Samba 4x domain. No logon servers available
I’ve been migrating a server that was RHEL 5 32-bit to a CentOS 7 64-bit server. This is a file sharing / domain server, and I have experience setting up Windows domains, but not Samba domains. My issue right now is that I can add a client Windows machine to the domain, but when I attempt to add a user, I get "The trust relationship has been broken with the domain controller". I looked into some people's questions that had the same issue, and it seemed as though just logging in would fix that, so I attempted to log in with a domain user, and I got "there were no logon servers found".

What I’ve done so far:
- Copied the DNS and SMB confs to the new server.
- Ran into an issue where the client couldn’t resolve the hostname; this was related to DNS.
- "Could not find user": the user's password had not been set.
- The client PC is now able to join the domain, except that I cannot add a user (I get "trust has been broken").
- On attempted logon I get "no logon servers available".

Other than DNS I can’t seem to think what would be causing this issue, besides having the other domain/DNS on. Another note: I have edited the DNS conf on the old server to have the new server's information, and it’s the only DNS running, as having the second DNS server running at the same time might be problematic. I am new to doing DNS and Samba as a domain controller, so pardon any ignorance.
The samba4 packages that ship with both CentOS 6 and 7 do not have domain controller functionality. If you look inside, e.g., samba-dc-4.2.3-10.el7.x86_64.rpm, you’ll find it contains exactly one file, /usr/share/doc/samba-dc-4.2.3/README.dc. This file reads as follows:
MIT Kerberos 5 Support
Fedora is using MIT Kerberos implementation as its Kerberos infrastructure of choice. The Samba build in Fedora is using MIT Kerberos implementation in order to allow system-wide interoperability between both desktop and server applications running on the same machine.
At the moment the Samba Active Directory Domain Controller implementation is not available with MIT Kerberos. FreeIPA and Samba Team members are currently working on Samba MIT Kerberos support as this is a requirement for a GNU/Linux distribution integration of Samba AD DC features.
We have just finished migrating the file server and all client utilities to MIT Kerberos. The result of this work is available in samba-* packages in Fedora. We’ll provide Samba AD DC functionality as soon as its support of MIT Kerberos KDC will be ready.
In case of further questions do not hesitate to send your inquiries to samba-owner@fedoraproject.org
If you want to run a SaMBa4 domain controller on CentOS, you will need to build SaMBa from source yourself. The samba project wiki contains excellent instructions for doing this, and there are doubtless other such guides around the ‘net.
Getting ‘ads_connect: No logon servers’ at irregular intervals
I’m currently setting up a Samba 4 AD server (on Ubuntu Server 16.04) with about 10 Linux/Windows members in planning. After successfully provisioning the domain controller I joined the first Xubuntu 16.04 client to the domain. At first I was able to log in at the client with a Samba user account, so wbinfo -u and getent passwd both listed all Samba accounts. A few minutes later I tried to log in again, but the logon screen only displayed the Kerberos warning that my password is about to expire in 41 days. getent passwd now only lists the local users. wbinfo -u is inconsistently switching between an empty list and the Samba users. net ads info -d 3 returns the following:
    ads_connect: No logon servers
    ads_connect: No logon servers
    Didn't find the ldap server!
Deleting /var/cache/samba/gencache.tdb and /var/run/samba/gencache_notrans.tdb often changes the output to:
    LDAP server: 10.230.44.1
    LDAP server name: dc1.samdom.com   # not the original domain
    Realm: SAMDOM.COM
    Bind Path: dc=SAMDOM,dc=COM
    LDAP port: 389
    Server time: Sa, 15 Okt 2016 18:01:33 CEST
    KDC server: 10.230.44.1
    Server time offset: 0
But after some time it is falling back to the output above. Sometimes simply waiting also does the trick. I’ve got the same problem on a second client but not at the same time. The server is inside a university network and also serves as a NAT router for the samba clients. However, it is possible for the clients to get internet access, if they use a non-private IP address. smb.conf of the server:
    [global]
        workgroup = SAMDOM
        realm = SAMDOM.COM
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = xxx.yyy.xxx.yyy
        idmap_ldb:use rfc2307 = Yes
        # Only listen to the internal network
        interfaces = eno2
        bind interfaces only = Yes

    [netlogon]
        path = /var/lib/samba/sysvol/samdom.com/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

smb.conf of the client:

    [global]
        netbios name = M1
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM
        log file = /var/log/samba/%m.log
        log level = 1
        # Default idmap config used for BUILTIN and local windows accounts/groups
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        # idmap config for domain SAMDOM
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
        # Use template settings for login shell and home directory
        winbind nss info = template
        template shell = /sbin/bash
        template homedir = /home/%U
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        encrypt passwords = Yes
The same setup without the server as NAT router but with normal IP addresses returns the same behaviour.
Thread: smbclient : NT_STATUS_NO_LOGON_SERVERS (Samba4 into AD)
All went almost smoothly, except when I run:

    :~# smbclient //10.153.64.5/netlogon -U 'administrator'
    session setup failed: NT_STATUS_NO_LOGON_SERVERS
    # Global parameters
    [global]
        workgroup = TEST
        realm = test.sg
        netbios name = 4ECAPSVSG6
        server role = active directory domain controller
        dns forwarder = 10.153.64.5
        security = ADS
        allow dns updates = nonsecure and secure
        server services = +dns,+dnsupdate
        debug level = 3
        log level = 0
        log file = /var/log/samba4/log.%m
        max log size = 50
        follow symlinks = yes
        wide links = yes
        unix extensions = no
        idmap_ldb:use rfc2307 = Yes
        kdc:service ticket lifetime = 36000
        kdc:user ticket lifetime = 36000
        kdc:renewal lifetime = 36000
        #printcap name = /dev/null
        #load printers = yes
        #disable spoolss = yes
        #printing = bsd
        socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 TCP_NODELAY
        read raw = no

    [netlogon]
        path = /var/db/samba4/sysvol/4ecap.sg/scripts
        read only = No

    [sysvol]
        path = /var/db/samba4/sysvol
        read only = No
    :~# smbtree -N -d3
    lp_load_ex: refreshing parameters
    Initialising global parameters
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[global]"
    added interface eth0 ip=10.153.64.5 bcast=10.153.64.127 netmask=255.255.255.128
    resolve_lmhosts: Attempting lmhosts lookup for name 4ECAP
    resolve_lmhosts: Attempting lmhosts lookup for name 4ECAP
    name_resolve_bcast: Attempting broadcast lookup for name 4ECAP
    Got a positive name query response from 10.153.64.5 ( 10.153.64.5 )
    Connecting to 10.153.64.5 at port 445
    Doing spnego session setup (blob length=96)
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    SPNEGO login failed: No logon servers
    4ECAP
    Connecting to 10.153.64.5 at port 445
    Doing spnego session setup (blob length=96)
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    SPNEGO login failed: No logon servers
        \\4ECAPSVSG6    Samba 4.1.6-Ubuntu
    resolve_lmhosts: Attempting lmhosts lookup for name 4ECAPSVSG6
    resolve_lmhosts: Attempting lmhosts lookup for name 4ECAPSVSG6
    resolve_wins: WINS server resolution selected and no WINS servers listed.
    resolve_hosts: Attempting host lookup for name 4ECAPSVSG6
    Connecting to 10.153.64.5 at port 445
NT_STATUS_NO_LOGON_SERVERS : Samba with AD on CentOS 7.X
Samba is my black beast. It’s useful and it’s needed, but at the same time it’s complex and troublesome. I had multiple errors (like this NT_STATUS_ACCESS_DENIED before), but once I managed to get a working configuration, it was a matter of tuning it up to have a second instance.
The error occurs in the context of some AD (Active Directory) changes: some servers are taken out of service, others come in with Samba features. At one point, the reliable and highly demanded (but not highly available) Samba server stops working and it is no longer possible to connect to it using my AD user credentials (AD username and password). To debug, I log in as root on the server in question and look for the Samba log linked to the client from which I want to connect to the Samba server. In this case, the Samba server is called zeus and the client has the IP 10.20.30.40. The log in question looks like this:
    root@zeus /var/log/samba ## > tailf samba_log.10.20.30.40.log
    [YYYY/MM/DD HOUR.012707, 5] ../source3/auth/auth.c:437(load_auth_module)
      load_auth_module: auth method winbind has a valid init
    ... a lot of log here ...
    [YYYY/MM/DD HOUR.010838, 5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
      auth_check_ntlm_password: winbind authentication for user [Pepito] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
We use tailf to monitor the end of the Samba log while it’s happening. Pepito, as usual, is my AD user. To fix this, we re-join the machine to our AD domain domain.org, like this:
    root@zeus ~ ## > net ads join -S domain_controller -U domain_admin
    Enter domain_admin's password:
    Using short domain name -- DOMAIN
    Joined 'ZEUS' to dns domain 'domain.org'
    root@zeus ~ ## > net ads testjoin
    Join is OK
Note that to fix this you need to know the domain controller (domain_controller) and the domain_admin password; you can’t do it as a normal user. After this (and, just in case, a restart of the smb and nmb services) we try again to connect from our client 10.20.30.40 with the AD user pepito, and it works. Hurraw!
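A small triage script for the per-client log shown above, added here as an example and not part of the post: it pulls the user and NT_STATUS code out of every failed winbind authentication line and says whether the failures point at the member's channel to the domain controllers (NT_STATUS_NO_LOGON_SERVERS, where net ads testjoin and a re-join are the next step) or at an individual account (NT_STATUS_ACCESS_DENIED). The log lines it runs over are constructed to match the format above; wbinfo -t is winbind's stock check of the machine trust secret.

```shell
#!/bin/sh
# Added example, not from the post above: triage winbind authentication
# failures in a per-client Samba log (e.g. /var/log/samba/samba_log.10.20.30.40.log).
# Assumes the log format shown in the post: "[date time, level] file:line(func)"
# followed by an indented message line.

# Print one "USER NT_STATUS_CODE" pair per failed winbind authentication.
auth_failures() {
    # $1 = path to the log file
    sed -n 's/.*authentication for user \[\([^]]*\)] FAILED with error \(NT_STATUS_[A-Z_]*\).*/\1 \2/p' "$1"
}

# Count the failures that carry one specific status code.
count_status() {
    # $1 = log file, $2 = status code, e.g. NT_STATUS_NO_LOGON_SERVERS
    auth_failures "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# NO_LOGON_SERVERS means winbind could not get an authenticated channel to
# any DC (broken machine trust, DC lookup via DNS, stale cache), so the fix
# belongs on the member: check the join, then re-join if it is broken.
# ACCESS_DENIED is per-account and the join is not the place to look.
triage() {
    # $1 = log file; prints a single verdict line
    nls=$(count_status "$1" NT_STATUS_NO_LOGON_SERVERS)
    den=$(count_status "$1" NT_STATUS_ACCESS_DENIED)
    if [ "$nls" -gt 0 ]; then
        echo "DC-CHANNEL: $nls failure(s); run 'net ads testjoin' and 'wbinfo -t', re-join with 'net ads join' if either fails"
    elif [ "$den" -gt 0 ]; then
        echo "ACCOUNT: $den failure(s); check the user's password and account status"
    else
        echo "OK: no failed winbind authentications in this log"
    fi
}

# Constructed sample log (timestamps and users made up) so the script runs stand-alone.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2016/10/15 18:01:33.012707,  5] ../source3/auth/auth.c:437(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2016/10/15 18:01:34.010838,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [Pepito] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2016/10/15 18:01:35.010900,  5] ../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [alice] FAILED with error NT_STATUS_ACCESS_DENIED, authoritative=1
EOF
triage "$SAMPLE_LOG"
```

Point it at the real per-client log on the member to get the same verdict for live traffic.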