Users keep getting prompted for login but can't browse (CIFS - Active Directory)


HelloWill (Dabbler; joined May 3, 2016; 20 messages)
We have a FreeNAS box running 9.10.2 that is connected to a Server 2012 AD Domain.

Everything was working fine until about 2 hours ago, after which users could no longer access shares.

Information:
  • wbinfo reported trust issues
  • NTP was out of sync by 2 minutes (using DC as the NTP server)
  • AD users would continually get prompted for username / password, but could not browse any directories
  • root user account works totally fine via Windows through CIFS share
  • Web UI works fine
  • SSH works fine
  • Box load minimal

[2017/02/09 16:02:03.468747, 1] ../auth/gensec/spnego.c:541(gensec_spnego_parse_negTokenInit)
SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

Troubleshooting Steps
  • Rebooted the box
  • Disabled and re-enabled AD connection
  • Restarted Samba
  • Restarted ntpd (fixed sync issue)
  • Rebooted both domain controllers
  • Cleared AD cache on FreeNAS
  • Disconnected from domain and rejoined

Now after a period of time, wbinfo -t shows "success"
wbinfo -u shows all our users
root user can still connect no problem
All AD accounts still are unable to connect

Thoughts?

We're dead in the water.

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
There was a period of time in which this would happen to me after major FreeNAS version upgrades / system changes / reboots. I believe that the old stale SMB tree connections in mapped network drives can cause 'access denied' errors. Try having the client log out and log back in on the client machine. That often will clear up these sorts of "access denied" errors.
 

HelloWill (Dabbler; joined May 3, 2016; 20 messages)
We've rejoined the box to the domain and that seems to have solved the issue; however, we are still seeing some random issues.

A few users are not able to connect to the shares. It will continually prompt them for username/password and then kick out an access denied error.

One user's workstation was working fine yesterday, but today she is completely unable to log in from any machine, including a VM that we used for testing.

Errors we're seeing:
[2017/02/17 09:20:39.762291, 1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/02/17 09:20:41.168736, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
[2017/02/17 09:20:41.168841, 1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
[2017/02/17 09:20:42.361410, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
[2017/02/17 09:20:42.361484, 1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
What idmap backend are you using? Post details of your idmap config or ...
Perhaps post contents of /usr/local/etc/smb4.conf.
 

HelloWill (Dabbler; joined May 3, 2016; 20 messages)
Code:
[global]
    server min protocol = SMB2_02
    server max protocol = SMB3_02
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 3770741
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = Storinator
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = no
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    server role = member server
    workgroup = DETROIT
    realm = DETROIT.HELLOINNOVATION.COM
    security = ADS
    client use spnego = yes
    cache directory = /var/tmp/.cache/.samba
    local master = no
    domain master = no
    preferred master = no
    ads dns update = no
    winbind cache time = 7200
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = no
    winbind refresh tickets = yes
    idmap config DETROIT: backend = rid
    idmap config DETROIT: range = 20000-90000000
    allow trusted domains = no
    client ldap sasl wrapping = plain
    template shell = /bin/sh
    template homedir = /home/%D/%U
    netbios name = HIPOD
    pid directory = /var/run/samba
    create mask = 0666
    directory mask = 0777
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 1
    full_audit:prefix = %u|%I|%S
    full_audit:failure = connect
    full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod fchmod chown fchown chdir ftruncate lock symlink readlink link mknod realpath
    full_audit:facility = LOCAL5
    full_audit:priority = NOTICE


[Main]
    path = /mnt/tank/Main64
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    shadow:snapdir = .zfs/snapshot
    shadow:sort = desc
    shadow:localtime = yes
    shadow:format = auto-%Y%m%d.%H%M-1y
    shadow:snapdirseverywhere = yes
    vfs objects = shadow_copy2 zfs_space zfsacl recycle
    hide dot files = no
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    vfs objects = shadow_copy2 streams_xattr zfs_space zfsacl aio_pthread full_audit
    veto files = /.snapshot/.windows/.mac/.zfs/.Ds_Store/thumbs.db/desktop.ini/.recycle/_gsdata_/DfsrPrivate
    delete veto files = yes


[Video]
    path = /mnt/tank/Video
    printable = no
    veto files = /.snapshot/.windows/.mac/.zfs/
    writeable = yes
    browseable = yes
    vfs objects = zfs_space zfsacl
    hide dot files = yes
    guest ok = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare
    vfs objects = streams_xattr zfs_space zfsacl aio_pthread full_audit
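As an added illustration (not code from the thread or from FreeNAS), the script below checks whether the uid in the "getpwuid(21246) failed" lines is the one the idmap_rid formula (ID = RID - base_rid + low end of the range, base_rid defaulting to 0) produces from the posted "idmap config DETROIT" range. When the two agree, winbind computed the SID-to-uid mapping as configured and the failure lies in resolving that uid back through NSS/winbind, which is the layer to look at next rather than the idmap settings. The log lines and idmap settings are constructed from this thread; the verdict strings are my own.

```python
import re

# Sample input constructed from the log lines and idmap settings quoted in this thread.
LOG = """[2017/02/17 09:20:41.168736, 1] ../source3/auth/token_util.c:430(add_local_groups)
SID S-1-5-21-1393113601-3259814849-2442191995-1246 -> getpwuid(21246) failed
[2017/02/17 09:20:41.168841, 1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)"""

SMB_CONF = """[global]
    idmap config *: backend = tdb
    idmap config *: range = 90000001-100000000
    idmap config DETROIT: backend = rid
    idmap config DETROIT: range = 20000-90000000
"""

IDMAP_RE = re.compile(r"idmap config (\S+)\s*:\s*(backend|range|base_rid)\s*=\s*(\S+)")
FAIL_RE = re.compile(r"SID (S-1-5-21-(?:\d+-){3}(\d+)) -> getpwuid\((\d+)\) failed")


def parse_idmap(conf):
    """Collect 'idmap config <domain>: <key> = <value>' lines per domain."""
    cfg = {}
    for domain, key, val in IDMAP_RE.findall(conf):
        cfg.setdefault(domain, {})[key] = val
    return cfg


def rid_expected_uid(rid, dom_cfg):
    """idmap_rid formula: ID = RID - base_rid + low end of range; None if outside the range."""
    low, high = (int(x) for x in dom_cfg["range"].split("-"))
    uid = rid - int(dom_cfg.get("base_rid", 0)) + low
    return uid if low <= uid <= high else None


def diagnose(log, conf, domain="DETROIT"):
    """For each getpwuid() failure, compare the uid Samba tried with the rid formula."""
    dom_cfg = parse_idmap(conf)[domain]
    findings = []
    for sid, rid, uid_tried in FAIL_RE.findall(log):
        rid, uid_tried = int(rid), int(uid_tried)
        expected = rid_expected_uid(rid, dom_cfg) if dom_cfg.get("backend") == "rid" else None
        if expected == uid_tried:
            verdict = "mapping matches rid formula; uid is not resolvable via NSS/winbind"
        elif expected is None:
            verdict = "rid not covered by the configured range/backend"
        else:
            verdict = "uid differs from rid formula; check for an earlier idmap config or cache"
        findings.append({"sid": sid, "rid": rid, "uid": uid_tried, "expected": expected, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG, SMB_CONF):
        print(finding)
```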

 

anodos (Sambassador, iXsystems; joined Mar 6, 2014; 9,554 messages)
Try removing full_audit VFS object and any unnecessary auxiliary parameters. Then restart samba, verify that it has successfully joined the domain, log off a client machine, then log back in, and connect to the FreeNAS server via SMB.

Also, post contents of /var/log/samba4/log.wb-<domain>.
 