section)
>   Processing section "[testshare]"
>   doing parameter comment = testshare
>   doing parameter path = /testshare
>   doing parameter valid users = @pathology_its
>   doing parameter writable = yes
>   doing parameter read only = No
> [2019/03/01 15:53:46.545573, 4] ../source3/param/loadparm.c:3910(lp_load_ex)
>   pm_process() returned Yes
> [2019/03/01 15:53:46.545604, 3] ../source3/param/loadparm.c:1617(lp_add_ipc)
>   adding IPC service
> [2019/03/01 15:53:46.545669, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [YALE]\[btp4]@[PAQUIN3200] with the new password interface
> [2019/03/01 15:53:46.545691, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [YALE]\[btp4]@[PAQUIN3200]
> [2019/03/01 15:53:46.545715, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2019/03/01 15:53:46.545735, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545753, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2019/03/01 15:53:46.545807, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545828, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [btp4] -> [btp4] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
> [2019/03/01 15:53:46.545864, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
>   Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
> [2019/03/01 15:53:46.545899, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.545937, 3] ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
>   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_LOGON_FAILURE
> [2019/03/01 15:53:46.545965, 4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.545985, 4] ../source3/smbd/uid.c:491(push_conn_ctx)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.546002, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2019/03/01 15:53:46.546039, 4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2019/03/01 15:53:46.546067, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
>   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
>
> My workflow for setting up SSSD and Samba:
> 1) yum install -y sssd realmd adcli samba-common samba-common-tools krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd policycoreutils-python samba-client samba nano
> 2) realm join ... #shortened command; binding to specific OU; works as expected
> 3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
> 4) nano /etc/samba/smb.conf
> 5) testparm
> 6) mkdir /testshare
> 7) id [email protected] #works as expected
> 8) chown -R root:[email protected] /testshare/
> 9) chcon -Rt samba_share_t /testshare/
> 10) kinit btp4
> 11) net ads join -k
> 12) kinit -k CENTOSSSSD$ #name of test server
> 13) /usr/bin/ldapsearch -H ... #shortened command; works as expected
> 14) systemctl enable smb
> 15) systemctl enable nmb
> 16) systemctl start smb
> 17) systemctl start nmb

Which version of Samba are you using? Recent versions of smbd require that winbindd is installed and running as well, because some legacy code was removed from smbd and all communication with the AD DCs is not handled by winbindd. Please note that this is only about starting winbindd as well; there is no need to configure the system to use winbindd for authentication or user lookup.

To make sure that winbindd and SSSD have the same idea about ID-mapping, idmap options similar to:

    idmap config <AD-DOMAIN-SHORTNAME> : backend = sss
    idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

should be added to smb.conf and the sssd-winbind-idmap package should be installed. With this winbindd will ask SSSD for all ID-mappings for the AD-DOMAIN-SHORTNAME domain object and use idmap_tdb for BUILTINs and other objects.

If, by chance, you have the sssd-libwbclient package installed you have to remove it, but since it is not listed above I assume it is not installed.

HTH

bye,
Sumit

> 18) firewall-cmd --add-service=samba --permanent
> 19) firewall-cmd --reload
>
> I can provide contents of krb5.conf or sssd.conf if needed.
>
> Sorry for the lengthy email.
>
> Thank you,
>
> Brian
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
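The idmap layout Sumit describes, turned into a sanity check as an added example (it is not from the thread, and it is not Samba's or SSSD's own tooling): it parses the idmap lines of an smb.conf, verifies that the AD domain uses the sss backend and the default (*) domain uses tdb, and checks that the two ranges do not overlap, since BUILTIN gids such as the ones in the follow-up warning are allocated by idmap_tdb from the default range. The two smb.conf fragments, the domain name YALE and the ranges are constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, nor Samba/SSSD tooling): check the idmap
# section of an smb.conf against the layout Sumit recommends. Constructed
# fragments modelled on the thread's settings are embedded so it runs offline.
SMB_CONF_OK='[global]
   idmap config YALE : backend = sss
   idmap config YALE : range = 200000-2147483647
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
'
# Constructed sample reproducing the original settings seen in the log
# ("rid" backend for the domain, "idmap * : backend = tbd" misspelled).
SMB_CONF_BAD='[global]
   idmap config YALE:backend = rid
   idmap config YALE:range = 100000-199999
   idmap * : backend = tbd
   idmap config * : range = 1677216-33554431
'
# idmap_value CONF DOMAIN KEY: print the value of "idmap config DOMAIN : KEY".
idmap_value() {
    printf '%s\n' "$1" | awk -v dom="$2" -v key="$3" '
        /^[[:space:]]*idmap config/ {
            line = $0
            sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
            split(line, kv, "=")
            gsub(/[[:space:]]/, "", kv[1]); gsub(/[[:space:]]/, "", kv[2])
            split(kv[1], dk, ":")
            if (dk[1] == dom && dk[2] == key) print kv[2]
        }'
}
# check_idmap CONF DOMAIN: print findings; returns 0 when the layout is sane.
check_idmap() {
    rc=0
    dom_backend=$(idmap_value "$1" "$2" backend)
    def_backend=$(idmap_value "$1" '*' backend)
    dom_range=$(idmap_value "$1" "$2" range)
    def_range=$(idmap_value "$1" '*' range)
    [ "$dom_backend" = sss ] || { echo "FAIL: $2 backend is '${dom_backend:-unset}', expected sss"; rc=1; }
    [ "$def_backend" = tdb ] || { echo "FAIL: default backend is '${def_backend:-unset}', expected tdb"; rc=1; }
    if [ -z "$dom_range" ] || [ -z "$def_range" ]; then
        echo "FAIL: both the $2 range and the default (*) range must be set"; rc=1
    # BUILTIN gids come from the default range, so it must not overlap the domain range.
    elif [ "${def_range#*-}" -ge "${dom_range%-*}" ] && [ "${dom_range#*-}" -ge "${def_range%-*}" ]; then
        echo "FAIL: ranges $def_range and $dom_range overlap"; rc=1
    fi
    return $rc
}
check_idmap "$SMB_CONF_OK" YALE && echo "recommended layout: OK"
check_idmap "$SMB_CONF_BAD" YALE || echo "original layout: problems found"
```

Against a live host, `check_idmap "$(cat /etc/samba/smb.conf)" YALE` performs the same checks on the real file; it only reads the configuration and does not replace `testparm`.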
