Hi.
I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on another system using "realm discover" and sssd.
The Samba fileserver is correctly joined into the domain and I can correctly browse AD users:
root@fileserv:/# getent passwd john.doe
john.doe:*:1616401116:1616400513:John Doe:/home/domain.com/users/john.doe:/bin/bash
The keytab file is correctly created:
root@fileserv:/# ls -l /etc/krb5.*
-rw-r--r-- 1 root root 2794 May 11 17:32 /etc/krb5.conf
-rw------- 1 root root 2208 May 11 16:18 /etc/krb5.keytab
The problem is that I cannot browse my Samba server from a Windows 10 client joined in the same Active Directory domain with a valid user. When I try to access \\fileserv from the Windows client I get these errors on the Samba server:
========== 8< ==========
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.617631, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652658, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652690, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.653190, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13001]: PAM account restrictions prevent user [john.doe] login
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.668010, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.674384, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13002]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.696605, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.697795, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.698882, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 15 17:23:41 fileserv smbd[13002]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 15 17:23:41 fileserv smbd[13002]: [2018/05/15 17:23:41.700591, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 15 17:23:41 fileserv smbd[13002]: PAM account restrictions prevent user [john.doe] login
========== 8< ==========
This is my Samba server configuration:
========== 8< ==========
#======================= Global Settings =======================
[global]
workgroup = DOMAIN
server string = File Server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
password server = *
realm = DOMAIN.COM http://domain.com/
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
security = ads
allow trusted domains = yes
template shell = /bin/bash
template homedir = /home/domain.com/users/%U
# Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
========== 8< ==========
Could you help me please?
Thank you very much! Bye
On Tue, May 15, 2018 at 05:36:00PM +0200, shacky wrote:
> Hi.
> I joined a fileserver system with Samba version 4.5.12-Debian (fileserv) in an Active Directory domain managed by a Samba 4.6.7-Ubuntu installed on another system using "realm discover" and sssd.
> The Samba fileserver is correctly joined into the domain and I can correctly browse AD users:
Did you use 'realm join' to join the domain?
realm can either use 'adcli' or 'net ads join' to join the AD domain. If you want to run Samba you should make sure the latter is used. I do not know what is the default for Debian/Ubuntu but you can tell 'realm join' to use 'net ads join' with the option --membership-software=samba.
One of the main differences is that 'net ads join' will write the clear text machine password into an internal database of Samba. Current versions of adcli will not do this but my plan is to add this functionality to adcli as well.
HTH
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Hi Sumit, thanks for your answer!
2018-05-15 17:53 GMT+02:00 Sumit Bose sbose@redhat.com:
> Did you use 'realm join' to join the domain?
Yes, I am using Openmediavault and I followed this guide: https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-Op...
This guide says to execute the following commands to join the domain:
realm discover -v domain.com
realm -v join domain.com -U administrator --membership-software=adcli
> realm can either use 'adcli' or 'net ads join' to join the AD domain. If you want to run Samba you should make sure the latter is used. I do not know what is the default for Debian/Ubuntu but you can tell 'realm join' to use 'net ads join' with the option --membership-software=samba.
Would I just need to re-execute "realm join" even if I already executed it with adcli instead of samba?
> One of the main differences is that 'net ads join' will write the clear text machine password into an internal database of Samba. Current versions of adcli will not do this but my plan is to add this functionality to adcli as well.
Thanks! I will try and let you know.
Bye!
On Tue, May 15, 2018 at 09:02:38PM +0200, shacky wrote:
> Would I just need to re-execute "realm join" even if I already executed it with adcli instead of samba?
Yes, this should work.
bye, Sumit
I configured the server from scratch and joined the domain with "--membership-software=samba".
But the problem is not solved. Now if I try to access shares with a Windows 10 client I get these errors on syslog:
May 16 15:33:16 fileserv nmbd[2245]: [2018/05/16 15:33:16.904335, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:16 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276297, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:18 fileserv smbd[2324]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276337, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:18 fileserv smbd[2324]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276365, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:18 fileserv smbd[2324]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:18 fileserv smbd[2324]: [2018/05/16 15:33:18.276882, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:18 fileserv smbd[2324]: PAM account restrictions prevent user [john.doe] login
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.475507, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:18 fileserv smbd[2325]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.476968, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:18 fileserv smbd[2325]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.478308, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:18 fileserv smbd[2325]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:18 fileserv smbd[2325]: [2018/05/16 15:33:18.479999, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:18 fileserv smbd[2325]: PAM account restrictions prevent user [john.doe] login
May 16 15:33:18 fileserv nmbd[2245]: [2018/05/16 15:33:18.918867, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:18 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:21 fileserv nmbd[2245]: [2018/05/16 15:33:21.921971, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:21 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:23 fileserv nmbd[2245]: [2018/05/16 15:33:23.923595, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:23 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.109960, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:24 fileserv smbd[2328]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110013, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:24 fileserv smbd[2328]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110045, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:24 fileserv smbd[2328]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:24 fileserv smbd[2328]: [2018/05/16 15:33:24.110624, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:24 fileserv smbd[2328]: PAM account restrictions prevent user [john.doe] login
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521817, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:25 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521944, 2] ../source3/nmbd/nmbd_elections.c:201(run_elections)
May 16 15:33:25 fileserv nmbd[2245]: run_elections: >>> Won election for workgroup MAV on subnet 192.168.2.60 <<<
May 16 15:33:25 fileserv nmbd[2245]: [2018/05/16 15:33:25.521995, 2] ../source3/nmbd/nmbd_become_lmb.c:538(become_local_master_browser)
May 16 15:33:25 fileserv nmbd[2245]: become_local_master_browser: Starting to become a master browser for workgroup MAV on subnet 192.168.2.60
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.648206, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 16 15:33:27 fileserv smbd[2330]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.649913, 2] ../source3/auth/pampass.c:89(smb_pam_error_handler)
May 16 15:33:27 fileserv smbd[2330]: smb_pam_error_handler: PAM: Account Check Failed : System error
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.651264, 0] ../source3/auth/pampass.c:797(smb_pam_accountcheck)
May 16 15:33:27 fileserv smbd[2330]: smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User john.doe!
May 16 15:33:27 fileserv smbd[2330]: [2018/05/16 15:33:27.653103, 1] ../source3/auth/user_krb5.c:142(get_user_from_kerberos_info)
May 16 15:33:27 fileserv smbd[2330]: PAM account restrictions prevent user [john.doe] login
May 16 15:33:33 fileserv nmbd[2245]: [2018/05/16 15:33:33.551576, 0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local_master_stage2)
May 16 15:33:33 fileserv nmbd[2245]: *****
May 16 15:33:33 fileserv nmbd[2245]:
May 16 15:33:33 fileserv nmbd[2245]: Samba name server FILESERV is now a local master browser for workgroup MAV on subnet 192.168.2.60
May 16 15:33:33 fileserv nmbd[2245]:
May 16 15:33:33 fileserv nmbd[2245]: *****
May 16 15:33:34 fileserv nmbd[2245]: [2018/05/16 15:33:34.301419, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:34 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:36 fileserv nmbd[2245]: [2018/05/16 15:33:36.626202, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:36 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:39 fileserv nmbd[2245]: [2018/05/16 15:33:39.379370, 2] ../source3/nmbd/nmbd_elections.c:41(send_election_dgram)
May 16 15:33:39 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
Can you help me please? Thanks!
If I try to become an AD user on the console, I get a "system error" message:
root@fileserv:~# su john.doe
su: System error
(Ignored)
Creating directory '/home/domain.com/users/john.doe'.
sssd-users@lists.fedorahosted.org
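A triage sketch for the two smbd log excerpts in this thread, added here as an example (it is not code from the thread, Samba or SSSD): it groups syslog lines by smbd child PID, names the distinct failures in each connection attempt, and compares the attempt before the re-join with the one after it. The sample lines are copied from the logs above; the finding labels and function names are this example's own.

```python
import re
from collections import OrderedDict

# Linux-PAM return codes; smbd logs the bare number as "UNKNOWN PAM ERROR (n)".
PAM_CODES = {4: "PAM_SYSTEM_ERR", 6: "PAM_PERM_DENIED",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN",
             13: "PAM_ACCT_EXPIRED"}

SYSLOG = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: ?(?P<msg>.*)$")
NO_SECRET = re.compile(r"failed to fetch machine password")
PAM_ACCT = re.compile(r"smb_pam_account: PAM: UNKNOWN PAM ERROR \((\d+)\) "
                      r"during Account Management for User: (\S+)")
REJECTED = re.compile(r"PAM account restrictions prevent user \[([^\]]+)\] login")

# Lines copied from the two log excerpts in the thread (abridged):
# PID 13001 is from the adcli join, PID 2324 from the re-join with
# --membership-software=samba. The nmbd line is unrelated noise.
SAMPLE_LOG = """\
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.610956, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
May 15 17:23:41 fileserv smbd[13001]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
May 15 17:23:41 fileserv smbd[13001]: [2018/05/15 17:23:41.652613, 0] ../source3/auth/pampass.c:589(smb_pam_account)
May 15 17:23:41 fileserv smbd[13001]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 15 17:23:41 fileserv smbd[13001]: PAM account restrictions prevent user [john.doe] login
May 16 15:33:16 fileserv nmbd[2245]: send_election_dgram: Sending election packet for workgroup MAV on subnet 192.168.2.60
May 16 15:33:18 fileserv smbd[2324]: smb_pam_account: PAM: UNKNOWN PAM ERROR (4) during Account Management for User: john.doe
May 16 15:33:18 fileserv smbd[2324]: PAM account restrictions prevent user [john.doe] login
"""


def _note(session, finding):
    """Record a finding once per session, keeping first-seen order."""
    if finding not in session["findings"]:
        session["findings"].append(finding)


def triage(log_text):
    """Return {pid: {"user": ..., "findings": [...]}} for each smbd child."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m or m.group("prog") != "smbd":
            continue  # nmbd browser elections are noise for this problem
        session = sessions.setdefault(
            int(m.group("pid")), {"user": None, "findings": []})
        msg = m.group("msg")
        pam = PAM_ACCT.search(msg)
        rejected = REJECTED.search(msg)
        if NO_SECRET.search(msg):
            # Samba could not read the machine password from its own
            # secrets database (the symptom Sumit ties to an adcli join).
            _note(session, "no-machine-password")
        elif pam:
            code = int(pam.group(1))
            session["user"] = pam.group(2)
            _note(session, "pam-account:" + PAM_CODES.get(code, "code %d" % code))
        elif rejected:
            session["user"] = rejected.group(1)
            _note(session, "login-rejected")
    return sessions


def fixed_and_remaining(sessions, before_pid, after_pid):
    """Split the earlier attempt's findings into fixed vs. still present."""
    before = sessions[before_pid]["findings"]
    after = sessions[after_pid]["findings"]
    fixed = [f for f in before if f not in after]
    remaining = [f for f in before if f in after]
    return fixed, remaining


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for pid, session in result.items():
        print(pid, session["user"], ", ".join(session["findings"]))
    fixed, remaining = fixed_and_remaining(result, 13001, 2324)
    print("fixed by re-join:", fixed)
    print("still failing:  ", remaining)
```

On the sample, the machine-password finding disappears after the re-join while the PAM account-phase system error persists, which matches what the later messages in the thread report.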