Samba and adbindproxy issues

Hello and thanks in advance for your help!

I am currently trying to implement a Samba share on a CentOS 7.3 server. I installed the latest Centrify Express package and ran the adbindproxy.pl script, apparently successfully. But when testing with smbclient, I am only able to list the shares through anonymous login.

```
smbclient -L server-name.domain.com -U jay.baker
```

returns `NT_STATUS_LOGON_FAILURE`

Here's the relevant bit from the samba logs:

```
[2017/07/17 17:00:28.953020,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953075,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953104,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953156,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953170,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953264,  1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283,  1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/07/17 17:00:28.958716,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)
[2017/07/17 17:00:28.978007,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
```

To me, it looks like authentication with our domain controllers is succeeding, but then Samba thinks the user isn't authorized.

Here's our current Samba config at /etc/samba/smb.conf:

```
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
    security = ADS
    realm = DOMAIN.COM
    workgroup = DOMAIN
    netbios name = server-name

    auth methods = guest, sam, winbind, ntdomain
    machine password timeout = 0
    passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
    #valid users = @"DOMAIN\Domain Admins"

    log level = 3
    #
    # Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
    # with "kerberos method".  The directive "kerberos method = secrets and keytab"
    # enables Samba to honor service tickets that are still valid but were
    # created before the Samba server's password was changed.
    #
    kerberos method = secrets and keytab

    #
    # Setting "client use spnego principal" to true instructs SMB client to
    # trust the service principal name returned by the SMB server. Otherwise,
    # client cannot be authenticated via Kerberos by the server in a different
    # domain even though the two domains are mutually trusted.
    #
    #client use spnego principal = true

    #
    # Setting send spnego principal to yes .
    # Otherwise, it will not send this principal between Samba and Windows 2008
    #
    #send spnego principal = Yes

    # If your Samba server only serves to Windows systems, try server signing = mandatory.
    server signing = auto

    client ntlmv2 auth = yes
    client use spnego = yes


    template shell = /bin/bash

    winbind use default domain = Yes

    winbind enum users = No
    winbind enum groups = No
    winbind nested groups = Yes

    idmap cache time = 0

    #ignore syssetgroups error = No
    idmap config * : backend  = tdb
    idmap config * : range = 1000 - 200000000
    idmap config * : base_tdb = 0
    enable core files = false

    # Disable Logging to syslog, and only write log to Samba standard log files.
    #syslog = 0

[samba-test]
    path = /samba-test
    public = yes
    read only = No
    valid users = Domain\domain_admins
    force group = Domain\domain_admins
    guest ok = Yes
```

I have tried a lot of different permutations of this file lol, pretty much any Samba Stack Overflow or blog post I could find, and no matter what I try, I get the same main error of:

```
lookup_name_smbconf for DOMAIN\jay.baker failed
```

I'm assuming it's just something stupidly simple that I haven't yet discovered in my Samba config. If anyone has seen the same problem, or has any suggestions, any help would be greatly appreciated!
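
The log quoted in the post can be read mechanically to separate the authentication step from the name lookup that follows it. The script below is an added example, not part of the original post and not Centrify or Samba code; the function names `parse_entries` and `diagnose` are hypothetical, and the sample input is four entries copied from the post's log.

```python
import re

# Debug-entry header: [timestamp, level] source-file:line(function)
HEADER = re.compile(r"^\[[\d/]+ [\d:.]+,\s+(?P<level>\d+)\] \S+?:\d+\((?P<func>\w+)\)$")

# Constructed sample: four entries copied from the log quoted in the post.
SAMPLE_LOG = r"""
[2017/07/17 17:00:28.953020,  2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953264,  1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283,  1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def parse_entries(text):
    """Attach each indented message line to the header line that precedes it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"level": int(m["level"]), "func": m["func"], "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def diagnose(text):
    """Report which stage of session setup failed, using only lines found in the log."""
    authed, unmapped, internal, wire = set(), set(), None, None
    for e in parse_entries(text):
        if e["func"] == "auth_check_ntlm_password":
            authed.update(re.findall(r"-> \[([^\]]+)\] succeeded$", e["msg"]))
        elif e["func"] == "create_token_from_username":
            unmapped.update(re.findall(r"lookup_name_smbconf for (\S+) failed", e["msg"]))
        elif e["func"] == "reply_sesssetup_and_X_spnego":
            internal = (re.findall(r"NT_STATUS_\w+", e["msg"]) or [None])[-1]
        elif e["func"] == "error_packet_set":
            wire = (re.findall(r"NT_STATUS_\w+", e["msg"]) or [None])[-1]
    if authed & unmapped:
        stage = "name lookup after successful authentication"
    else:
        stage = "name lookup" if unmapped else "undetermined"
    return {"stage": stage, "users": sorted(authed & unmapped or unmapped),
            "internal_status": internal, "client_status": wire}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, the result separates the status smbd logs internally (`NT_STATUS_NO_SUCH_USER`) from the one placed in the error packet to the client (`NT_STATUS_LOGON_FAILURE`).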

