Nt_printing_init error checking published printers werr_access_denied

[Samba] Samba upgrade problem with ADS

Nitin Thakur
Sep 5, 2012, 6:20:01 AM

Hi gurus

My samba upgrade woes: -

I have to run 2 instances of samba, one for dev and one for UAT. Both instances are giving me a hard time after the upgrade.

One instance keeps giving me the following error: -

connect_to_domain_password_server: unable to open the domain client session to machine xxxxx.xxxxx.xxxxx.xxxxxxx.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 16:19:36.993000, 0] auth/auth_domain.c:292(domain_client_validate)

It returns this error for all the password servers. I deleted the server from AD and tried to rejoin the domain. It did join the domain but returned the error: -


# /opt/local/samba/bin/net -s /opt/local/samba/lib/smb.conf.dev ads join -U admin
Enter admin's password:
Using short domain name -- XXXX
Joined 'XXXX' to realm 'xxxx.xxxx.xxxx.com'
DNS Update for xxxxx.xxxx.xx.xxxxxxx.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!

Since then it keeps giving me this error: -
[2012/09/04 21:43:10.299657, 0] smbd/server.c:1109(main)
standard input is not a socket, assuming -D option
[2012/09/04 21:43:10.606915, 0] libads/kerberos_util.c:101(ads_kinit_password)
kerberos_kinit_password [email protected] failed: Preauthentication failed
[2012/09/04 21:43:10.608476, 0] printing/nt_printing.c:102(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED


Moving on to the other instance: -

[2012/09/04 15:51:47.207600, 5] rpc_client/cli_pipe.c:738(rpc_api_pipe_send)
rpc_api_pipe: host XXXXXX.XXXXX.XXXXX.XXXXXX.COM
[2012/09/04 15:51:47.209191, 5] rpc_client/cli_pipe.c:97(rpc_read_send)
rpc_read_send: data_to_read: 52
[2012/09/04 15:51:47.209422, 5] rpc_client/cli_pipe.c:1521(check_bind_response)
check_bind_response: accepted!
[2012/09/04 15:51:47.209687, 5] passdb/passdb.c:2365(get_trust_pw_clear)
get_trust_pw_clear: could not fetch clear text trust account password for domain XXXXXX
[2012/09/04 15:51:47.209844, 5] passdb/machine_account_secrets.c:267(secrets_fetch_trust_account_password_legacy)
secrets_fetch failed!
[2012/09/04 15:51:47.209998, 5] passdb/passdb.c:2403(get_trust_pw_hash)
get_trust_pw_hash: could not fetch trust account password for domain XXXXXXX
[2012/09/04 15:51:47.210109, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
get_schannel_session_key: could not fetch trust account password for domain 'XXXXX'
[2012/09/04 15:51:47.211665, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
cli_rpc_pipe_open_schannel: failed to get schannel session key from server XXXXXXX.XXXXXXXXX.XXXXXXX.XXXXXX.COM for domain XXXXXX.
[2012/09/04 15:51:47.211845, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine XXXXXXXX.XXXXXXXX.XXXX.XXXXXXXX.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 15:51:47.213484, 0] auth/auth_domain.c:292(domain_client_validate)
domain_client_validate: Domain password server not available.
[2012/09/04 15:51:47.213654, 5] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: winbind authentication for user [XXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213779, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [XXXXX] -> [XXXXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213950, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Here is the smbd.conf for 1st instance
#======================= Global Settings =====================================
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX
workgroup = XXXXX
server string = XXXX Samba Server ver %v
security = ADS
log file = /opt/local/samba/dev/logs/log.%m
max log size = 50
password server = xxxxxx.xxxx.xxxx.xxxxxxx.com, xxxx.xxxx.xxxx.xxxxxxx.com
encrypt passwords = yes
realm = XXXXXXX.XXXX.XXXXXXXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/dev/private
private dir = /opt/local/samba/dev/private
username map = /opt/local/samba/dev/users.map
pid directory = /opt/local/samba/dev
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/var/dev/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[share]
comment = share
path = /share
read only = No
create mask = 0774
browseable = yes
preserve case = yes


and smb.conf.uat for second instance
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX-UAT
workgroup = XXXXX
server string = XXXX-UAT Samba Server ver %v
security = ADS
map untrusted to domain = Yes
log file = /opt/local/samba/uat/logs/log.%m
log level = 5
max log size = 50
password server = xxx.xxx.xxx.xxxx.xxx xxxx.xxxx.xxxx.xxxx.com
encrypt passwords = yes
realm = XXXXX.XXXX.XXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/uat/private
private dir = /opt/local/samba/uat/private
username map = /opt/local/samba/uat/users.map
pid directory = /opt/local/samba/uat
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/uat/var/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[uat-share]
comment = uat-share
path = /uat-share
read only = No
create mask = 0774
browseable = yes


-------------------------------------------------------------------------------------------------------

I am using: -
krb5-1.10.3
openldap-2.4.31
samba-3.6.7


The same config files work fine with: -
krb5-1.7
openldap-2.4.16
samba-3.3.5


Any pointers?

Thanks

Nitin

Andrew Bartlett
Sep 5, 2012, 8:30:01 AM

On Tue, 2012-09-04 at 22:10 -0400, Nitin Thakur wrote:
> hi gurus
>
> My samba upgrade woes: -
>
> I have to run 2 instances of samba one for dev and one for UAT. both the instances are giving me hard time after the upgrade.
>
> One instance keeps giving me following error: -
>
> connect_to_domain_password_server: unable to open the domain client session to machine xxxxx.xxxxx.xxxxx.xxxxxxx.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> [2012/09/04 16:19:36.993000, 0] auth/auth_domain.c:292(domain_client_validate)

that means it could not find the domain password in secrets.tdb. When
you upgraded, did you either copy the secrets.tdb to the new prefix, or
use the same prefix?

This doesn't explain the re-join issues, unless you are mixing up a
'net' binary from one release (and prefix) with smbd/winbindd from the
other however.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Nitin Thakur
Sep 5, 2012, 4:10:01 PM

How about I get rid of the secrets file altogether?

Nitin Thakur

Andrew Bartlett
Sep 7, 2012, 4:50:01 AM

On Wed, 2012-09-05 at 12:07 +0000, Nitin Thakur wrote:
> how about i get rid of secrets file all together?

You can delete secrets.tdb and secrets.ldb if either exists.

Nitin Thakur
Sep 7, 2012, 5:50:01 AM

Andrew Bartlett
Sep 7, 2012, 6:00:02 AM

On Fri, 2012-09-07 at 01:41 +0000, Nitin Thakur wrote:
> is it possible to run samba with ad without winbind?

It isn't recommended, and won't help the issue you are having.

I am trying to set up a samba server as part of a freeipa domain. I'd like users on windows machines from two trusted AD domains to access shares on the server (both users and computers are in the trusted AD domains).

I've been through the docs (RHEL 8 "Setting up Samba on an IDM domain member", https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA) and built a couple of servers using CentOS 8; results are the same each time -- no worky.

These servers integrate with Freeipa fine -- users from both trusted AD domains can SSH in etc. But errors are legion in samba. Both IPA and AD domains (and the trust relationships) have been in production for a while working fine so I'm pretty confident DNS is ok. Kerberos seems to be working fine too as I can kinit users in all domains OK from the samba box. I'm confident firewalls are not blocking anything. I'm thinking it's winbind that is the key problem, with it somehow not being able to auth to the AD domains, but I'm not experienced with Samba/winbind so I'm struggling after all day on it. Any guidance would be appreciated.

-----
[[email protected] samba]# cat log.smbd
[2020/03/03 18:49:25.650974, 0] ../../source3/smbd/server.c:1782(main)
  smbd version 4.10.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/03/03 18:49:25.651595, 2] ../../source3/lib/tallocmsg.c:56(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2020/03/03 18:49:25.651616, 2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2020/03/03 18:49:25.651658, 3] ../../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2020/03/03 18:49:25.651703, 3] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2020/03/03 18:49:25.651773, 3] ../../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2020/03/03 18:49:25.651976, 2] ../../source3/param/loadparm.c:2803(lp_do_section)
  Processing section "[transfer]"
[2020/03/03 18:49:25.652112, 3] ../../source3/param/loadparm.c:1621(lp_add_ipc)
  adding IPC service
[2020/03/03 18:49:25.652353, 2] ../../source3/lib/interface.c:345(add_interface)
  added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.652401, 3] ../../source3/smbd/server.c:1851(main)
  loaded services
[2020/03/03 18:49:25.662297, 1] ../../source3/profile/profile.c:51(set_profile_level)
  INFO: Profiling turned OFF from pid 2872
[2020/03/03 18:49:25.662333, 3] ../../source3/smbd/server.c:1871(main)
  Standard input is not a socket, assuming -D option
[2020/03/03 18:49:25.662347, 3] ../../source3/smbd/server.c:1883(main)
  Becoming a daemon.
[2020/03/03 18:49:25.662669, 2] ../../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2020/03/03 18:49:25.667658, 3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib64/samba/pdb/tdbsam.so' loaded
[2020/03/03 18:49:25.670380, 3] ../../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2020/03/03 18:49:25.708568, 3] ../../source3/rpc_server/svcctl/srv_svcctl_reg.c:565(svcctl_init_winreg)
  Initialise the svcctl registry keys if needed.
[2020/03/03 18:49:25.710710, 3] ../../source3/rpc_server/eventlog/srv_eventlog_reg.c:59(eventlog_init_winreg)
  Initialise the eventlog registry keys if needed.
[2020/03/03 18:49:25.711103, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
[2020/03/03 18:49:25.711395, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list)
  get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.716447, 3] ../../source3/libads/ldap.c:636(ads_connect)
  Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.716507, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list)
  get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.717755, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list)
  get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.720066, 3] ../../source3/libads/ldap.c:636(ads_connect)
  Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.729787, 3] ../../source3/libads/ldap.c:679(ads_connect)
  Connected to LDAP server ld9-cont-idm2.idm.domain.lan
[2020/03/03 18:49:25.733298, 3] ../../source3/printing/nt_printing_ads.c:650(check_published_printers)
  ads_connect failed: No results returned
[2020/03/03 18:49:25.733672, 0] ../../source3/printing/nt_printing.c:249(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2020/03/03 18:49:25.733738, 3] ../../source3/printing/queue_process.c:328(start_background_queue)
  start_background_queue: Starting background LPQ thread
[2020/03/03 18:49:25.736685, 1] ../../source3/printing/printer_list.c:234(printer_list_get_last_refresh)
  Failed to fetch record!
[2020/03/03 18:49:25.736760, 2] ../../source3/smbd/server.c:1415(smbd_parent_loop)
  waiting for connections
[2020/03/03 18:49:25.737512, 3] ../../source3/printing/pcap.c:140(pcap_cache_reload)
  reloading printcap cache
[2020/03/03 18:49:25.738321, 3] ../../source3/printing/pcap.c:194(pcap_cache_reload)
  reload status: ok
[2020/03/03 18:49:25.739690, 3] ../../source3/printing/print_cups.c:158(cups_connect)
  Unable to connect to CUPS server localhost:631 - Bad file descriptor
[2020/03/03 18:49:25.740315, 3] ../../source3/printing/print_cups.c:536(cups_async_callback)
  failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2020/03/03 18:49:25.740359, 2] ../../lib/util/tevent_debug.c:66(samba_tevent_debug)
  samba_tevent: EPOLL_CTL_DEL EBADF for fde[0x557b78295c20] mpx_fde[(nil)] fd[15] - disabling

-----
[[email protected] samba]# cat log.winbindd
[2020/03/03 18:49:25.540832, 0] ../../source3/winbindd/winbindd.c:1731(main)
  winbindd version 4.10.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/03/03 18:49:25.541626, 2] ../../source3/lib/tallocmsg.c:56(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2020/03/03 18:49:25.541648, 2] ../../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2020/03/03 18:49:25.541685, 3] ../../source3/param/loadparm.c:3872(lp_load_ex)
  lp_load_ex: refreshing parameters
[2020/03/03 18:49:25.541729, 3] ../../source3/param/loadparm.c:550(init_globals)
  Initialising global parameters
[2020/03/03 18:49:25.541748, 2] ../../source3/param/loadparm.c:322(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2020/03/03 18:49:25.541812, 3] ../../source3/param/loadparm.c:2786(lp_do_section)
  Processing section "[global]"
[2020/03/03 18:49:25.542292, 2] ../../source3/lib/interface.c:345(add_interface)
  added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.542439, 2] ../../source3/lib/interface.c:345(add_interface)
  added interface ens160 ip=10.13.10.46 bcast=10.13.10.255 netmask=255.255.255.0
[2020/03/03 18:49:25.544253, 2] ../../source3/passdb/pdb_interface.c:161(make_pdb_method_name)
  No builtin backend found, trying to load plugin
[2020/03/03 18:49:25.549553, 3] ../../lib/util/modules.c:167(load_module_absolute_path)
  load_module_absolute_path: Module '/usr/lib64/samba/pdb/tdbsam.so' loaded
[2020/03/03 18:49:25.549763, 0] ../../source3/winbindd/winbindd_cache.c:3166(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version number 2
[2020/03/03 18:49:25.552125, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
  add_trusted_domain: Added domain [BUILTIN] [(null)] [S-1-5-32]
[2020/03/03 18:49:25.552184, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
  add_trusted_domain: Added domain [NER-CONT-TFER01] [(null)] [S-1-5-21-3888470300-4080800567-3624582073]
[2020/03/03 18:49:25.552238, 3] ../../source3/winbindd/winbindd_util.c:297(add_trusted_domain)
  add_trusted_domain: Added domain [IDM] [IDM.CONTENT.domain.lan] [S-1-5-21-2682878861-151095253-3776833076]
[2020/03/03 18:49:25.552602, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
[2020/03/03 18:49:25.704494, 3] ../../source3/winbindd/winbindd_misc.c:432(winbindd_interface_version)
  winbindd_interface_version: [smbd (2872)]: request interface version (version = 31)
[2020/03/03 18:49:25.704604, 3] ../../source3/winbindd/winbindd_misc.c:407(winbindd_ping)
  winbindd_ping: [smbd (2872)]: ping
[2020/03/03 18:49:25.795046, 1] ../../source3/winbindd/winbindd_util.c:442(trustdom_list_done)
  trustdom_list_done: Could not receive trusts for domain IDM

-----
[[email protected] samba]# cat log.wb-IDM
[2020/03/03 18:49:25.568371, 3] ../../source3/winbindd/winbindd_cm.c:2148(connection_ok)
  connection_ok: Connection to (null) for domain IDM is not connected
[2020/03/03 18:49:25.580016, 3] ../../source3/libads/ldap.c:636(ads_connect)
  Successfully contacted LDAP server 10.17.10.60
[2020/03/03 18:49:25.580096, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list)
  get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.591042, 3] ../../source3/libsmb/namequery.c:3112(get_dc_list)
  get_dc_list: preferred server list: "ld9-cont-idm2.idm.domain.lan, *"
[2020/03/03 18:49:25.613487, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.17.10.60 at port 445
[2020/03/03 18:49:25.658699, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2020/03/03 18:49:25.658913, 3] ../../source3/libsmb/cliconnect.c:273(cli_session_creds_prepare_krb5)
  got OID=1.2.840.48018.1.2.2
[2020/03/03 18:49:25.696869, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2020/03/03 18:49:25.696927, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2020/03/03 18:49:25.696942, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2020/03/03 18:49:25.696954, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'spnego' registered
[2020/03/03 18:49:25.696970, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'schannel' registered
[2020/03/03 18:49:25.696983, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2020/03/03 18:49:25.696996, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2020/03/03 18:49:25.697008, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2020/03/03 18:49:25.697019, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/03/03 18:49:25.697031, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_basic' registered
[2020/03/03 18:49:25.697043, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2020/03/03 18:49:25.697055, 3] ../../auth/gensec/gensec_start.c:977(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2020/03/03 18:49:25.774922, 3] ../../source3/winbindd/winbindd_misc.c:291(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: [ 2869]: list trusted domains
[2020/03/03 18:49:25.774969, 3] ../../source3/winbindd/winbindd_ads.c:1400(trusted_domains)
  ads: trusted_domains
[2020/03/03 18:49:25.775303, 3] ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2020/03/03 18:49:25.775766, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.17.10.60 at port 135
[2020/03/03 18:49:25.777290, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.17.10.60 at port 49152
[2020/03/03 18:49:25.790440, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.17.10.60 at port 135
[2020/03/03 18:49:25.792367, 3] ../../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 10.17.10.60 at port 49152
[2020/03/03 18:49:25.794491, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host ld9-cont-idm2.idm.domain.lan!
[2020/03/03 18:49:25.794528, 3] ../../source3/winbindd/winbindd_ads.c:1400(trusted_domains)
  ads: trusted_domains
[2020/03/03 18:49:25.794913, 1] ../../source3/rpc_client/cli_pipe.c:569(cli_pipe_validate_current_pdu)
  ../../source3/rpc_client/cli_pipe.c:569: RPC fault code DCERPC_NCA_S_OP_RNG_ERROR received from host ld9-cont-idm2.idm.domain.lan!
[2020/03/03 18:49:25.794945, 3] ../../source3/winbindd/winbindd_misc.c:297(winbindd_dual_list_trusted_domains)
  winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE

-----
There are no users in the IDM domain, but there are groups, yet wbinfo doesn't turn them up:

[[email protected] samba]# wbinfo -g
[[email protected] samba]#

-----
wbinfo can lookup the trusted domains, but doesn't show them as trusted:

[[email protected] samba]# wbinfo --getdcname=AD
dc2 (no domain portion)
[[email protected] samba]# wbinfo --getdcname=MOPO
dc1.mopo.lan
[[email protected] samba]# wbinfo -m
BUILTIN
NER-CONT-TFER01
IDM

-----
klist shows the principal correctly I think:

[[email protected] samba]# klist -k /etc/samba/samba.keytab
Keytab name: FILE:/etc/samba/samba.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifs/ner-cont-tfer01.idm.domain.lan(a)IDM.DOMAIN.LAN
   1 cifs/ner-cont-tfer01.idm.domain.lan(a)IDM.DOMAIN.LAN
   1 cifs/ner-cont-tfer01.idm.domain.lan(a)IDM.DOMAIN.LAN

-----
Any pointers appreciated!

On Tue, 03 Mar 2020, C T via FreeIPA-users wrote:

...

Your details are not enough. Could you please show exactly what you ran to set up the file server and what problems you see. No need to show Samba logs without that first.

The instructions in RHEL 8 documentation (basically, have RHEL 8.1 machines for IPA master and IPA client, install and run ipa-client-samba tool and start smb/winbind services) should be enough. Anything else is not needed and should not be needed.

Do not look into wbinfo output, it is misleading and is not really relevant here. Show how you set things up.

We have SMB setup tested every week in upstream CI, for both IPA users and trusted AD users and there are no issues for quite some time:

Fedora 31: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/cb96c...
Fedora 30: http://freeipa-org-pr-ci.s3-website.eu-central-1.amazonaws.com/jobs/68aea...

You can expand the reports to see detailed logs, https://pagure.io/freeipa/blob/master/f/ipatests/test_integration/test_sm... is the test suite that defines all those tests.

Can you show how smbclient behaves when you are using it against the SMB server you set up? You can see expected use and expected output in the test reports above.

Also, design documents for the integration are here:

Domain Member: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-m...
Domain Controller: https://pagure.io/freeipa/raw/master/f/doc/designs/adtrust/samba-domain-c...

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

I actually think it's working fine now. My problem seems to have been a straightforward file permissions issue, but I was completely thrown by the number of errors in the various logs (even with no debug logging) and the behaviour of wbinfo, and couldn't see the wood for the trees. Thanks though anyway.

Alexander Bokovoy wrote:

...


Samba service failed to start on centos 7 after patching

Post by kitchaaa_r » Sat Sep 22, 2018 3:53 am

Hi Team,

Samba service failed to start on CentOS 7 after patching. I even tried to start it but no luck. This server is used as an NFS server.
Please help me to fix the issue at the earliest.

Also I have noticed the samba packages got upgraded to this version

rpm -qa

Samba server authenticating against Active Directory. Is it possible to reboot and still connect to the domain?

I have tried to set up a Samba File Server with AD authentication.

The authentication via Active Directory is successful, but if you reboot the server the Linux Samba file server will NOT join the domain automatically like a Windows server does.

You still have to manually join the domain by issuing the below command line with the user password:

net join ads -U username -S DOMAIN.COM

Is there a way to automate this?

I know I can put in an init script but the user password will change every 3 months and I don't want to change the script every 3 months.

I am looking for something like a Windows file server which after reboot will still be connected to the domain without any login credential requirements.

Here is my configuration file:

Here is the samba log after reboot: (I didn't find any abnormal/error messages in the system logs)

Then I have to manually join the domain after reboot:

https://bugzilla.novell.com/show_bug.cgi?id=846586

https://bugzilla.novell.com/show_bug.cgi?id=846586#c0

Summary: smbd nt_printing_init error on starting smb
Classification: openSUSE
Product: openSUSE 13.1
Version: RC 1
Platform: i386
OS/Version: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: [email protected]
ReportedBy: [email protected]
QAContact: [email protected]
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1632.0 Safari/537.36 SUSE/31.0.1632.0

zypper duped now so it includes the apparmor patches (bnc#845867, bnc#846054)

Oct 18 12:21:00 altea smbd[548]: [2013/10/18 12:21:00.247955, 0] ./source3/printing/nt_printing.c:164(nt_printing_init)
Oct 18 12:21:00 altea smbd[548]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

No problem as our domain is working fine but I don't think those errors should be there.

Reproducible: Always

Steps to Reproduce:
1. systemctl start smb
2. systemctl status smb
3.

Actual Results: nt_printing-INIT ERROR

Expected Results: Clean startup

smb.conf

[global]
    workgroup = HH3
    realm = HH3.SITE
    security = ADS
    kerberos method = system keytab
    username map = /home/steve/smbmap
    log level = 3

[users]
    path = /home/users
    read only = No

[profiles]
    path = /home/profiles
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = No
    printable = No
    profile acls = Yes
    csc policy = disable


grep -i samba
samba-4.7.1-9.el7_5.x86_64
samba-common-4.7.1-9.el7_5.noarch
samba-common-tools-4.7.1-9.el7_5.x86_64
samba-common-libs-4.7.1-9.el7_5.x86_64
samba-libs-4.7.1-9.el7_5.x86_64
samba-client-libs-4.7.1-9.el7_5.x86_64



[[email protected]]# systemctl --failed
UNIT LOAD ACTIVE SUB DESCRIPTION
● rngd.service loaded failed failed Hardware RNG Entropy Gatherer Daemon
● smb.service loaded failed failed Samba SMB Daemon

LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.

2 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
[[email protected]]# systemctl status smb.service
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2018-09-22 03:41:21 UTC; 2min 17s ago
Process: 1031 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=255)
Main PID: 1031 (code=exited, status=255)

Starting Samba SMB Daemon...
S [2018/09/22 03:41:21.437707, 0] ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
create_local_token failed: NT_STATUS_NO_MEMORY
[1031]: [2018/09/22 03:41:21.446449, 0] ../source3/smbd/server.c:2011(main)
[1031]: ERROR: failed to setup guest info.
: smb.service: main process exited, code=exited, status=255/n/a
Failed to start Samba SMB Daemon.
Unit smb.service entered failed state.
smb.service failed.
# systemctl start smb.service
Job for smb.service failed because the control process exited with error code. See "systemctl status smb.service" and "journalctl -xe" for details.
# systemctl status smb.service
● smb.service - Samba SMB Daemon
Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2018-09-22 03:44:21 UTC; 6s ago
Process: 1729 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=255)
Main PID: 1729 (code=exited, status=255)


--
-- The result is failed.
Sep 22 03:44:21 systemd[1]: Unit smb.service entered failed state.
Sep 22 03:44:21 systemd[1]: smb.service failed.
Sep 22 03:44:21 polkitd[787]: Unregistered Authentication Agent for unix-process:1722:20756 (system bus name :1.18, object path /org/freedesktop/P
