On (25/07/17 09:56), Marc-Henri Pamiseux wrote:
Hi sssd users,
Yesterday I contacted the Samba discussion list about a malfunction with
this software. I was asked to put my question to the sssd list, which I
do :)
You will find below the email sent to the Samba list:
**************************************************************************
I've updated a domain member smb server to samba 4.6.5.
I don't want to use winbind for this upgrade so I'm trying with sssd.
After a long informative reading on this subject, I've finally succeeded
in connecting using the hostname.
The domain member is properly joined to the AD-DC:
# net ads testjoin
Join is OK
Another test :
# adcli info -D local.mydomain
[domain]
domain-name = local.mydomain
domain-short = MYDOMAIN
domain-forest = local.mydomain
domain-controller = hera.local.mydomain
domain-controller-site = Laval
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = hera.local.mydomain
[computer]
computer-site = Laval
From the domain member server (RHEA), I can view the main shares using
my account but not when using the administrator account. By the way, I
believe I put some limitations on this account because nobody has to use
this one.
# smbclient -L //RHEA -U myident
Enter MYDOMAIN\myident's password:
    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
    projets         Disk      Gestion des projets
    public          Disk      Public Stuff
    myident         Disk      Repertoire Personnel
Domain=[MYDOMAIN] OS=[] Server=[]
    Server               Comment
    ---------            -------
    RHEA                 Samba 4.6.5-Debian
    Workgroup            Master
    ---------            -------
    MYDOMAIN             RHEA
From the AD-DC server (HERA), I can see the same thing using my account.
Still on the AD-DC, I've tried another method:
# smbclient -L //192.168.1.2 -U myident
Enter MYDOMAIN\myident's password:
Domain=[MYDOMAIN] OS=[] Server=[]
    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
    projets         Disk      Gestion des projets
    public          Disk      Public Stuff
    myident         Disk      Repertoire Personnel
Domain=[MYDOMAIN] OS=[] Server=[]
    Server               Comment
    ---------            -------
    RHEA                 Samba 4.6.5-Debian
    Workgroup            Master
    ---------            -------
    MYDOMAIN             RHEA
Well...
Everything seems to work.
Now I want to test access from a Windows client. I have opened the
session on the domain using my account. Now I open Windows Explorer and
I type //RHEA in the address bar. I can see the shares that I can use.
So, why do I post on this mailing list?
Because when I use the address //192.168.1.2, the operating system asks me
to identify myself. But I have already done this when I opened this
session. I am surprised because it is usually the opposite error that
occurs. Let's go to the log on the RHEA host (192.168.1.2):
[2017/07/25 02:46:15.286177, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user myident in domain MYDOMAIN to Domain controller HERA.LOCAL.MYDOMAIN. Error was NT_STATUS_WRONG_PASSWORD.
[2017/07/25 02:46:15.288928, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myident] -> [myident] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/25 02:46:15.296364, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
Ok, but this error occurred even before I specified an identifier.
I removed the Windows-based workstation from the domain and then I joined
it again. In this regard, I have noticed that a computer cannot join a
Windows Active Directory domain if the NetBIOS over TCP/IP option is
not enabled. Too bad!
RSAT is installed on this computer and I can still log in and maintain
Active Directory and the DNS zone from this computer. But now, I cannot see
the RHEA shares anymore. I've got the same error whether I use IP or hostname.
sssd seems to work fine because the command getent passwd gives me a result:
# getent passwd myident
myident:*:1072:513:Marc-Henri Pamiseux:/home/MYDOMAIN/myident:/bin/bash
Can someone help me to investigate?
I would recommend the following page for troubleshooting SSSD:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
And maybe you can jump directly to the authentication section:
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshoot...
LS