If I try to become an AD user on the console, I get a "system error" message:

root@fileserv:~# su john.doe
su: System error
(Ignored)
Creating directory '/home/domain.com/users/john.doe'.



2018-05-16 15:35 GMT+02:00 shacky <shacky83@gmail.com>:
I configured the server from scratch and joined the domain with "--membership-software=samba".

But the problem is not solved. Now if I try to access shares with a Windows 10 client I get these errors on syslog:

May 16 15:33:16 fileserv nmbd[2245]: [2018/05/16 15:33:16.904335,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:16 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276297,  0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:18 fileserv smbd[2324]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276337,  2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:18 fileserv smbd[2324]:   smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276365,  0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:18 fileserv smbd[2324]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276882,  1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:18 fileserv smbd[2324]:   PAM account restrictions prevent user [john.doe] login
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.475507,  0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:18 fileserv smbd[2325]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.476968,  2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:18 fileserv smbd[2325]:   smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.478308,  0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:18 fileserv smbd[2325]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.479999,  1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:18 fileserv smbd[2325]:   PAM account restrictions prevent user [john.doe] login
May 16 15:33:18 fileserv nmbd[2245]: [2018/05/16 15:33:18.918867,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:18 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:21 fileserv nmbd[2245]: [2018/05/16 15:33:21.921971,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:21 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:23 fileserv nmbd[2245]: [2018/05/16 15:33:23.923595,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:23 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.109960,  0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:24 fileserv smbd[2328]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110013,  2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:24 fileserv smbd[2328]:   smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110045,  0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:24 fileserv smbd[2328]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110624,  1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:24 fileserv smbd[2328]:   PAM account restrictions prevent user [john.doe] login
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521817,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:25 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521944,  2] ../source3/nmbd/nmbd_elections.c:201(run_elections)
May 16 15:33:25 fileserv nmbd[2245]:   run_elections: >>> Won election for workgroup MAV on subnet 192.168.2.60 <<<
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521995,  2] ../source3/nmbd/nmbd_become_lmb.c:538(become_local_master_browser)
May 16 15:33:25 fileserv nmbd[2245]:   become_local_master_browser: Starting to become a master browser for workgroup MAV on subnet 192.168.2.60
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.648206,  0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:27 fileserv smbd[2330]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.649913,  2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:27 fileserv smbd[2330]:   smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.651264,  0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:27 fileserv smbd[2330]:   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.653103,  1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:27 fileserv smbd[2330]:   PAM account restrictions prevent user [john.doe] login
May 16 15:33:33 fileserv nmbd[2245]: [2018/05/16 15:33:33.551576,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
May 16 15:33:33 fileserv nmbd[2245]:   *****
May 16 15:33:33 fileserv nmbd[2245]: 
May 16 15:33:33 fileserv nmbd[2245]:   Samba name server FILESERV is now a local master browser for workgroup MAV on subnet 192.168.2.60
May 16 15:33:33 fileserv nmbd[2245]: 
May 16 15:33:33 fileserv nmbd[2245]:   *****
May 16 15:33:34 fileserv nmbd[2245]: [2018/05/16 15:33:34.301419,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:34 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:36 fileserv nmbd[2245]: [2018/05/16 15:33:36.626202,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:36 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:39 fileserv nmbd[2245]: [2018/05/16 15:33:39.379370,  2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:39 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60

Can you help me please?
Thanks!

2018-05-16 9:14 GMT+02:00 Sumit Bose <sbose@redhat.com>:
On Tue, May 15, 2018 at 09:02:38PM +0200, shacky wrote:
> Hi Sumit, thanks for your answer!
>
>
> 2018-05-15 17:53 GMT+02:00 Sumit Bose <sbose@redhat.com>:
>
> > Did you use 'realm join' to join the domain?
> >
>
> Yes, I am using Openmediavault and I followed this guide:
> https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/
>
> This guide says to execute the following commands to join the domain:
>
> realm discover -v domain.com
> realm -v join domain.com -U administrator --membership-software=adcli
>
>
> > realm can either use 'adcli' or 'net ads join' to join the AD domain. If
> > you want to run Samba you should make sure the latter is used. I do not
> > know what is the default for Debian/Ubuntu but you can tell 'realm join'
> > to use 'net ads join' with the option --membership-software=samba.
> >
>
> Would I just need to re-execute "realm join" even if I already executed it
> with adcli instead of samba?

Yes, this should work.

bye,
Sumit

>
>
> > One of the main differences is that 'net ads join' will write the clear
> > text machine password into an internal database of Samba. Current
> > versions of adcli will not do this but my plan is to add this
> > functionality to adcli as well.
>
>
> Thanks! I will try and let you know.
>
> Bye!

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
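Added example (not part of the original thread, and not Samba or SSSD code): a small Python triage of the syslog excerpt above that drops the nmbd election noise and summarises smbd's PAM account-check rejections per user. The number in "UNKNOWN PAM ERROR (4)" is the raw PAM return code; the mapping below uses the Linux-PAM values, where 4 is PAM_SYSTEM_ERR, matching the "System error" text in the same log. The function name and regular expressions are this example's own.

```python
import re
from collections import defaultdict

# Linux-PAM return codes that can come back from the account phase.
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED", 9: "PAM_AUTHINFO_UNAVAIL",
             10: "PAM_USER_UNKNOWN", 13: "PAM_ACCT_EXPIRED"}

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) (\w+)\[(\d+)\]:\s+(.*)$")
PAM_ERR = re.compile(r"smb_pam_account: PAM: .*\((\d+)\) during Account Management for User: (\S+)")
REJECT = re.compile(r"PAM account restrictions prevent user \[([^\]]+)\] login")

# Sample input: lines copied from the log excerpt in this thread.
SAMPLE = """\
May 16 15:33:16 fileserv nmbd[2245]:   send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:18 fileserv smbd[2324]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2324]:   PAM account restrictions prevent user [john.doe] login
May 16 15:33:18 fileserv smbd[2325]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2325]:   PAM account restrictions prevent user [john.doe] login
""".splitlines()


def triage(lines):
    """Return {user: {"codes", "pids", "rejected"}} for smbd PAM account failures."""
    report = defaultdict(lambda: {"codes": set(), "pids": set(), "rejected": 0})
    for line in lines:
        m = SYSLOG.match(line)
        if not m or m.group(2) != "smbd":
            continue  # ignore nmbd browser elections and non-syslog lines
        pid, msg = int(m.group(3)), m.group(4)
        err = PAM_ERR.search(msg)
        if err:
            code = int(err.group(1))
            entry = report[err.group(2)]
            entry["codes"].add(PAM_CODES.get(code, f"PAM code {code}"))
            entry["pids"].add(pid)  # one smbd child per client connection
        rej = REJECT.search(msg)
        if rej:
            report[rej.group(1)]["rejected"] += 1
    return dict(report)


if __name__ == "__main__":
    for user, info in triage(SAMPLE).items():
        print(user, sorted(info["codes"]), sorted(info["pids"]), info["rejected"])
```

Run against the full /var/log/syslog, the per-user summary shows whether the rejections are limited to one account or hit every domain user, which separates an account-specific restriction from a host-wide PAM or SSSD problem.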