Good afternoon,
I have spent two days trying to figure out what's going on. It started with a few users, but it escalated quickly to just the domain admin being able to connect if I try to browse to the share from the domain controller itself.
On the first day I managed to get in by IP address after removing the old file servers from the DNS entry (saw in a post). Whenever I try to log in I get prompted for the username and password, and it fails with access denied. I get the following message:
Code:
../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/HOSTNAME.DOMAIN@DOMAIN (kvno 2) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
It didn't work and now I can't even access the share through its IP address (which I could before). I get prompted for a password and it says: access denied. There is also this error in log.wb-DOMAIN:
Code:
../source3/winbindd/winbindd_pam.c:1500(winbind_samlogon_retry_loop)
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN
Code:
net ads info -U admin ---> works
net ads info -U anyuser ---> works

wbinfo -u | wc -l
56
wbinfo -g | wc -l
67
wbinfo -t succeeded
wbinfo --ping-dc succeeded

wbinfo - 'DOMAIN\user'
user:*:24670:20513:user name:/home/DOMAIN/user:/bin/sh

getfacl /mnt/Cif_Share/
# file: /mnt/Cif_Share/
# owner: root
# group: wheel
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow

getfacl /mnt/Cif_Share/Antivirus/
# file: /mnt/Cif_Share/Antivirus/
# owner: serveradmin
# group: domain users
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWcCos:fd-----:allow
everyone@:r-x---a-R-c---:fd-----:allow
Testparm shows no errors
Code:
# Global parameters
[global]
    bind interfaces only = Yes
    dos charset = CP437
    interfaces = 127.0.0.1 192.168.2.249
    realm = DOMAIN
    server string = Office File Server
    workgroup = DOMAIN
    domain master = No
    lm announce = Yes
    local master = No
    preferred master = No
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    client ldap sasl wrapping = plain
    logging = file
    max log size = 51200
    kernel change notify = No
    panic action = /usr/local/libexec/samba/samba-backtrace
    pid directory = /var/run/samba
    disable spoolss = Yes
    load printers = No
    printcap name = /dev/null
    allow trusted domains = No
    map to guest = Bad User
    obey pam restrictions = Yes
    security = ADS
    server role = member server
    deadtime = 15
    hostname lookups = Yes
    max open files = 939359
    template shell = /bin/sh
    winbind cache time = 7200
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    dns proxy = No
    idmap config ionic-office: range = 20000-90000000
    idmap config ionic-office: backend = rid
    idmap config *: range = 90000001-100000000
    idmap config * : backend = tdb
    store dos attributes = Yes
    strict locking = No
    directory name cache size = 0
    dos filemode = Yes
    acl allow execute always = Yes
    ea support = Yes
    create mask = 0666
    directory mask = 0777

[Antivirus]
    path = "/mnt/Cif_Share/Antivirus"
    veto files = /.snapshot/.windows/.mac/.zfs/
    read only = No
    vfs objects = zfs_space zfsacl streams_xattr aio_pthread
    zfsacl:acesort = dontcare
    nfs4:chown = true
    nfs4:acedup = merge
    nfs4:mode = special
Completely baffled, I don't know what else to do.
I reverted back to 11.0-u4 as I had the config file but the issue persists. Deleted all cif shares and recreated just 1 for now, same problem.
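Added example, not part of the original post: a small triage script that turns the two log excerpts quoted above into structured fields (SPN, realm, kvno, keytab, enctype, sam_logon status) and reports whether the Kerberos and the sam_logon paths are failing together. The function names are hypothetical, the sample text is the post's own redacted log lines with "keytab" spelled out, and the optional `[timestamp, level]` prefix the header pattern accepts is an assumption about how unmodified Samba logs look.

```python
import re

# Log lines as quoted in the post (host and realm were redacted by the poster).
SAMPLE_LOG = """\
../source3/librpc/crypto/gse.c:649(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/HOSTNAME.DOMAIN@DOMAIN (kvno 2) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
../source3/winbindd/winbindd_pam.c:1500(winbind_samlogon_retry_loop)
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the DC has Restrict NTLM set or the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN
"""

# "file.c:line(function)" header, optionally preceded by "[timestamp, level]".
HEADER = re.compile(r"^(?:\[.*?\]\s+)?(\S+\.c):(\d+)\((\w+)\)\s*$")
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<spn>\S+)@(?P<realm>\S+) \(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
SAMLOGON = re.compile(r"sam_logon returned (?P<status>\w+).*domain (?P<domain>\S+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append({"func": m.group(3), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def triage(text):
    """Return one structured finding per recognised failure message."""
    findings = []
    for e in parse_entries(text):
        k = KEYTAB_MISS.search(e["msg"])
        if k:
            findings.append({"kind": "keytab_miss", **k.groupdict(), "kvno": int(k["kvno"])})
        s = SAMLOGON.search(e["msg"])
        if s:
            findings.append({"kind": "samlogon_denied", **s.groupdict()})
    return findings

def both_auth_paths_failing(findings):
    """True when the Kerberos keytab lookup and sam_logon both fail in this log set."""
    return {"keytab_miss", "samlogon_denied"} <= {f["kind"] for f in findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), both_auth_paths_failing(triage(SAMPLE_LOG)))
```

The extracted kvno and enctype are the values to compare against what the member server's keytab and the DC's computer account actually hold.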