Ubuntu 16.04.2
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2 Standard
Have 2 sites with the above setup. Each site has 1 ubuntu/samba server authenticating to 1 Windows Server 2008 R2 server running Active Directory
Site 1 works as expected. Traditional linux service, like ssh, auth to AD as expected. So do the samba shares.
Site 2 partially works. Linux services like ssh work but samba shares fail to auth, session setup failed: NT_STATUS_NO_LOGON_SERVERS
connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.DOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/04/20 01:49:28.902051, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.
I have double checked site1 smb.conf, sssd.conf, krb5.conf against site2 configuration and they are the "same".
I don't understand why ssh can authenticate but not samba.
It seems like the problem is on DC-1 but I do not know where to start on the debugging of Windows!
sssd.conf

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
domains = CORP.DOMAIN.COM
debug_level = 7

[domain/CORP.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u
smb.conf

[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
preferred master = no
wins server = 192.168.110.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab

syslog = 0
log file = /var/log/samba/%m.log

max xmit = 16384

# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat

idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
template homedir = /var/samba/users/%U

server signing = auto
client signing = auto
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2

load printers = no
Couple other log entries that look like they might be relevant.
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [exec_child_ex] (0x0040): execv failed [2][No such file or directory].
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [2]: No such file or directory
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846623]
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child.
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846683]
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x1000): Waiting for child [1735].
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x0020): child [1735] was terminated by signal [9].
(Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
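The sssd records above are hard to read once a mail client has run them together, and the interesting ones are buried among trace output. The following Python helper is an added example for this thread (it is not SSSD code and not from any poster): it splits such a paste back into records, decodes the hex tag on each record using the debug_level bit masks documented in sssd.conf(5), keeps only fatal/critical/serious entries, and counts failures per function. The sample records are the ones quoted above; the hint strings for the two renewal-related functions are this example's own wording of the adcli diagnosis given in the reply below.

```python
"""Triage an sssd debug log: split records, decode debug-level masks, keep what matters.
Added example for this thread; not part of SSSD.  SAMPLE holds the records
posted in the report above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# debug_level bit masks from sssd.conf(5); the hex tag on each record is one of them.
LEVELS: Dict[int, str] = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function-data", 0x0400: "trace-functions",
    0x1000: "trace-internal",
}

# Hints for the failing functions seen in this thread (wording is this example's own;
# the missing-adcli diagnosis comes from the reply below).
HINTS: Dict[str, str] = {
    "exec_child_ex": "helper binary could not be executed; for the AD renewal task this means adcli is not installed",
    "ad_machine_account_password_renewal_send": "machine account password renewal is not running (same cause as exec_child_ex)",
}

RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) "                               # (Fri Apr 21 02:37:03 2017)
    r"\[sssd\[(?P<proc>[^\[\]]+(?:\[[^\]]*\])?)\]\] "     # [sssd[be[CORP.DOMAIN.COM]]] or [sssd[nss]]
    r"\[(?P<func>[^\]]+)\] "                             # [exec_child_ex]
    r"\((?P<level>0x[0-9a-fA-F]+)\): "                   # (0x0040):
    r"(?P<msg>.*)$"
)
# A paste with records run together: split just before each "(Www Mmm dd hh:mm:ss yyyy)".
SPLIT_RE = re.compile(r"\s*(?=\([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}\))")


@dataclass
class Record:
    ts: str
    proc: str
    func: str
    level: int
    msg: str

    @property
    def severity(self) -> str:
        return LEVELS.get(self.level, hex(self.level))


def split_records(blob: str) -> List[str]:
    """Works for one-record-per-line logs and for a paste run together on one line."""
    return [r.strip() for r in SPLIT_RE.split(blob) if r.strip()]


def parse_record(text: str) -> Optional[Record]:
    m = RECORD_RE.match(text)
    if m is None:
        return None
    return Record(m["ts"], m["proc"], m["func"], int(m["level"], 16), m["msg"])


def triage(blob: str, worst_kept: int = 0x0040) -> List[Record]:
    """Keep records whose mask is at or below worst_kept (default: fatal, critical, serious)."""
    kept = []
    for text in split_records(blob):
        rec = parse_record(text)
        if rec is not None and rec.level <= worst_kept:
            kept.append(rec)
    return kept


def summarize(records: List[Record]) -> Dict[str, int]:
    """Failure count per sssd function, in first-seen order."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.func] = counts.get(rec.func, 0) + 1
    return counts


# Records from the report above (raw string so nothing in them is escaped).
SAMPLE = r"""
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [exec_child_ex] (0x0040): execv failed [2][No such file or directory].
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [2]: No such file or directory
(Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846623]
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child.
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846683]
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x1000): Waiting for child [1735].
(Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x0020): child [1735] was terminated by signal [9].
(Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
(Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
"""

if __name__ == "__main__":
    kept = triage(SAMPLE)
    for rec in kept:
        print(f"{rec.ts} {rec.proc} {rec.severity:<8} {rec.func}: {rec.msg}")
    for func, n in summarize(kept).items():
        print(f"{n}x {func}: {HINTS.get(func, 'no hint')}")
```

Running it against the paste above keeps 6 of the 11 records and shows the renewal failure as one repeating chain (exec_child_ex, renewal_send, be_ptask_done twice, renewal_timeout, child killed by signal 9), which is exactly the part the reply below identifies as the missing adcli helper and separates it from the samba share problem the thread is actually about.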
On Fri, Apr 21, 2017 at 07:41:54AM -0000, tanner@real-time.com wrote:
> Couple other log entries that look like they might be relevant.
>
> (Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [exec_child_ex] (0x0040): execv failed [2][No such file or directory].
> (Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal child: [2][No such file or directory].
> (Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [2]: No such file or directory
> (Fri Apr 21 02:37:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846623]
> (Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [ad_machine_account_password_renewal_timeout] (0x0020): Timeout reached for AD renewal child.
> (Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_done] (0x0040): Task [AD machine account password renewal]: failed with [1432158266]: AD renewal child failed
> (Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from now [1492846683]
> (Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x1000): Waiting for child [1735].
> (Fri Apr 21 02:38:03 2017) [sssd[be[CORP.DOMAIN.COM]]] [child_sig_handler] (0x0020): child [1735] was terminated by signal [9].
> (Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
> (Fri Apr 21 02:39:28 2017) [sssd[be[CORP.DOMAIN.COM]]] [sdap_id_conn_data_expire_handler] (0x0080): connection is about to expire, releasing it
This is just adcli not being installed, I doubt it's related to the original report.
(Sorry, I don't know enough to help with that one..)
The samba mailing list says this problem is -not- a samba problem.
It was recommended I change my smb.conf to:
[global]
workgroup = CORP
realm = CORP.CELADONSYSTEMS.COM
server string = samba-2
security = ADS
kerberos method = secrets and keytab

log file = /var/log/samba/%m.log

logon script = %U.bat
restrict anonymous = 2
load printers = no
The samba logs indicate the problem is with samba. The sssd logs show everything working except for samba (like I can ssh as AD DC users).
With max debug on for sssd I do not see samba even using sssd for authentication information. Maybe a permissions problem on the AD DC? Although I can auth via ssh? Can you recommend web links on confirming permissions are appropriate on the AD DC?
Testing using
% smbclient -L //samba-2 -U test
I get the log entries below.
(Sun Apr 23 17:36:52 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [samba-2\nobody@CORP.CELADONSYSTEMS.COM]
(Sun Apr 23 17:36:52 2017) [sssd[nss]] [sysdb_search_user_by_upn] (0x0040): Error: 5 (Input/output error)
(Sun Apr 23 17:36:52 2017) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): sysdb_search_user_by_upn failed.
(Sun Apr 23 17:36:52 2017) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
Not sure it's relevant, but posting it here anyways.
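"Double checked ... and they are the 'same'" is the kind of claim worth mechanising, because Samba reads smb.conf more loosely than a visual diff does. The following Python comparer is an added example for this thread (not Samba's own parser, not code from any poster): it applies the reading rules from smb.conf(5), where parameter names are case-insensitive with whitespace in them ignored, only the first '=' separates name from value, surrounding whitespace in values is dropped, and '#' or ';' lines are comments, and then reports which [global] parameters differ between two files. The two sample configurations are the full smb.conf from the first message and the reduced one recommended above; the comparison shows the one value that changed between them (realm) alongside the parameters that were dropped.

```python
"""Compare the [global] section of two smb.conf files the way Samba reads them.
Added example for this thread; not Samba code.  FULL and RECOMMENDED are the two
configurations posted in the thread."""
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]


def norm_name(name: str) -> str:
    """smb.conf(5): leading, trailing and internal whitespace in names is irrelevant,
    and names are not case sensitive."""
    return "".join(name.split()).lower()


def parse_smb_conf(text: str) -> Config:
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:   # stray or malformed line
            continue
        name, value = line.split("=", 1)         # only the first '=' is significant
        conf[section][norm_name(name)] = value.strip()
    return conf


def diff_global(text_a: str, text_b: str) -> Tuple[List[str], List[str], Dict[str, Tuple[str, str]]]:
    """(only in A, only in B, {name: (value in A, value in B)} for differing values)."""
    ga = parse_smb_conf(text_a).get("global", {})
    gb = parse_smb_conf(text_b).get("global", {})
    only_a = sorted(set(ga) - set(gb))
    only_b = sorted(set(gb) - set(ga))
    changed = {k: (ga[k], gb[k]) for k in sorted(set(ga) & set(gb)) if ga[k] != gb[k]}
    return only_a, only_b, changed


# smb.conf from the first message in the thread.
FULL = """
[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
preferred master = no
wins server = 192.168.110.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/%m.log
max xmit = 16384
# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat
idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
template homedir = /var/samba/users/%U
server signing = auto
client signing = auto
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
load printers = no
"""

# Reduced smb.conf recommended on the samba list, as quoted above.
RECOMMENDED = """
[global]
workgroup = CORP
realm = CORP.CELADONSYSTEMS.COM
server string = samba-2
security = ADS
kerberos method = secrets and keytab
log file = /var/log/samba/%m.log
logon script = %U.bat
restrict anonymous = 2
load printers = no
"""

if __name__ == "__main__":
    only_full, only_rec, changed = diff_global(FULL, RECOMMENDED)
    print("dropped in recommended:", ", ".join(only_full))
    print("added in recommended:", ", ".join(only_rec) or "(none)")
    for name, (a, b) in changed.items():
        print(f"changed: {name}: {a!r} -> {b!r}")
```

Pointing diff_global at the site 1 and site 2 files (one text per site) gives the same three lists for them, which is a stronger statement than "the same" in quotes. Keep in mind this compares only what is written: defaults Samba fills in for unset parameters and the effective values after include or macro expansion are what testparm shows, so a clean diff here plus matching testparm output is the combination to aim for.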
Anyone?
I find sssd easier to configure but since I cannot get it to work at 1 site I'm going to have to go back to winbind.
Is there any help on how to troubleshoot this problem?
Seems like there's something different on the AD DC but I do not know where to start troubleshooting.
I was going to point you to the troubleshooting doc at fedorahosted.org/sssd/wiki/Troubleshooting but since that site points you to pagure.io and the links on pagure.io point you back there, I'm not sure where to look for that any longer. There are a few other sites if you look for "sssd troubleshooting" but I've not looked at them to see how helpful they are.
=G=
________________________________________
From: tanner@real-time.com
Sent: Wednesday, April 26, 2017 5:33 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: session setup failed: NT_STATUS_NO_LOGON_SERVERS
Anyone?
I find sssd easier to configure but since I cannot get it to work at 1 site I'm going to have to go back to winbind.
Is there any help on how to troubleshoot this problem?
Seems like there's something different on the AD DC but I do not know where to start troubleshooting.
On Wed, Apr 26, 2017 at 09:42:17PM +0000, Galen Johnson wrote:
> I was going to point you to the troubleshooting doc at fedorahosted.org/sssd/wiki/Troubleshooting but since that site points you to pagure.io and the links on pagure.io point you back there, I'm not sure where to look for that any longer. There are a few other sites if you look for "sssd troubleshooting" but I've not looked at them to see how helpful they are.
Yes, I'm sorry, we're still migrating the wiki pages..