Hi sssd users,
Yesterday I contacted the Samba discussion list about a malfunction with this software. I was asked to put my question to the sssd list, which I do :) You will find below the email sent to the Samba list:
**************************************************************************
I've updated a domain member SMB server to Samba 4.6.5. I don't want to use winbind for this upgrade, so I'm trying sssd. After a long, informative reading on this subject, I've finally succeeded in connecting using the hostname.
The domain member is correctly joined to the AD DC:
# net ads testjoin
Join is OK
Another test:
# adcli info -D local.mydomain
[domain]
domain-name = local.mydomain
domain-short = MYDOMAIN
domain-forest = local.mydomain
domain-controller = hera.local.mydomain
domain-controller-site = Laval
domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret
domain-controller-usable = yes
domain-controllers = hera.local.mydomain
[computer]
computer-site = Laval
From the domain member server (RHEA), I can view the main shares using my account but not when using the administrator account. By the way, I believe I put some limitations on this account because nobody has to use it.
# smbclient -L //RHEA -U myident
Enter MYDOMAIN\myident's password:

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
	projets         Disk      Gestion des projets
	public          Disk      Public Stuff
	myident         Disk      Repertoire Personnel
Domain=[MYDOMAIN] OS=[] Server=[]

	Server               Comment
	---------            -------
	RHEA                 Samba 4.6.5-Debian

	Workgroup            Master
	---------            -------
	MYDOMAIN             RHEA
From the AD DC server (HERA), I can see the same thing using my account. Still on the AD DC, I've tried another method:
# smbclient -L //192.168.1.2 -U myident
Enter MYDOMAIN\myident's password:
Domain=[MYDOMAIN] OS=[] Server=[]

	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       IPC Service (Samba 4.6.5-Debian)
	projets         Disk      Gestion des projets
	public          Disk      Public Stuff
	myident         Disk      Repertoire Personnel
Domain=[MYDOMAIN] OS=[] Server=[]

	Server               Comment
	---------            -------
	RHEA                 Samba 4.6.5-Debian

	Workgroup            Master
	---------            -------
	MYDOMAIN             RHEA
Well... Everything seems to work. Now I want to test access from a Windows client. I have opened a session on the domain using my account. Now I open Windows Explorer and type //RHEA in the address bar. I can see the shares that I can use. So, why do I post on this mailing list?
Because when I use the address //192.168.1.2, the operating system asks me to identify myself. But I have already done this when I opened the session. I am surprised because it is usually the opposite error that occurs. Let's look at the log on the RHEA host (192.168.1.2):
[2017/07/25 02:46:15.286177, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user myident in domain MYDOMAIN to Domain controller HERA.LOCAL.MYDOMAIN. Error was NT_STATUS_WRONG_PASSWORD.
[2017/07/25 02:46:15.288928, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myident] -> [myident] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/25 02:46:15.296364, 2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
OK, but this error occurred even before I specified an identifier. I removed the Windows workstation from the domain and then joined it again. In this regard, I have noticed that a computer cannot join a Windows Active Directory domain if the NetBIOS over TCP/IP option is not enabled. Too bad!
RSAT is installed on this computer and I can still log in and maintain Active Directory and the DNS zone from it. But now, I cannot see the RHEA shares anymore. I get the same error whether I use the IP or the hostname.
sssd seems to work fine because the getent passwd command gives me a result:
# getent passwd myident
myident:*:1072:513:Marc-Henri Pamiseux:/home/MYDOMAIN/myident:/bin/bash
Can someone help me investigate?
**************************************************************************
Thanks in advance.
On (25/07/17 09:56), Marc-Henri Pamiseux wrote:
I would recommend the following page for troubleshooting SSSD: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
And maybe you can directly jump to authentication section https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshooting...
LS
On Tue, Jul 25, 2017 at 10:08:51AM +0200, Lukas Slebodnik wrote:
On (25/07/17 09:56), Marc-Henri Pamiseux wrote:
[2017/07/25 02:46:15.286177, 0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user myident in domain MYDOMAIN to Domain controller HERA.LOCAL.MYDOMAIN. Error was NT_STATUS_WRONG_PASSWORD.
[2017/07/25 02:46:15.288928, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myident] -> [myident] FAILED with error NT_STATUS_WRONG_PASSWORD
As you can see, NTLM is used for authentication in this case, and SSSD does not support NTLM, hence authentication fails.
The reason is that when you use the name, the Windows client can use Kerberos because it can request a Kerberos service ticket for the principal cifs/files.server.name@AD.REALM. When using the IP address, the Windows client falls back to NTLM authentication because Kerberos does not use IP addresses in principals, and a reverse DNS lookup is often unreliable or not even configured.
So when using SSSD you can only use the name. If you have use cases where only an IP address can be used, you currently have to use winbind.
HTH
bye, Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
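The following is an added example, not code from this thread, from Samba or from SSSD. It models the mechanism choice Sumit describes (a client builds the Kerberos SPN from the name it was given, so //RHEA can get a cifs/ service ticket while //192.168.1.2 cannot and falls back to NTLM, which an SSSD-backed member cannot validate) and runs a small classifier over Samba auth log lines of the kind posted above. The realm and DNS domain are taken from the adcli output in the thread; the function names, the two-line log layout and the sample log are this example's own assumptions.

```python
"""Added example (not from the thread, Samba or SSSD): model the Kerberos-vs-NTLM
choice for an SMB target name and classify Samba auth log lines."""
import ipaddress
import re
from typing import Optional

REALM = "LOCAL.MYDOMAIN"        # assumed from adcli: domain-name = local.mydomain
DNS_DOMAIN = "local.mydomain"

NTLM_FUNCS = {"auth_check_ntlm_password", "domain_client_validate"}
KRB_PREFIX = "gensec_gssapi"    # Samba's GSSAPI (Kerberos) backend functions

# Assumed Samba 4.x log layout: "[timestamp, level] file:line(function)" header,
# then the message on the next indented line.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+),\s*(?P<level>\d+)\] (?P<src>\S+)\((?P<fn>\w+)\)")
STATUS = re.compile(r"NT_STATUS_\w+")
USER = re.compile(r"for user \[?(?P<user>[A-Za-z0-9._$-]+)\]?")


def cifs_spn_for_target(target: str, realm: str = REALM,
                        dns_domain: str = DNS_DOMAIN) -> Optional[str]:
    """SPN a client would request for an SMB target, or None when Kerberos is
    impossible because the target is an IP literal (client falls back to NTLM).
    Accepts //host/share, \\\\host\\share or a bare host; a short name is
    qualified with the DNS domain so the SPN matches the member's account."""
    host = re.split(r"[\\/]", target.lstrip("\\/"))[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return None             # IP literal: no name to build a principal from
    except ValueError:
        pass
    if "." not in host:
        host = f"{host}.{dns_domain}"
    return f"cifs/{host.lower()}@{realm}"


def parse_samba_log(text: str) -> list:
    """Return (function, message) pairs from Samba log text."""
    events, fn = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            fn = m.group("fn")
        elif fn and line.strip():
            events.append((fn, line.strip()))
    return events


def diagnose(text: str) -> dict:
    """Summarise which mechanism the client used and which failures occurred."""
    events = parse_samba_log(text)
    ntlm = [msg for fn, msg in events if fn in NTLM_FUNCS]
    krb = [msg for fn, msg in events if fn.startswith(KRB_PREFIX)]
    failures = []
    for msg in ntlm:
        st = STATUS.search(msg)
        if st and st.group() != "NT_STATUS_OK":
            u = USER.search(msg)
            pair = (u.group("user") if u else "?", st.group())
            if pair not in failures:
                failures.append(pair)
    mechanism = "NTLM" if ntlm else ("Kerberos" if krb else "unknown")
    return {
        "mechanism": mechanism,
        "failures": failures,
        # NTLM failing with no Kerberos attempt at all is the signature of a
        # client given an IP address (or holding no ticket for the SPN) talking
        # to a member that relies on SSSD, which cannot validate NTLM.
        "ntlm_fallback_suspected": mechanism == "NTLM" and bool(failures) and not krb,
    }


# Constructed sample: the three lines posted in the thread, in the assumed layout.
SAMPLE_LOG = """\
[2017/07/25 02:46:15.286177,  0] ../source3/auth/auth_domain.c:226(domain_client_validate)
  domain_client_validate: unable to validate password for user myident in domain MYDOMAIN to Domain controller HERA.LOCAL.MYDOMAIN. Error was NT_STATUS_WRONG_PASSWORD.
[2017/07/25 02:46:15.288928,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myident] -> [myident] FAILED with error NT_STATUS_WRONG_PASSWORD
[2017/07/25 02:46:15.296364,  2] ../auth/gensec/spnego.c:768(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for t in ("//RHEA", "//192.168.1.2/projets"):
        print(t, "->", cifs_spn_for_target(t) or "no SPN possible, NTLM fallback")
    print(diagnose(SAMPLE_LOG))
```

A quick cross-check on the Windows side: after opening \\rhea.local.mydomain in Explorer, `klist` lists a cifs/rhea.local.mydomain ticket; after opening \\192.168.1.2 no such ticket appears, and the member's log shows the auth_check_ntlm_password path as above.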