Hello and thanks in advance for your help!
I am currently trying to implement a Samba share on a CentOS 7.3 server. I installed the latest Centrify Express package and ran the adbindproxy.pl script, apparently successfully. But when testing with smbclient, I am only able to list the shares through anonymous login.
```
smbclient -L server-name.domain.com -U jay.baker
```
returns `NT_STATUS_LOGON_FAILURE`
Here's the relevant bit from the samba logs:
```
[2017/07/17 17:00:28.953020, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953075, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953104, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953156, 3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/07/17 17:00:28.953170, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62088215
[2017/07/17 17:00:28.953264, 1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
[2017/07/17 17:00:28.953349, 3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(293) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2017/07/17 17:00:28.958716, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (failed to receive smb request)
[2017/07/17 17:00:28.978007, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
```
To me, it looks like authentication with our domain controllers is succeeding, but then Samba thinks the user isn't authorized.
Here's our current samba config at /etc/samba/smb.conf:
```
#
# This file was generated by Centrify ADBindProxy Utility
#
[global]
security = ADS
realm = DOMAIN.COM
workgroup = DOMAIN
netbios name = server-name
auth methods = guest, sam, winbind, ntdomain
machine password timeout = 0
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb
#valid users = @"DOMAIN\Domain Admins"
log level = 3
#
# Samba versions 3.4.0 and newer have replaced "use kerberos keytab"
# with "kerberos method". The directive "kerberos method = secrets and keytab"
# enables Samba to honor service tickets that are still valid but were
# created before the Samba server's password was changed.
#
kerberos method = secrets and keytab
#
# Setting "client use spnego principal" to true instructs SMB client to
# trust the service principal name returned by the SMB server. Otherwise,
# client cannot be authenticated via Kerberos by the server in a different
# domain even though the two domains are mutually trusted.
#
#client use spnego principal = true
#
# Setting send spnego principal to yes .
# Otherwise, it will not send this principal between Samba and Windows 2008
#
#send spnego principal = Yes
# If your Samba server only serves to Windows systems, try server signing = mandatory.
server signing = auto
client ntlmv2 auth = yes
client use spnego = yes
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No
winbind enum groups = No
winbind nested groups = Yes
idmap cache time = 0
#ignore syssetgroups error = No
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
idmap config * : base_tdb = 0
enable core files = false
# Disable Logging to syslog, and only write log to Samba standard log files.
#syslog = 0
[samba-test]
path = /samba-test
public = yes
read only = No
valid users = Domain\domain_admins
force group = Domain\domain_admins
guest ok = Yes
```
I have tried a lot of different permutations of this file lol, pretty much any Samba Stack Overflow or blog post I could find, and no matter what I try, I get the same main error of:
```
lookup_name_smbconf for DOMAIN\jay.baker failed
```
I'm assuming it's just something stupidly simple that I haven't yet discovered in my Samba config. If anyone has seen the same problem, or has any suggestions, any help would be greatly appreciated!
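The log pattern described in the post (authentication succeeds, then `lookup_name_smbconf` fails for the same account) can be picked out of an smbd log automatically. The following is an added example, not part of the original post and not Samba or Centrify code; the sample log is constructed from the entries quoted above, and the function names and verdict strings are assumptions made for illustration.

```python
import re

# Constructed sample: three of the entries quoted in the post, one header line
# followed by an indented message line per entry.
SAMPLE_LOG = r"""[2017/07/17 17:00:28.953020, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [jay.baker] -> [jay.baker] -> [DOMAIN\jay.baker] succeeded
[2017/07/17 17:00:28.953264, 1] ../source3/auth/token_util.c:935(create_token_from_username)
  lookup_name_smbconf for DOMAIN\jay.baker failed
[2017/07/17 17:00:28.953283, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] \S+\((?P<func>\w+)\)\s*(?P<rest>.*)$")
AUTH_OK = re.compile(r"authentication for user \[.*?\] -> \[.*?\] -> \[(?P<acct>[^\]]+)\] succeeded")
LOOKUP_FAIL = re.compile(r"lookup_name_smbconf for (?P<acct>\S+) failed")

def parse_entries(text):
    """Return (timestamp, function, message) tuples, joining message lines to their header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m["ts"], m["func"], m["rest"].strip()])
        elif entries and line.strip():
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def classify(text):
    """Map each account with a failed name lookup to a verdict (hypothetical labels)."""
    authed, verdicts = set(), {}
    for _ts, _func, msg in parse_entries(text):
        if (m := AUTH_OK.search(msg)):
            authed.add(m["acct"].lower())
        elif (m := LOOKUP_FAIL.search(msg)):
            acct = m["acct"].lower()
            # A lookup failure after a logged success is not a credential problem.
            verdicts[acct] = ("authenticated, but account lookup failed"
                              if acct in authed
                              else "account lookup failed, no prior auth success logged")
    return verdicts

if __name__ == "__main__":
    for acct, verdict in classify(SAMPLE_LOG).items():
        print(f"{acct}: {verdict}")
```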