Ubuntu 16.04.2
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2 Standard
Have 2 sites with the above setup. Each site has 1 Ubuntu/samba server authenticating to 1 Windows Server 2008 R2 server running Active Directory.
Site 1 works as expected. Traditional Linux services, like ssh, auth to AD as expected. So do the samba shares.
Site 2 partially works. Linux services like ssh work, but samba shares fail to auth: "session setup failed: NT_STATUS_NO_LOGON_SERVERS".
connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.DOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/04/20 01:49:28.902051, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
I have double checked site1 smb.conf, sssd.conf, krb5.conf against site2 configuration and they are the "same".
I don't understand why ssh can authenticate but not samba.
It seems like the problem is on DC-1, but I do not know where to start on the debugging of Windows!
sssd.conf

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
domains = CORP.DOMAIN.COM
debug_level = 7

[domain/CORP.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u
smb.conf

[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
preferred master = no
wins server = 192.168.110.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab

syslog = 0
log file = /var/log/samba/%m.log

max xmit = 16384

# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat

idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
template homedir = /var/samba/users/%U

server signing = auto
client signing = auto
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2

load printers = no
sssd-users@lists.fedorahosted.org
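Added example, not part of the post or of Samba: a small parser for the smbd log layout quoted above (a "[date time, level] file:line(function)" header followed by indented message lines) that collects the NT_STATUS codes per record and flags the rejected session to DC-1 as the root finding, with NT_STATUS_NO_LOGON_SERVERS as its follow-on. The sample log, the ":0" source line numbers and the check text are constructed assumptions.

```python
import re

# Samba log records: a header "[date time, level] file:line(function)" followed by
# one or more indented message lines. The regexes below match that header layout.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} [\d:.]+),\s*(\d+)\]\s+\S+\((\w+)\)\s*$")
NTSTATUS = re.compile(r"NT_STATUS_[A-Z_]+")
DC_NAME = re.compile(r"to machine ([\w.-]+)\.")

# Constructed excerpt in the shape of the lines quoted in the post; the ":0" source
# line numbers are placeholders, not real captures.
SAMPLE_LOG = """\
[2017/04/20 01:49:28.901000, 0] ../source3/auth/auth_domain.c:0(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.DOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/04/20 01:49:28.902051, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/04/20 01:49:28.903000, 1] ../source3/smbd/sesssetup.c:0(reply_sesssetup_and_X)
  session setup failed: NT_STATUS_NO_LOGON_SERVERS
"""

def parse_smbd_log(text):
    """Group each header with its message lines; collect the NT_STATUS codes mentioned."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m[1], "level": int(m[2]), "func": m[3], "msg": "", "status": []})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
            rec["status"] = NTSTATUS.findall(rec["msg"])
    return records

# What each finding means and the first things to check on the Samba host (assumed
# standard commands: 'net ads testjoin' / 'net ads info' verify the machine account join).
CHECKS = {
    "secure_channel_rejected": "the DC rejected the session this host opens with its machine "
                               "account; check the join (net ads testjoin, net ads info) and clock skew",
    "no_logon_servers": "follow-on failure: no DC validated the user, fix the finding above first",
}

def triage(records):
    """Return (finding, dc) pairs; the DC name is taken from the connect_to_domain_password_server message."""
    findings = []
    for r in records:
        if r["func"] == "connect_to_domain_password_server" and "NT_STATUS_ACCESS_DENIED" in r["status"]:
            dc = DC_NAME.search(r["msg"])
            findings.append(("secure_channel_rejected", dc[1] if dc else None))
        elif "NT_STATUS_NO_LOGON_SERVERS" in r["status"]:
            findings.append(("no_logon_servers", None))
    return findings
```

Running `triage(parse_smbd_log(SAMPLE_LOG))` on the site 2 log in the post points at DC-1 first; comparing the same output from site 1 (where only successful session setups appear) is the quickest way to confirm the difference is on the DC-1 side rather than in the two "same" configs.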