16 Replies. Latest reply on Aug 29, 2018 8:16 PM by user10174131

    Oracle 7.5 SSSD and Samba

    jkinninger

      I had this working previously but after an update, which I believe is with Samba 4.7, I am no longer able to connect. I am getting error messages - ads_connect: No logon servers are currently available to service the logon request.

      uname -a
      Linux linstalll2t 3.10.0-862.2.3.0.1.el7.x86_64 #1 SMP Tue May 8 17:56:26 PDT 2018 x86_64 x86_64 x86_64 GNU/Linux

      rpm -qa | grep samba
      samba-common-libs-4.7.1-9.el7_5.x86_64
      samba-libs-4.7.1-9.el7_5.x86_64
      samba-4.7.1-9.el7_5.x86_64
      samba-common-4.7.1-9.el7_5.noarch
      samba-winbind-modules-4.7.1-9.el7_5.x86_64
      samba-common-tools-4.7.1-9.el7_5.x86_64
      samba-client-4.7.1-9.el7_5.x86_64
      samba-client-libs-4.7.1-9.el7_5.x86_64

      /etc/sssd/sssd.conf
      [sssd]
      domains = WS.WSFGRP.NET
      config_file_version = 2
      services = nss, pam

      [domain/WS.WSFGRP.NET]
      ad_domain = WS.WSFGRP.NET
      krb5_realm = WS.WSFGRP.NET
      realmd_tags = manages-system joined-with-samba
      cache_credentials = True
      id_provider = ad
      krb5_store_password_if_offline = True
      default_shell = /bin/bash
      ldap_id_mapping = True
      use_fully_qualified_names = False
      fallback_homedir = /home/%u
      access_provider = ad
      [pam]


      /etc/samba/smb.conf
      # See smb.conf.example for a more detailed config file or
      # read the smb.conf manpage.
      # Run 'testparm' to verify the config is correct after
      # you modified it.

      [global]
              workgroup - WS.WSFGRP.NET
              security = ads
      #kerberos method = secrets and keytab
              kerberos method = system keytab
              idmap config * : backend = tdb
              template homedir = /home/%U
              socket options = TCP_NODELAY
              max protocol = SMB2
              idmap config * : range = 1000 - 200000000
              idmap config * : base_tdb = 0
              enable core files = false
              client use spnego = no

      # Add the IPs / subnets allowed access to the server in general.
              #hosts allow = 10.141.168.19

      # Not interested in printers
              load printers = no
              cups options = raw

      # This stops an annoying message from appearing in logs
              printcap name = /dev/null

      # log files split per-machine:
              log file = /var/log/samba/log.%m
              # enable the following line to debug:
              log level = 3
              # maximum size of 50KB per log file, then rotate:
              max log size = 50

      [homes]
              comment = Home Directories
              valid users = %S, %D%w%S
              browseable = No
              read only = No
              inherit acls = Yes

      [install]
              comment = Installation Directory
              path = /install
              read only = No


      /var/log/samba
        ../source3/librpc/crypto/gse_krb5.c:593: Error! Unable to set mem keytab - 2
      [2018/08/28 09:07:09.426252,  1] ../auth/gensec/gensec_start.c:756(gensec_start_mech)
        Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
      [2018/08/28 09:07:09.431482,  1] ../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
        ../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
      [2018/08/28 09:07:09.431512,  1] ../source3/librpc/crypto/gse_krb5.c:593(gse_krb5_get_server_keytab)
        ../source3/librpc/crypto/gse_krb5.c:593: Error! Unable to set mem keytab - 2
      [2018/08/28 09:07:09.431530,  1] ../auth/gensec/gensec_start.c:756(gensec_start_mech)
        Failed to start GENSEC server mech gse_krb5: NT_STATUS_INTERNAL_ERROR
      [2018/08/28 09:07:09.432843,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
        Got NTLMSSP neg_flags=0xe2088297
      [2018/08/28 09:07:09.434573,  3] ../auth/ntlmssp/ntlmssp_server.c:454(ntlmssp_server_preauth)
        Got user=[jkinning] domain=[WS] workstation=[PC150115C] len1=24 len2=24
      [2018/08/28 09:07:09.434614,  3] ../source3/param/loadparm.c:3847(lp_load_ex)
        lp_load_ex: refreshing parameters
      [2018/08/28 09:07:09.434687,  3] ../source3/param/loadparm.c:543(init_globals)
        Initialising global parameters
      [2018/08/28 09:07:09.434799,  3] ../source3/param/loadparm.c:2761(lp_do_section)
        Processing section "[global]"
      [2018/08/28 09:07:09.434943,  2] ../source3/param/loadparm.c:2778(lp_do_section)
        Processing section "[homes]"
      [2018/08/28 09:07:09.434991,  2] ../source3/param/loadparm.c:2778(lp_do_section)
        Processing section "[install]"
      [2018/08/28 09:07:09.435058,  3] ../source3/param/loadparm.c:1596(lp_add_ipc)
        adding IPC service
      [2018/08/28 09:07:09.435117,  3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
        check_ntlm_password:  Checking password for unmapped user [WS]\[jkinning]@[PC150115C] with the new password interface
      [2018/08/28 09:07:09.435138,  3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
        check_ntlm_password:  mapped user is: [WS]\[jkinning]@[PC150115C]
      [2018/08/28 09:07:09.435304,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
        get_dc_list: preferred server list: ", *"
      [2018/08/28 09:07:09.435357,  3] ../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
        resolve_lmhosts: Attempting lmhosts lookup for name WORKGROUP<0x1c>
      [2018/08/28 09:07:09.435426,  3] ../source3/libsmb/namequery.c:2142(resolve_wins_send)
        resolve_wins: WINS server resolution selected and no WINS servers listed.
      [2018/08/28 09:07:09.435456,  3] ../source3/libsmb/namequery.c:1880(name_resolve_bcast_send)
        name_resolve_bcast: Attempting broadcast lookup for name WORKGROUP<0x1c>
      [2018/08/28 09:07:10.436728,  1] ../source3/libads/ldap.c:563(ads_find_dc)
        ads_find_dc: name resolution for realm '' (domain 'WORKGROUP') failed: NT_STATUS_NO_LOGON_SERVERS
      [2018/08/28 09:07:10.436846,  3] ../source3/libsmb/namequery.c:3160(get_dc_list)
        get_dc_list: preferred server list: ", *"
      [2018/08/28 09:07:10.436875,  3] ../libcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)
        resolve_lmhosts: Attempting lmhosts lookup for name WORKGROUP<0x1c>
      [2018/08/28 09:07:10.436972,  3] ../source3/libsmb/namequery.c:2142(resolve_wins_send)
        resolve_wins: WINS server resolution selected and no WINS servers listed.
      [2018/08/28 09:07:10.436998,  3] ../source3/libsmb/namequery.c:1880(name_resolve_bcast_send)
        name_resolve_bcast: Attempting broadcast lookup for name WORKGROUP<0x1c>
      [2018/08/28 09:07:11.438286,  3] ../source3/libsmb/namequery_dc.c:175(rpc_dc_name)
        Could not look up dc's for domain WORKGROUP
      [2018/08/28 09:07:11.438363,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
        check_ntlm_password:  Authentication for user [jkinning] -> [jkinning] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
      [2018/08/28 09:07:11.438425,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
        Auth: [SMB2,(null)] user [WS]\[jkinning] at [Tue, 28 Aug 2018 09:07:11.438389 EDT] with [NTLMv1] status [NT_STATUS_NO_LOGON_SERVERS] workstation [PC150115C] remote host [ipv4:10.141.168.19:57995] mapped to [WS]\[jkinning]. local host [ipv4:10.131.172.107:445]
      [2018/08/28 09:07:11.438457,  3] ../auth/auth_log.c:591(log_no_json)
        log_no_json: JSON auth logs not available unless compiled with jansson
      [2018/08/28 09:07:11.438478,  2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
        SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
      [2018/08/28 09:07:11.438568,  3] ../source3/smbd/smb2_server.c:3120(smbd_smb2_request_error_ex)
        smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../source3/smbd/smb2_sesssetup.c:134
      [2018/08/28 09:07:11.440137,  3] ../source3/smbd/server_exit.c:248(exit_server_common)
        Server exit (NT_STATUS_CONNECTION_RESET)


      One item that is standing out in the log is the "Could not look up dc's for domain WORKGROUP". I am not sure where it is looking for this, as Samba should be looking at WS.WSFGRP.NET.
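The log in this post is worth reading as an event stream rather than a wall of text: besides the chain of NT_STATUS_NO_LOGON_SERVERS failures, it records that the system keytab could not be opened, that ads_find_dc ran with an empty realm and the default domain WORKGROUP, and that the client authenticated with NTLMv1. The following Python is an added example, not part of the original thread, that parses smbd log lines of this shape (the two-line "[timestamp, level] file:line(function)" header plus indented message that smbd writes at log level 3) into structured auth events and a short list of findings a defender would want surfaced. The sample lines are constructed to mirror the thread's log, with documentation-range addresses and an invented "alice" success line for contrast; the finding names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in smbd's "log level = 3" format: a header line
# "[timestamp, level] file:line(function)" followed by an indented message.
# The lines mirror the thread's log; the hosts and the "alice" event are invented.
SAMPLE_LOG = r"""
[2018/08/28 09:07:09.431482,  1] ../source3/librpc/crypto/gse_krb5.c:417(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:417: krb5_kt_start_seq_get failed (No such file or directory)
[2018/08/28 09:07:10.436728,  1] ../source3/libads/ldap.c:563(ads_find_dc)
  ads_find_dc: name resolution for realm '' (domain 'WORKGROUP') failed: NT_STATUS_NO_LOGON_SERVERS
[2018/08/28 09:07:11.438425,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WS]\[jkinning] at [Tue, 28 Aug 2018 09:07:11.438389 EDT] with [NTLMv1] status [NT_STATUS_NO_LOGON_SERVERS] workstation [PC150115C] remote host [ipv4:192.0.2.10:57995] mapped to [WS]\[jkinning]. local host [ipv4:192.0.2.7:445]
[2018/08/28 09:08:02.000000,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [WS]\[alice] at [Tue, 28 Aug 2018 09:08:02.000000 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [PC2] remote host [ipv4:192.0.2.11:50001] mapped to [WS]\[alice]. local host [ipv4:192.0.2.7:445]
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\] (?P<location>\S+)$"
)

# The human-readable auth line written by auth_log.c.
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[[^\]]*\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<workstation>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)


@dataclass
class Entry:
    ts: str
    level: int
    location: str
    message: str = ""


def parse_smbd_log(text: str) -> List[Entry]:
    """Pair each header line with the indented message line(s) that follow it."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["location"]))
        elif entries and line.strip():
            # message lines are indented; a message may span several lines
            entries[-1].message = (entries[-1].message + " " + line.strip()).strip()
    return entries


def parse_auth_event(message: str) -> Optional[Dict[str, str]]:
    m = AUTH_RE.search(message)
    return m.groupdict() if m else None


def triage(text: str) -> Dict[str, list]:
    """Return the auth events found plus findings worth a defender's attention."""
    entries = parse_smbd_log(text)
    auth_events = [ev for ev in (parse_auth_event(e.message) for e in entries) if ev]
    findings: List[str] = []
    for e in entries:
        if "krb5_kt_start_seq_get failed" in e.message:
            # fill_mem_keytab_from_system_keytab could not open the system keytab
            # (ENOENT): "kerberos method = system keytab" has nothing to read
            findings.append("system_keytab_unreadable")
        if "ads_find_dc: name resolution for realm ''" in e.message:
            # smbd is searching for a DC with an empty realm and the default
            # workgroup, i.e. the realm/workgroup parameters are not in effect
            findings.append("realm_not_in_effect")
    for ev in auth_events:
        who = f"{ev['domain']}\\{ev['user']}"
        if ev["mech"] == "NTLMv1":
            findings.append(f"ntlmv1_used:{who}")
        if ev["status"] != "NT_STATUS_OK":
            findings.append(f"auth_failed:{who}:{ev['status']}")
    return {"auth_events": auth_events, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against a real /var/log/samba/log.<machine> file by passing its contents to triage(); the NTLMv1 finding is the one that survives after the join problem is fixed, since it depends on client policy rather than on the server's DC lookup.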

        • 1. Re: Oracle 7.5 SSSD and Samba
          Dude!

          What did you update, and what from?

          Have you seen the following: https://bugzilla.redhat.com/show_bug.cgi?id=1549969

          • 2. Re: Oracle 7.5 SSSD and Samba
            Dude!

            Perhaps you can use "yum history" to roll back the update.

            • 3. Re: Oracle 7.5 SSSD and Samba
              jkinninger

              I updated the system by running 'yum update'. Is there a way I can go back to the previous version of Samba? It was all working before I updated everything.

              • 4. Re: Oracle 7.5 SSSD and Samba
                user10174131

                Have you considered an alternate protocol? SMB is fraught with problems.

                https://github.com/billziss-gh/sshfs-win

                • 5. Re: Oracle 7.5 SSSD and Samba
                  jkinninger

                  The sshfs looks interesting but I'm not sure it would work for us. I know SMB is filled with issues but it is easy. For the record I tried to install the sshfs stuff and connect but wasn't able to access the mount I was after. I could only get to my home dir from Windows Explorer, /home/jkinning. I am sure it was something I was doing. Couldn't figure out how to get my AD user to access the /install directory I need.

                  I tried running this and it seems like I am getting a little closer.
                  net ads testjoin
                  ads_connect: No logon servers are currently available to service the logon request.
                  Join to domain is not valid: No logon servers are currently available to service the logon request.

                  I can run id <AD_User> and I see all the groups, so it is aware of my AD and what groups my AD user has rights to.

                  • 6. Re: Oracle 7.5 SSSD and Samba
                    Dude!

                    You can try the following:

                    # yum remove "samba*"
                    # yum --showduplicates list samba
                    # yum install samba-4.6.2
                    # yum install yum-versionlock
                    # yum versionlock samba

                    Then restart the system.

                    • 7. Re: Oracle 7.5 SSSD and Samba
                      user10174131

                      You likely want to make this "min protocol" instead. Microsoft is strongly urging that SMB1 be retired.

                              max protocol = SMB2

                      • 8. Re: Oracle 7.5 SSSD and Samba
                        jkinninger

                        Looks like when I try to then get SSSD back installed I am stuck with a bunch of dependency issues. I'll wait this out until a fix gets released. I like sshfs or a better method to access shares or directories on the Linux server other than Samba, but trying to get a decent Windows client to do that isn't looking promising. I think Samba will be around for quite some time, but maybe with Windows 10 having Bash and PowerShell getting SSH there is something there that could work and eliminate the need for Samba. It would need to be fairly easy for end users, as right now once I configure Samba they just access the share like on any other Windows server. Especially with SSSD, I just use the AD group and it eliminates some of the administration I used to have.

                        • 9. Re: Oracle 7.5 SSSD and Samba
                          Dude!

                          Does resolving the Windows server work? Have you checked /etc/hosts? Have you tried disabling the firewall and SELinux?

                           

                          Perhaps your best option is to install a virtual machine to test if you can reproduce the problem. It shouldn't be much effort and will further help you to determine the source of the problem.

                          • 10. Re: Oracle 7.5 SSSD and Samba
                            user10174131

                            Regarding sshfs, you might try setting a soft link in your home directory to the target that you want to access. Windows sshfs might interpret this soft link as a subdirectory.

                            The best practice configuration for Samba is min protocol = smb3, and smb encrypt = required. Note that Windows 7 cannot participate with these settings, as it does not implement SMB3.

                            Note that Windows Explorer implements an FTP client. If you will tolerate cleartext traffic (which you were with SMB2), a very easy way to "mount an FTP share" is to enter an appropriate FTP URL into an Explorer address bar. FTP URLs will appear as ftp://user:password@yourFTP.yourdomain.com.

                            Windows also has NFS clients, but that introduces several other problems.
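Reply 7 and reply 10 both point at protocol settings in the first post's smb.conf (a max protocol = SMB2 cap instead of a min protocol, no smb encrypt = required). That posted file also carries a "workgroup - WS.WSFGRP.NET" line with a hyphen where smb.conf syntax needs "=", and no realm parameter even though security = ads requires one (per the smb.conf manpage). The following Python is an added example, not part of the thread, of a small offline smb.conf linter that parses the [section] / name = value format, reports badly formed lines, and checks those points; Samba's own testparm remains the authoritative check. Both embedded configs are constructed: the first mirrors the posted [global] section, the second is an illustrative hardened variant (its workgroup = WS short name is taken from the domain=[WS] value in the posted log). Whether SMB3-only and required encryption suit a given client population is a deployment decision, as reply 10 notes for Windows 7.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt mirroring the [global] section of the first post's smb.conf
# (the hyphen in the "workgroup" line is reproduced on purpose).
POSTED_GLOBAL = """\
[global]
        workgroup - WS.WSFGRP.NET
        security = ads
        kerberos method = system keytab
        idmap config * : backend = tdb
        max protocol = SMB2
        client use spnego = no
"""

# Constructed hardened variant: realm and workgroup set, SMB1 retired via
# min protocol, encryption required (the settings recommended in reply 10).
HARDENED_GLOBAL = """\
[global]
        workgroup = WS
        realm = WS.WSFGRP.NET
        security = ads
        kerberos method = system keytab
        idmap config * : backend = tdb
        min protocol = SMB3
        smb encrypt = required
"""

# smb.conf accepts both the short and the "server ..." spelling of these names.
SYNONYMS = {
    "server min protocol": "min protocol",
    "server max protocol": "max protocol",
    "server smb encrypt": "smb encrypt",
}


def normalize_key(key: str) -> str:
    # Parameter names are case- and whitespace-insensitive in smb.conf.
    k = " ".join(key.lower().split())
    return SYNONYMS.get(k, k)


def parse_smb_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[int, str, str]]]:
    """Return ({section: {name: value}}, [(lineno, reason, line), ...])."""
    sections: Dict[str, Dict[str, str]] = {}
    problems: List[Tuple[int, str, str]] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            # Samba skips badly formed lines, so the parameter silently keeps its default.
            problems.append((lineno, "no '=' in parameter line", line))
            continue
        if current is None:
            problems.append((lineno, "parameter before any [section]", line))
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections, problems


def lint_global(text: str) -> List[str]:
    """Findings for the [global] section; an empty list means nothing flagged."""
    sections, problems = parse_smb_conf(text)
    findings = [f"malformed_line:{lineno}" for lineno, _, _ in problems]
    g = sections.get("global", {})
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("realm_missing_for_security_ads")
    if "min protocol" not in g:
        findings.append("min_protocol_unset")          # SMB1 still negotiable
    if g.get("smb encrypt", "").lower() != "required":
        findings.append("smb_encrypt_not_required")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_GLOBAL), ("hardened", HARDENED_GLOBAL)):
        print(name, lint_global(cfg) or "ok")
```

The malformed-line check is the one that matters most for this thread: a line Samba skips leaves the parameter at its default, which is exactly the kind of failure that shows up in the log as a lookup for domain WORKGROUP rather than as a configuration error.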

                            • 11. Re: Oracle 7.5 SSSD and Samba
                              Dude!

                              Isn't the idea here to mount a Windows share on Linux using AD credentials? Encryption is useful but adds overhead and will slow down file transfers. However, since SSH or port 22 is typically open in the firewall, it can potentially allow Internet access to Windows shares.

                              • 12. Re: Oracle 7.5 SSSD and Samba
                                jkinninger

                                I have added our DNS servers to the /etc/hosts file. Firewall and SELinux are disabled.

                                I can ssh into this server with my AD credentials but since the update Samba is no longer working. I set the log level to 3 for Samba but it still isn't connecting.

                                From the log when I try to access my share:

                                  got OID=1.2.840.48018.1.2.2
                                [2018/08/29 13:46:35.105959,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
                                  Got challenge flags:
                                [2018/08/29 13:46:35.105982,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
                                  Got NTLMSSP neg_flags=0x62898215
                                [2018/08/29 13:46:35.106018,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
                                  NTLMSSP: Set final flags:
                                [2018/08/29 13:46:35.106034,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
                                  Got NTLMSSP neg_flags=0x62008a15
                                [2018/08/29 13:46:35.106049,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
                                  NTLMSSP Sign/Seal - Initialising with flags:
                                [2018/08/29 13:46:35.106069,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
                                  Got NTLMSSP neg_flags=0x62008a15
                                [2018/08/29 13:46:35.106784,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
                                  NTLMSSP Sign/Seal - Initialising with flags:
                                [2018/08/29 13:46:35.106805,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
                                  Got NTLMSSP neg_flags=0x62008a15
                                [2018/08/29 13:46:35.107457,  3] ../lib/ldb-samba/ldb_wrap.c:326(ldb_wrap_connect)
                                  ldb_wrap open of secrets.ldb
                                [2018/08/29 13:46:35.107586,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
                                  Could not find machine account in secrets database: Failed to fetch machine account password for WS.WSFGRP.NET from both secrets.ldb (Could not find entry to match filter: '(&(flatname=WS.WSFGRP.NET)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4636) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
                                [2018/08/29 13:46:35.107611,  0] ../source3/auth/auth_domain.c:122(connect_to_domain_password_server)
                                  connect_to_domain_password_server: unable to open the domain client session to machine CINDCWS03P.WS.WSFGRP.NET. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
                                [2018/08/29 13:46:35.108505,  0] ../source3/auth/auth_domain.c:185(domain_client_validate)
                                  domain_client_validate: Domain password server not available.
                                [2018/08/29 13:46:35.108556,  2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
                                  check_ntlm_password:  Authentication for user [jkinning] -> [jkinning] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
                                [2018/08/29 13:46:35.108601,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
                                  Auth: [SMB2,(null)] user [WS]\[jkinning] at [Wed, 29 Aug 2018 13:46:35.108582 EDT] with [NTLMv1] status [NT_STATUS_NO_LOGON_SERVERS] workstation [PC150115C] remote host [ipv4:x.x.x.x:57485] mapped to [WS]\[jkinning]. local host [ipv4:x.x.x.x:445]
                                [2018/08/29 13:46:35.108623,  3] ../auth/auth_log.c:591(log_no_json)
                                  log_no_json: JSON auth logs not available unless compiled with jansson
                                [2018/08/29 13:46:35.108652,  2] ../auth/gensec/spnego.c:605(gensec_spnego_server_negTokenTarg)
                                  SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
                                [2018/08/29 13:46:35.108767,  3] ../source3/smbd/smb2_server.c:3120(smbd_smb2_request_error_ex)
                                  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_LOGON_SERVERS] || at ../source3/smbd/smb2_sesssetup.c:134
                                [2018/08/29 13:46:35.110361,  3] ../source3/smbd/server_exit.c:248(exit_server_common)
                                  Server exit (NT_STATUS_CONNECTION_RESET)

                                Not sure why Samba can't find the logon servers, as it is using SSSD and I can SSH to this server using my AD creds.

                                realm list
                                ws.wsfgrp.net
                                  type: kerberos
                                  realm-name: WS.WSFGRP.NET
                                  domain-name: ws.wsfgrp.net
                                  configured: kerberos-member
                                  server-software: active-directory
                                  client-software: winbind
                                  required-package: oddjob-mkhomedir
                                  required-package: oddjob
                                  required-package: samba-winbind-clients
                                  required-package: samba-winbind
                                  required-package: samba-common-tools
                                  login-formats: WS.WSFGRP.NET\%U
                                  login-policy: allow-any-login
                                WS.WSFGRP.NET
                                  type: kerberos
                                  realm-name: WS.WSFGRP.NET
                                  domain-name: ws.wsfgrp.net
                                  configured: kerberos-member
                                  server-software: active-directory
                                  client-software: sssd
                                  required-package: oddjob
                                  required-package: oddjob-mkhomedir
                                  required-package: sssd
                                  required-package: adcli
                                  required-package: samba-common-tools
                                  login-formats: %U
                                  login-policy: allow-realm-logins

                                Should I proceed to open an SR on this?

                                • 13. Re: Oracle 7.5 SSSD and Samba
                                  user10174131

                                  You might check for basic connectivity to your smb server with smbclient.

                                  Here is an example:

                                  $ smbclient -e //smb3enc.somecompany.com/shush -U nt_username -W dom -mSMB3

                                  Enter DOM\NT_USERNAME's password:
                                  Domain=[DOM] OS=[] Server=[]
                                  smb: \> quit

                                  Note the above call requires encrypted smb3. The smbclient binary will allow you to get and put files similar to FTP.

                                  • 14. Re: Oracle 7.5 SSSD and Samba
                                    Dude!

                                    It looks very similar to https://bugzilla.samba.org/show_bug.cgi?id=13126

                                    Should I proceed to open an SR on this?

                                    I don't see why not. I would still suggest however to test if you can reproduce the problem using a plain vanilla installation. Like starting with a system where it works, then updating. I suggest VirtualBox with a bridged network adapter. You can create snapshots before and after the problem.
