Neth7.7 Samba4 local AD cannot authenticate

NethServer Version: 7.7.1908
Module: nethserver-samba

I have set up samba but it has been years. I have scoured the net for tips all day before making this post. This install is fresh with a single test user and just samba with neth AD. The only non-defaults I set were the NETBIOS name to be the FQDN host portion name and the IP. Aside from the authentication it appears to be working. That is, I can create a share and if it is tied to the user I can see the folder but not enter it. If I have the rights set to guest read write then I can enter the folder. This is both Windows 10 and an Ubuntu 18.04 host looking at the share.

I guess I am wondering if there is some magic like in the past at some point you had to have all caps and no special characters in the password, install x version SSL…stuff like that you just had to know. I have installed on a few different machines but out-of-the-box it is not working for me. Oh, almost forgot: there was a complaint by a test tool that workgroup and netbios were the same and needed to be unique. I made them unique, which didn’t matter. I can also use some samba tools to talk to the AD server and get some user information, though not all of it as it is rejecting the authentication.

Any tips are greatly appreciated!

  • Can you log in on https://yourip:980 with the user’s credentials?
  • Please log in as root and paste here the full contents of the “Domain accounts” page

User test is just a vanilla user no admin rights. Initial login produced:

Nethgui:

403 - Forbidden

1327681977+1327499272

with the url changed to : https://192.168.100.65:980/en-US/Account#!Account_User_read

changing the url to: https://192.168.100.65:980/ (which I used to log in) produced the profile change password page and now url: https://192.168.100.65:980/en-US/UserProfile

Logging in as an administrator produces a domain accounts page with:

Domain testit.com
NetBIOS domain name: FILES
LDAP server: 192.168.100.96
LDAP server name: nsdc-files.ad.testit.com
Realm: AD.TESTIT.COM
Bind Path: dc=AD,dc=testit,dc=COM
LDAP port: 389
Server time: Thu, 07 Nov 2019 10:53:00 EST
KDC server: 192.168.100.96
Server time offset: 0
Last machine account password change: Wed, 06 Nov 2019 20:24:45 EST

Join is OK

whenCreated: 20191107012444.0Z
name: files
objectSid: S-1-5-21-47661823-1987243383-4149097692-1104
accountExpires: 9223372036854775807
sAMAccountName: files$
pwdLastSet: 132175634844783980
dNSHostName: files.testit.com
servicePrincipalName: HOST/FILES
servicePrincipalName: HOST/files.testit.com
whenChanged: 20191107012445.0Z
lastLogon: 132176151723308100
distinguishedName: CN=files,CN=Computers,DC=ad,DC=testit,DC=com

I appreciate your assistance

Seems all ok.

Now install smbclient command (if not already present):

yum install -y samba-client

Then try to access your share from local system. Run as root:

smbclient -d 10 -U "psionprime@$(config getprop sssd Realm)" //$(hostname)/yourshare

You’ll be asked to type the user’s password (replace psionprime and yourshare with appropriate values).

Paste here the command output.

I noticed maybe a minor bug: in some places the output indicates the host is “92” instead of “192”. Not that it means anything, but it stood out to me.

[admin@files ~]$ smbclient -d 10 -U "test@$(config getprop sssd Realm)" //$192.168.100.65/test
-bash: config: command not found
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = FILES
doing parameter server string = NethServer 7.7.1908 final (Samba %v)
doing parameter security = ADS
doing parameter realm = AD.testit.COM
doing parameter kerberos method = secrets and keytab
doing parameter password server = nsdc-files.ad.testit.com
doing parameter netbios name = FILES
Processing section "[global]"
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config FILES : backend = nss
doing parameter idmap config FILES : range = 200000-2147483647
doing parameter inherit owner = no
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section "[global]"
pm_process() returned Yes
lp_servicenumber: couldn't find homes
directory_create_or_exist_strict: invalid ownership on directory /var/lib/samba/lock/msg.lock
messaging_init_internal: Could not create lock directory: No such file or directory
cmdline_messaging_context: Unable to initialize messaging context.
Unable to initialize messaging context
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface br0 ip=192.168.100.65 bcast=192.168.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="FILES"
Client started (version 4.9.1).
Connecting to 92.168.100.65 at port 445
Connecting to 92.168.100.65 at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 367360
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
 negotiated dialect[NT1] against server[92.168.100.65]
 session setup ok
num_setup=1, max_setup=0, param_total=42, this_param=42, max_param=2, data_total=0, this_data=0, max_data=65535, param_offset=68, param_pad=0, param_disp=0, data_offset=112, data_pad=2, data_disp=0
Enter test@'s password:
Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
tree connect failed: NT_STATUS_ACCESS_DENIED
[admin@files ~]$

Please re-run the command as root (not admin)

Whoops, sorry, here you go:

[root@files admin]# smbclient -d 10 -U "test@$(config getprop sssd Realm)" //$192.168.100.65/test
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = FILES
doing parameter server string = NethServer 7.7.1908 final (Samba %v)
doing parameter security = ADS
doing parameter realm = AD.testit.COM
doing parameter kerberos method = secrets and keytab
doing parameter password server = nsdc-files.ad.testit.com
doing parameter netbios name = FILES
Processing section "[global]"
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config FILES : backend = nss
doing parameter idmap config FILES : range = 200000-2147483647
doing parameter inherit owner = no
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section "[global]"
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned Success
messaging_dgm_ref: unique = 12024313753798330251
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
messaging_init_internal: my id: 26845
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface br0 ip=192.168.100.65 bcast=192.168.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="FILES"
Client started (version 4.9.1).
Connecting to 92.168.100.65 at port 445
Connecting to 92.168.100.65 at port 139
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 87040
        SO_RCVBUF = 367360
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
 negotiated dialect[NT1] against server[92.168.100.65]
 session setup ok
num_setup=1, max_setup=0, param_total=42, this_param=42, max_param=2, data_total=0, this_data=0, max_data=65535, param_offset=68, param_pad=0, param_disp=0, data_offset=112, data_pad=2, data_disp=0
Enter test@AD.testit.COM's password:
Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
tree connect failed: NT_STATUS_ACCESS_DENIED
[root@files admin]#

So you have a Workgroup name “FILES” and your server name is “FILES” too. Furthermore…

…the IP smbclient is connecting to does not look like the local system’s one (192.168.100.65).

If possible, I’d go by

  1. removing the AD accounts provider, and reinstall it from scratch with a different NT-domain name *
  2. when reinstalling, do not mix upper/lower case letters in the domain realm name ** (I cannot predict what it could break)
  3. ensure echo $(hostname) pings the local system IP

(*) NetBIOS domain name field
(**) DNS domain name field
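
Added example, not part of the original thread: a triage filter over `smbclient -d 10` output that flags the signals visible in the two pastes above (dialled address not on a local interface, NT1 dialect, empty realm in the password prompt, LANMAN request). It also reproduces how bash turns the typed `//$192.168.100.65/test` into `//92.168.100.65/test`, since `$1` is empty in an interactive shell. Function names and finding labels are hypothetical; the sample lines are excerpted from the output posted in this thread.

```bash
#!/usr/bin/env bash
# Added example. Function names and finding labels are hypothetical.

# What the shell passes to smbclient when the target is typed as
# //$192.168.100.65/test with no positional parameters set:
# "$1" expands to nothing and the literal "92" follows it.
typed_target() (
    set +u          # an unset $1 must expand to empty, not abort
    set --          # clear positional parameters, as in a login shell
    printf '%s' //$192.168.100.65/test
)

# Read `smbclient -d 10` output on stdin; print one finding per line.
# Assumes the test is run on the file server against itself.
triage_smbclient_log() {
    awk '
        # Addresses the client found on local interfaces.
        /^added interface / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ip=/) local_ip[substr($i, 4)] = 1
        }
        # First address the client dialled.
        /^Connecting to / { if (target == "") target = $3 }
        # Dialect agreed with the peer (NT1 is SMB1).
        /negotiated dialect\[/ {
            dialect = $0
            sub(/.*negotiated dialect\[/, "", dialect)
            sub(/\].*/, "", dialect)
        }
        # Prompt echoes the principal from -U; "user@" followed directly
        # by the possessive suffix means the realm substitution was empty.
        /^Enter .*password:/ { if ($2 ~ /@.s$/) empty_realm = 1 }
        /Server requested LANMAN password/ { lanman = 1 }
        END {
            if (target != "" && !(target in local_ip))
                print "TARGET_NOT_LOCAL " target
            if (dialect == "NT1") print "SMB1_DIALECT " dialect
            if (empty_realm)      print "EMPTY_REALM"
            if (lanman)           print "LANMAN_REQUESTED"
        }
    '
}

# Sample input: lines excerpted from the first (non-root) run in this thread.
sample_log() {
    cat <<'EOF'
added interface br0 ip=192.168.100.65 bcast=192.168.100.255 netmask=255.255.255.0
Connecting to 92.168.100.65 at port 445
Connecting to 92.168.100.65 at port 139
 session request ok
 negotiated dialect[NT1] against server[92.168.100.65]
Enter test@'s password:
Server requested LANMAN password (share-level security) but 'client lanman auth = no' or 'client ntlmv2 auth = yes'
tree connect failed: NT_STATUS_ACCESS_DENIED
EOF
}

sample_log | triage_smbclient_log
```

Running the same command line under `set -u` makes bash stop at the unset `$1` instead of silently dropping the leading digit.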

The workgroup is set automatically. I haven’t mixed case, that’s the output. The tool is outputting 92 instead of 192. I can ping test to resolve 192.168.100.65

When I install neth, the full name is files.testit.com. When I install samba it autopopulates the netbios name with testit. I change it to files. I will completely reinstall with a unique domain from my others and see what happens.


Ok

[Just to clarify…]

Fresh install with unique names and a couple of additional tests. It looks like shares are working as long as I have guest enabled. One of the tests indicates the user is being authenticated, however the file is not? I’m going to see what ls -l shows me and add it to the bottom of this output. I’m currently installing a dedicated Ubuntu Samba AD to see what happens. I need to note the neth environment has been very reliable for me so wondering what I have done here :wink:

Domain zrchq.local
NetBIOS domain name: ZRCHQ
LDAP server: 192.168.100.96
LDAP server name: nsdc-files.zrchq.local
Realm: ZRCHQ.LOCAL
Bind Path: dc=ZRCHQ,dc=LOCAL
LDAP port: 389
Server time: Thu, 07 Nov 2019 13:33:14 EST
KDC server: 192.168.100.96
Server time offset: 0
Last machine account password change: Thu, 07 Nov 2019 13:14:46 EST

Join is OK

whenCreated: 20191107181445.0Z
whenChanged: 20191107181445.0Z
name: files
objectSid: S-1-5-21-2696135020-1594646949-2149067568-1104
accountExpires: 9223372036854775807
sAMAccountName: files$
pwdLastSet: 132176240855268580
dNSHostName: files.zrchq.local
servicePrincipalName: HOST/FILES
servicePrincipalName: HOST/files.zrchq.local
lastLogon: 132176250353129480
distinguishedName: CN=files,CN=Computers,DC=zrchq,DC=local




[root@files admin]# smbclient -d 10 -U "test@$(config getprop sssd Realm)" //$(hostname)/share01
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter workgroup = ZRCHQ
doing parameter server string = NethServer 7.7.1908 final (Samba %v)
doing parameter security = ADS
doing parameter realm = ZRCHQ.LOCAL
doing parameter kerberos method = secrets and keytab
doing parameter password server = nsdc-files.zrchq.local
doing parameter netbios name = FILES
Processing section "[global]"
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 50
doing parameter deadtime = 10080
doing parameter netbios aliases =
doing parameter wins server =
doing parameter remote announce =
doing parameter remote browse sync =
doing parameter map to guest = Bad User
doing parameter obey pam restrictions = yes
doing parameter idmap config * : backend = tdb
doing parameter idmap config * : range = 10000-99999
doing parameter idmap config ZRCHQ : backend = nss
doing parameter idmap config ZRCHQ : range = 200000-2147483647
doing parameter inherit owner = no
doing parameter full_audit:prefix = smbauditlog|%T|%u|%I|%S|%U
doing parameter full_audit:success = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:failure = read write open unlink mkdir rmdir rename chmod
doing parameter full_audit:facility = LOCAL7
doing parameter full_audit:priority = INFO
Processing section "[global]"
pm_process() returned Yes
lp_servicenumber: couldn't find homes
messaging_dgm_ref: messaging_dgm_init returned Success
messaging_dgm_ref: unique = 15007052572931451870
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
Registering messaging pointer for type 51 - private_data=(nil)
messaging_init_internal: my id: 11772
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface br0 ip=192.168.100.65 bcast=192.168.100.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="FILES"
Client started (version 4.9.1).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
sitename_fetch: Returning sitename for realm 'ZRCHQ.LOCAL': "Default-First-Site-Name"
internal_resolve_name: looking up files.zrchq.local#20 (sitename Default-First-Site-Name)
gencache_set_data_blob: Adding cache entry with key=[NBT/FILES.ZRCHQ.LOCAL#20] and timeout=[Wed Dec 31 07:00:00 PM 1969 EST] (-1573151498 seconds in the past)
no entry for files.zrchq.local#20 found.
resolve_hosts: Attempting host lookup for name files.zrchq.local<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for files.zrchq.local#20: 192.168.100.65
gencache_set_data_blob: Adding cache entry with key=[NBT/FILES.ZRCHQ.LOCAL#20] and timeout=[Thu Nov  7 01:42:38 PM 2019 EST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 192.168.100.65:0
Connecting to 192.168.100.65 at port 445
Socket options:
        SO_KEEPALIVE = 0
        SO_REUSEADDR = 0
        SO_BROADCAST = 0
        TCP_NODELAY = 1
        TCP_KEEPCNT = 9
        TCP_KEEPIDLE = 7200
        TCP_KEEPINTVL = 75
        IPTOS_LOWDELAY = 0
        IPTOS_THROUGHPUT = 0
        SO_REUSEPORT = 0
        SO_SNDBUF = 2626560
        SO_RCVBUF = 1061296
        SO_SNDLOWAT = 1
        SO_RCVLOWAT = 1
        SO_SNDTIMEO = 0
        SO_RCVTIMEO = 0
        TCP_QUICKACK = 1
        TCP_DEFER_ACCEPT = 0
 session request ok
 negotiated dialect[SMB3_11] against server[files.zrchq.local]
got OID=1.2.840.48018.1.2.2
Enter test@ZRCHQ.LOCAL's password:
cli_session_creds_prepare_krb5: Doing kinit for test@ZRCHQ.LOCAL to access files.zrchq.local
kerberos_kinit_password: as test@ZRCHQ.LOCAL using [MEMORY:cliconnect] as ccache and config [(null)]
cli_session_creds_prepare_krb5: Successfully authenticated as test@ZRCHQ.LOCAL to access files.zrchq.local using Kerberos
cli_session_setup_spnego_send: Connect to files.zrchq.local as test@ZRCHQ.LOCAL using SPNEGO
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55f569187dc0]: subreq: 0x55f569185300
gensec_update_send: spnego[0x55f569186c60]: subreq: 0x55f569187620
gensec_update_done: gse_krb5[0x55f569187dc0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f569185300/../source3/librpc/crypto/gse.c:841]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x55f5691854b0)] timer[(nil)] finish[../source3/librpc/crypto/gse.c:851]
gensec_update_done: spnego[0x55f569186c60]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f569187620/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55f5691877d0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
SPNEGO login failed: {Operation Failed} The requested operation was unsuccessful.
session setup failed: NT_STATUS_UNSUCCESSFUL
[root@files admin]#


* note: initially made a typo in the user name and it displayed the same output with no error
[root@files admin]# smbclient -U ZRCHQ\\test -L 192.168.100.65
Enter ZRCHQ\test's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer drivers
        share01         Disk      share01
        IPC$            IPC       IPC Service (NethServer 7.7.1908 final (Samba 4.9.1))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        NAS                  ZRC
        WORKGROUP            FILES
[root@files admin]#


*share01 has domain user group and test user acl rw
[root@files admin]# smbclient //192.168.100.65/share01 -U test
Enter ZRCHQ\test's password:
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@files admin]# ls -al /var/lib/nethserver/ibay/share01
total 0
drwxrws---. 2 root domain users@zrchq.local  6 Nov  7 13:23 .
drwxrwxr-x. 3 root root                     21 Nov  7 13:23 ..



*share01 enabled guest rw
[root@files admin]# smbclient //192.168.100.65/share01 -U test
Enter ZRCHQ\test's password:
Try "help" to get a list of possible commands.
smb: \> l
  .                                   D        0  Thu Nov  7 13:23:17 2019
  ..                                  D        0  Thu Nov  7 13:23:17 2019

                2141317572 blocks of size 1024. 2138325184 blocks available

[root@files admin]# ls -al /var/lib/nethserver/ibay/share01
total 0
drwxrwsrwx. 2 root domain users@zrchq.local  6 Nov  7 13:23 .
drwxrwxr-x. 3 root root                     21 Nov  7 13:23 ..

Hi psionprime,

*share01 enabled guest rw

Can you touch a file?

Michel-André

Please note that you have a different error now.

Let’s try the following

  1. create a new share from scratch (no guest permissions)

  2. Connect with a different domain syntax

    smbclient -d 10 -U ZRCHQ\\test //FILES/shareNEW
    

As an alternative

  kinit test
  smbclient -d 10 -k //FILES/shareNEW

@michelandre - Yes, as guest rw can create edit delete

@davidep - working on it :slight_smile:

I added ZRCHQ to the FILES host files for giggles. Nothing. Removed it. It works. o_O! The system shared fine when connecting from an Ubuntu 18.04 based host. A Windows 10 Pro with current updates did not connect. I managed to connect after some research.

The Windows 10 connect required a change described at this StackExchange post. I’ll supply the sentences so it can be searched:

Run > Secpol.msc

then I set Local Policies > Security Options > Network Security: LAN Manager authentication level to 'Send NTLMv2 response only. Refuse LM & NTLM'

I’m glad it is working but there is a hole in my knowledge of what was/is going on that needs filled. I don’t like magic solutions. I do appreciate the assistance I found here!