On Tue, May 15, 2018 at 05:36:00PM +0200, shacky wrote:
Hi.
I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in
an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on
another system using "realm discover" and sssd.
The Samba fileserver is correctly joined into the domain and I can
correctly browse AD users:
Did you use 'realm join' to join the domain?
realm can either use 'adcli' or 'net ads join' to join the AD domain. If
you want to run Samba you should make sure the latter is used. I do not
know what is the default for Debian/Ubuntu but you can tell 'realm join'
to use 'net ads join' with the option --membership-software=samba.
One of the main differences is that 'net ads join' will write the clear
text machine password into an internal database of Samba. Current
versions of adcli will not do this but my plan is to add this
functionality to adcli as well.
HTH
bye,
Sumit
root@fileserv:/# getent passwd john.doe
john.doe:*:1616401116:1616400513:John Doe:/home/domain.com/users/john.doe:/bin/bash
The keytab file is correctly created:
root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab
The problem is that I cannot browse my Samba server from a Windows 10
client joined in the same Active Directory domain with a valid user.
When I try to access to \\fileserv from the Windows client I get these
errors on the Samba server:
========== 8< ==========
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2]
../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]:
../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.617631, 2]
../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]:
../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613, 0]
../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_account: PAM: UNKNOWN PAM
ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652658, 2]
../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_error_handler: PAM: Account
Check Failed : System error
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690, 0]
../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_accountcheck: PAM: Account
Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.653190, 1]
../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13001]: PAM account restrictions prevent
user [john.doe] login
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.668010, 2]
../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]:
../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.674384, 2]
../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]:
../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.696605, 0]
../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_account: PAM: UNKNOWN PAM
ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.697795, 2]
../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_error_handler: PAM: Account
Check Failed : System error
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.698882, 0]
../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_accountcheck: PAM: Account
Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591, 1]
../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13002]: PAM account restrictions prevent
user [john.doe] login
========== 8< ==========
This is my Samba server configuration:
========== 8< ==========
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< ==========
Could you help me please?
Thank you very much!
Bye
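
A triage sketch for the smbd log format quoted in this thread, added here as an example and not part of either poster's message or of Samba/SSSD. It pairs each Samba debug header with the message line that follows it and flags, per smbd PID, the "failed to fetch machine password" record and the PAM account rejection; the sample lines are constructed from the log above and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: un-wrapped copies of records quoted in the thread.
# Each Samba debug record is a header line followed by a message line.
SAMPLE_LOG = """\
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13002]: PAM account restrictions prevent user [john.doe] login
"""

# Syslog prefix: "Mon DD HH:MM:SS host smbd[pid]: body"
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[(\d+)\]: (.*)$")
# Samba debug header: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[\S+ [\d:.]+,\s*(\d+)\] \S+\((\w+)\)$")
REJECT = re.compile(r"Rejecting User (\S+?)!|prevent user \[([^\]]+)\] login")

def parse_records(text):
    """Attach message lines to the preceding debug header of the same PID."""
    records, current = [], {}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, body = int(m.group(1)), m.group(2).strip()
        h = HEADER.match(body)
        if h:
            current[pid] = {"pid": pid, "level": int(h.group(1)), "func": h.group(2), "msg": ""}
            records.append(current[pid])
        elif pid in current:
            current[pid]["msg"] = (current[pid]["msg"] + " " + body).strip()
    return records

def triage(records):
    """Return {pid: [findings]} for the two symptoms seen in the thread."""
    findings = defaultdict(set)
    for r in records:
        if r["func"] == "fill_mem_keytab_from_secrets" and "failed to fetch machine password" in r["msg"]:
            findings[r["pid"]].add("machine password not found in Samba's secrets database")
        m = REJECT.search(r["msg"])
        if m:
            findings[r["pid"]].add("PAM account check rejected " + (m.group(1) or m.group(2)))
    return {pid: sorted(items) for pid, items in findings.items()}

if __name__ == "__main__":
    for pid, items in triage(parse_records(SAMPLE_LOG)).items():
        print(pid, "; ".join(items))
```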