Samba and adbindproxy issues
07-19-2017 06:28 AM
Hello and thanks in advance for your help!
I am currently trying to implement a samba share on a CentOS 7.3 server. I installed the latest Centrify Express package and ran the adbindproxy.pl script apparently successfully. But when testing with smbclient, I am only able to list the shares through anonymous login.
```
smbclient -L server-name.domain.com -U jay.baker
```
returns `NT_STATUS_LOGON_FAILURE`
Here's the relevant bit from the samba logs:
```
[2017/07/17 17:00:28.953020, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password) check_ntlm_password: authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953075, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953104, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953156, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset) NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953170, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953264, 1] ../source3/auth/token_util.c:935(create_token_from_username) lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego) Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349, 3] ../source3/smbd/error.c:82(error_packet_set) NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/07/17 17:00:28.958716, 3] ../source3/smbd/server_exit.c:246(exit_server_common) Server exit (failed to receive smb request)
[2017/07/17 17:00:28.978007, 3] ../source3/lib/util_procid.c:54(pid_to_procid) pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
```
To me, it looks like authentication with our domain controllers is succeeding, but then samba thinks the user isn't authorized.
Here's our current samba config at /etc/samba/smb.conf:
```
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = server-name
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#valid users = @"DOMAIN\Domain Admins"
log level = 3
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
#client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
#send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
#ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[samba-test]
path = /samba-test
public = yes
read only = No
valid users = Domain\domain_admins
force group = Domain\domain_admins
guest ok = Yes
```
I have tried a lot of different permutations of this file lol, pretty much any samba stackoverflow or blog post I could find and no matter what I try, I get the same main error of:
lookup_name_smbconf for DOMAIN\jay.baker failed
I'm assuming it's just something stupidly simple that I haven't yet discovered in my samba config. If anyone has seen the same problem, or has any suggestions, any help would be greatly appreciated!
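The pattern in the log excerpt above (password check succeeds, then session setup fails on a name lookup) can be picked out mechanically. This is an added example, not part of the original thread: a small Python parser for `log.smbd` records that flags users whose authentication succeeded but whose name lookup then failed. The function names are hypothetical and the sample log is constructed from the excerpt in the post.

```python
import re

# Samba log record header: "[date time, level] file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+(?P<level>\d+)\]"
    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
AUTH_OK = re.compile(
    r"authentication for user \[[^\]]*\] -> \[[^\]]*\] -> \[(?P<user>[^\]]+)\] succeeded")
LOOKUP_FAIL = re.compile(r"lookup_name_smbconf for (?P<user>\S+) failed")

def parse_records(text):
    """Split a log excerpt into (timestamp, function, message) records.
    Works whether a message follows its header on the same line or the next."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h["ts"], h["func"], " ".join(text[h.end():end].split())

def classify(text):
    """Return one finding per failed name lookup, noting whether the same
    user had already passed the password check earlier in the excerpt."""
    authed, findings = {}, []
    for ts, func, msg in parse_records(text):
        if (m := AUTH_OK.search(msg)):
            authed[m["user"].lower()] = ts
        elif (m := LOOKUP_FAIL.search(msg)):
            user = m["user"]
            stage = ("name-lookup failure after successful authentication"
                     if user.lower() in authed else "name-lookup failure")
            findings.append({"user": user, "time": ts, "stage": stage})
        elif "NT_STATUS_" in msg and findings and "status" not in findings[-1]:
            # First status code logged after the lookup failure.
            findings[-1]["status"] = re.search(r"NT_STATUS_\w+", msg).group()
    return findings

# Constructed sample modelled on the excerpt in the post above.
SAMPLE = r"""
[2017/07/17 17:00:28.953020,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953264,  1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283,  1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

A finding in the "after successful authentication" stage points away from credentials and toward how the server resolves the domain user locally, which is where the thread's troubleshooting ends up.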
Re: Samba and adbindproxy issues
08-12-2017 02:28 PM
I fought with this problem for several days and finally determined that a mix of versions of samba, adbindproxy and CentrifyDC client were the issue. I had installed the most recent version of Samba (4.6.4) available from Red Hat on one RHEL 7.3 server and a lower version (4.4.4) on another RHEL 7.3 server. Both were running Centrifydc 2015. The server with the older version of Samba worked fine, but the samba 4.6.4 version had exactly the same issues you are experiencing. After upgrading the client on the failing server to Centrifydc 2017 and winbindd to version 4.6.2, it all started working. There were some other issues with missing libraries that had to be addressed as well. These show up in the sysctl messages if you run 'system centrifydc-samba status'
That's my story - hope it helps!
Re: Samba and adbindproxy issues
08-14-2017 10:11 AM
Thank you for sharing this information with the community @markhswaim!!
Community Manager

