On Tue, Mar 05, 2019 at 04:21:45PM +0000, Paquin, Brian wrote:
> Sumit,
> 
> 
> Thank you! Thank you for taking the time to not only provide the answer, but 
> for explaining why.
> 
> 
> I am now able to mount my Samba share using my AD credentials.
> 
> 
> One last question if I may...
> 
> 
> In /var/log/samba/log.10.84.2.148 (my test client's IP), I see "WARNING: 
> Failed to create BUILTIN\Administrators group! Can Winbind allocate gids?" Is 
> that error expected, or is there something else I need to do?

If you have 

           idmap config * : backend        = tdb
           idmap config * : range          = 100000-199999

in the [global] section of smb.conf I would expect that the gid is
picked automatically by winbindd. As an alternative you can try to call

    net groupmap add sid=S-1-5-32-544 unixgroup=some_existing_unix_group type=builtin

(S-1-5-32-544 is the SID for BUILTIN\Administrators).

If this does not work I need more log context, best would be all logs
from /var/log/samba.

bye,
Sumit
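
Sumit's idmap advice, together with the misspelled `idmap * : backend = tbd` line visible in the quoted log, comes down to a few checkable properties of the [global] section. The following is an added example, not code from the thread or from the Samba/SSSD projects: it parses `idmap config` lines from constructed smb.conf text and reports a missing or unknown default backend (which is what leaves winbindd unable to allocate a gid for BUILTIN groups), a key written without `config`, and overlapping ranges.

```python
import re
# Constructed smb.conf fragments (added example, not the thread author's files): BROKEN_CONF
# mirrors the idmap values in the quoted log, FIXED_CONF the lines Sumit recommends.
BROKEN_CONF = """[global]
   idmap config * : range = 1677216-33554431
   idmap config YALE:range = 100000-199999
   idmap config YALE:backend = rid
   idmap * : backend = tbd
"""
FIXED_CONF = """[global]
   idmap config YALE : backend = sss
   idmap config YALE : range = 200000-2147483647
   idmap config * : backend = tdb
   idmap config * : range = 100000-199999
"""
KNOWN_BACKENDS = {"ad", "autorid", "ldap", "nss", "rid", "sss", "tdb"}  # common idmap modules (subset)
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
BAD_KEY_RE = re.compile(r"^\s*idmap\s+[^\s:]+\s*:\s*\w+\s*=", re.I)  # "idmap X : opt", no "config"

def parse_idmap(conf):
    """Collect [global] 'idmap config' options as {DOMAIN: {option: value}}; flag malformed keys."""
    cfg, issues, section = {}, [], None
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "global":
            m = IDMAP_RE.match(line)
            if m:
                cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
            elif BAD_KEY_RE.match(line):
                issues.append(f"not an 'idmap config' option (missing 'config'): {s}")
    return cfg, issues

def check_idmap(conf):
    """Return a list of problems; an empty list means the idmap layout looks sane."""
    cfg, issues = parse_idmap(conf)
    ranges = {}
    for dom, opts in cfg.items():
        backend = opts.get("backend", "").lower()
        if backend not in KNOWN_BACKENDS:
            issues.append(f"{dom}: missing or unknown backend '{backend}'")
        if "range" in opts:  # "low-high", both inclusive
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges[dom] = (lo, hi)
    if cfg.get("*", {}).get("backend", "").lower() not in KNOWN_BACKENDS:
        issues.append("no usable 'idmap config * : backend': winbindd cannot allocate gids for BUILTIN groups")
    doms = sorted(ranges)  # every pair of domain ranges must be disjoint
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                issues.append(f"ranges for {a} and {b} overlap")
    return issues
```

Running `check_idmap(BROKEN_CONF)` reports the malformed `tbd` line and the missing default backend; `check_idmap(FIXED_CONF)` returns an empty list.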

> 
> 
> Again, thank you for all your assistance!
> 
> 
> Brian
> 
> ________________________________
> From: Sumit Bose <[email protected]>
> Sent: Tuesday, March 5, 2019 2:41:16 AM
> To: [email protected]
> Subject: [SSSD-users] Re: FAILED with error NT_STATUS_LOGON_FAILURE
> 
> On Mon, Mar 04, 2019 at 06:25:40PM +0000, Paquin, Brian wrote:
> >
> > I'm trying to resolve a "FAILED with error NT_STATUS_LOGON_FAILURE" error 
> > when trying to login to a Samba share on a CentOS test VM. I emailed the 
> > samba mailing list and it was recommended that I contact this list 
> > instead...
> >
> > Partial output of /var/log/samba/log.10.84.2.148 (the Mac client):
> > [2019/03/01 15:53:46.544858,  3] 
> > ../auth/ntlmssp/ntlmssp_server.c:552(ntlmssp_server_preauth)
> >   Got user=[btp4] domain=[YALE] workstation=[PAQUIN3200] len1=24 len2=224
> > [2019/03/01 15:53:46.544907,  3] 
> > ../source3/param/loadparm.c:3868(lp_load_ex)
> >   lp_load_ex: refreshing parameters
> > [2019/03/01 15:53:46.544956,  3] 
> > ../source3/param/loadparm.c:547(init_globals)
> >   Initialising global parameters
> > [2019/03/01 15:53:46.545088,  3] 
> > ../source3/param/loadparm.c:2782(lp_do_section)
> >   Processing section "[global]"
> >   doing parameter workgroup = YALE
> >   doing parameter realm = YU.YALE.EDU
> >   doing parameter security = ads
> >   doing parameter idmap config * : range = 1677216-33554431
> >   doing parameter idmap config YALE:schema_mode = rfc2307
> >   doing parameter idmap config YALE:range = 100000-199999
> >   doing parameter idmap config YALE:backend = rid
> >   doing parameter idmap * : backend = tbd
> >   doing parameter dedicated keytab file = /etc/krb5.keytab
> >   doing parameter log file = /var/log/samba/log.%m
> >   doing parameter log level = 4
> >   doing parameter guest account = nobody
> >   doing parameter guest ok = no
> >   doing parameter template shell = /sbin/nologin
> >   doing parameter kerberos method = system keytab
> >   doing parameter store dos attributes = yes
> >   doing parameter vfs objects = acl_xattr
> > [2019/03/01 15:53:46.545450,  2] 
> > ../source3/param/loadparm.c:2799(lp_do_section)
> >   Processing section "[testshare]"
> >   doing parameter comment = testshare
> >   doing parameter path = /testshare
> >   doing parameter valid users = @pathology_its
> >   doing parameter writable = yes
> >   doing parameter read only = No
> > [2019/03/01 15:53:46.545573,  4] 
> > ../source3/param/loadparm.c:3910(lp_load_ex)
> >   pm_process() returned Yes
> > [2019/03/01 15:53:46.545604,  3] 
> > ../source3/param/loadparm.c:1617(lp_add_ipc)
> >   adding IPC service
> > [2019/03/01 15:53:46.545669,  3] 
> > ../source3/auth/auth.c:189(auth_check_ntlm_password)
> >   check_ntlm_password:  Checking password for unmapped user 
> > [YALE]\[btp4]@[PAQUIN3200] with the new password interface
> > [2019/03/01 15:53:46.545691,  3] 
> > ../source3/auth/auth.c:192(auth_check_ntlm_password)
> >   check_ntlm_password:  mapped user is: [YALE]\[btp4]@[PAQUIN3200]
> > [2019/03/01 15:53:46.545715,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> > [2019/03/01 15:53:46.545735,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545753,  4] 
> > ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> > [2019/03/01 15:53:46.545807,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545828,  2] 
> > ../source3/auth/auth.c:332(auth_check_ntlm_password)
> >   check_ntlm_password:  Authentication for user [btp4] -> [btp4] FAILED 
> > with error NT_STATUS_LOGON_FAILURE, authoritative=1
> > [2019/03/01 15:53:46.545864,  2] 
> > ../auth/auth_log.c:760(log_authentication_event_human_readable)
> >   Auth: [SMB2,(null)] user [YALE]\[btp4] at [Fri, 01 Mar 2019 
> > 15:53:46.545851 EST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] 
> > workstation [PAQUIN3200] remote host [ipv4:10.84.2.148:58286] mapped to 
> > [YALE]\[btp4]. local host [ipv4:10.84.2.79:445]
> > [2019/03/01 15:53:46.545899,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.545937,  3] 
> > ../auth/gensec/spnego.c:1414(gensec_spnego_server_negTokenTarg_step)
> >   gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: 
> > NT_STATUS_LOGON_FAILURE
> > [2019/03/01 15:53:46.545965,  4] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> >   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.545985,  4] ../source3/smbd/uid.c:491(push_conn_ctx)
> >   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.546002,  4] 
> > ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
> >   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2019/03/01 15:53:46.546039,  4] ../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
> >   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2019/03/01 15:53:46.546067,  3] 
> > ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
> >   smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] 
> > status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
> >
> > My workflow for setting up SSSD and Samba:
> > 1) yum install -y sssd realmd adcli samba-common samba-common-tools 
> > krb5-workstation openldap-clients ntpdate ntp nss-pam-ldapd 
> > policycoreutils-python samba-client samba nano
> > 2) realm join ...  #shortened command; binding to specific OU; works as 
> > expected
> > 3) authconfig --enablesssdauth --enablesssd --enablemkhomedir --update
> > 4) nano /etc/samba/smb.conf
> > 5) testparm
> > 6) mkdir /testshare
> > 7) id [email protected]  #works as expected
> > 8) chown -R root:[email protected] /testshare/
> > 9) chcon -Rt samba_share_t /testshare/
> > 10) kinit btp4
> > 11) net ads join -k
> > 12) kinit -k CENTOSSSSD$  #name of test server
> > 13) /usr/bin/ldapsearch -H ...  #shortened command; works as expected
> > 14) systemctl enable smb
> > 15) systemctl enable nmb
> > 16) systemctl start smb
> > 17) systemctl start nmb
> 
> Which version of Samba are you using? Recent versions of smbd require
> that winbindd is installed and running as well because some legacy code
> was removed from smbd and all communication with the AD DCs is now
> handled by winbindd. Please note that this is only about starting
> winbindd as well, there is no need to configure the system to use
> winbindd for authentication or user lookup.
> 
> To make sure that winbindd and SSSD have the same idea about ID-mapping,
> idmap options similar to:
> 
>            idmap config <AD-DOMAIN-SHORTNAME> : backend        = sss
>            idmap config <AD-DOMAIN-SHORTNAME> : range          = 200000-2147483647
> 
>            idmap config * : backend        = tdb
>            idmap config * : range          = 100000-199999
> 
> should be added to smb.conf and the sssd-winbind-idmap package should be
> installed. With this winbindd will ask SSSD for all ID-mappings for the
> AD-DOMAIN-SHORTNAME domain object and use idmap_tdb for BUILTINs and
> other objects. If, by chance, you have the sssd-libwbclient package
> installed you have to remove it, but since it is not listed above I
> assume it is not installed.
> 
> HTH
> 
> bye,
> Sumit
> 
> > 18) firewall-cmd --add-service=samba --permanent
> > 19) firewall-cmd --reload
> >
> > I can provide contents of krb5.conf or sssd.conf if needed.
> >
> > Sorry for the lengthy email.
> >
> > Thank you,
> >
> > Brian
> 
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

