I am sorry the logs are badly formatted. I am trying again and hope it will be better. Otherwise look at the link below or tell me how to send logs correctly.

Mirek

On 21.12.2018 at 13:19, Miroslav Geisselreiter wrote:
> Originally I posted this question at the CentOS forum on 20.12.2018.
> https://www.centos.org/forums/viewtopic.php?f=48&t=69193
>
> Hi all,
>
> I am not able to mount samba shares after upgrading CentOS 7.5 to 7.6. I have been searching and trying to configure samba and winbind but no success. I found a lot of manuals and help pages about setting up samba and winbind for a machine acting as an AD DC member but almost nothing about a machine acting as an NT4 style DC member, and that is my case.
>
> Samba version before upgrade: samba-4.7.1-9.el7_5.x86_64, after upgrade: samba-4.8.3-4.el7.x86_64. I noticed that now it is necessary to use winbind, which I did not use before the upgrade.
>
> My network:
>
> Machine with CentOS 6.9 is PDC (NT4 style) configured with ldap and kerberos, providing domain logon services to Windows and Samba clients of an NT4-like domain. openldap-2.4.40-16.el6.x86_64, krb5-server-1.10.3-65.el6.x86_64, samba-3.6.23-51.el6.x86_64.
>
> Machine with CentOS 7.6 is a domain member offering network shares to Windows clients. Before the upgrade my samba-4.7 ran only the smb and nmb services and everything was fine. After the upgrade samba-4.8.3 runs the smb, nmb and winbind services.
>
> smb.conf:
> workgroup = NT4DOMAIN
> netbios name = NT4MEMBER
>
> # wbinfo -m --verbose
> Domain Name   DNS Domain    Trust Type   Transitive  In   Out
> BUILTIN                     Local
> NT4MEMBER                   Local
> NT4DOMAIN     INTRANET.XX   Workstation  Yes         No   Yes
> # wbinfo --own-domain
> NT4DOMAIN
>
> I discovered that winbind is not authenticating users with NT4DOMAIN but only with NT4MEMBER. In this case NT4MEMBER users ARE NT4DOMAIN users (there is only one user1 in the ldap database). It can be seen in the logs below. I set debug level 3 for smbd and winbindd. Windows machines have joined NT4DOMAIN but now cannot mount shares from NT4MEMBER. The Windows mount command net use /user:NT4DOMAIN\user1 \\NT4MEMBER\share1 is equal to the linux command smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1. From a linux machine I can mount the share with this command: smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1 but from a Windows machine it is not possible. Normally (before the upgrade) Windows users mapped shares from a startup script with this command: net use \\NT4MEMBER\share1.
>
> What is going wrong can be seen from the logs:
>
> # smbclient //NT4MEMBER/share1 -U NT4DOMAIN\\user1
> smbd log:
> check_ntlm_password: Checking password for unmapped user [NT4DOMAIN]\[user1]@[NT4MEMBER] with the new password interface
> check_ntlm_password: mapped user is: [NT4DOMAIN]\[user1]@[NT4MEMBER]
> check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
> Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
> log_no_json: JSON auth logs not available unless compiled with jansson
> gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../source3/smbd/smb2_sesssetup.c:137
> Server exit (NT_STATUS_END_OF_FILE)
> Terminated
> winbind log:
> [ 9232]: request interface version (version = 30)
> [ 9232]: request location of privileged pipe
> [ 9232]: pam auth crap domain: [NT4DOMAIN] user: user1
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> [ 9228]: pam auth crap domain: NT4DOMAIN user: user1
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
> This is again a problem for this particular call, forcing the close of this connection
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 2)
> This is again a problem for this particular call, forcing the close of this connection
> This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
> The connection to netlogon failed, retrying
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
> ldb_wrap open of secrets.ldb
> rpccli_create_netlogon_creds failed for NT4DOMAIN, unable to create NETLOGON credentials: NT_STATUS_NO_MEMORY
> Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 3)
> This is again a problem for this particular call, forcing the close of this connection
> This is the third problem for this particular call, adding DC to the negative cache list: NT4DOMAIN (null)
> NTLM CRAP authentication for user [NT4DOMAIN]\[user1] returned NT_STATUS_NO_MEMORY
>
> # smbclient //NT4MEMBER/share1 -U NT4MEMBER\\user1
> smbd log:
> check_ntlm_password: Checking password for unmapped user [NT4MEMBER]\[user1]@[NT4MEMBER] with the new password interface
> check_ntlm_password: mapped user is: [NT4MEMBER]\[user1]@[NT4MEMBER]
> init_sam_from_ldap: Entry found for user: user1
> auth_check_ntlm_password: sam authentication for user [user1] succeeded
> Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
> log_no_json: JSON auth logs not available unless compiled with jansson
> check_ntlm_password: authentication for user [user1] -> [user1] -> [user1] succeeded
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> init_group_from_ldap: Entry found for group: 544
> init_group_from_ldap: Entry found for group: 100000
> Adding homes service for user 'user1' using home directory: '/posta/user1'
> adding home's share [user1] for user 'user1' at '/data/osobni/%S'
> Allowed connection from X.X.X.X (X.X.X.X)
> Connect path is '/tmp' for service [IPC$]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> NT4MEMBER (ipv4:X.X.X.X:40494) connect to service IPC$ initially as user user1 (uid=10010, gid=513) (pid 7874)
> get_referred_path: |share1| in dfs path \NT4MEMBER\share1 is not a dfs root.
> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NOT_FOUND] || at ../source3/smbd/smb2_ioctl.c:312
> NT4MEMBER (ipv4:X.X.X.X:40494) closed connection to service IPC$
> Allowed connection from X.X.X.X (X.X.X.X)
> Connect path is '/samba1/664' for service [share1]
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Initialising custom vfs hooks from [recycle]
> load_module_absolute_path: Module '/usr/lib64/samba/vfs/recycle.so' loaded
> NT4MEMBER (ipv4:X.X.X.X:40494) connect to service share1 initially as user user1 (uid=10010, gid=513) (pid 7874)
> winbind log:
> [ 9238]: request interface version (version = 30)
> [ 9238]: request location of privileged pipe
> sids_to_xids
> sam_sid_to_name
> sam_sid_to_name
> sam_sid_to_name
> StartTLS issued: using a TLS connection
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
>
> I can provide more details (config parameters etc.) later if it is necessary. I played with all winbind parameters and idmap config parameters but no success. Can anyone please help me to solve this problem?
>
> Please find more logs. wbinfo -i user1 (without prepending the domain) should show NT4DOMAIN\user1, not NT4MEMBER\user1. The same should be for wbinfo -i NT4DOMAIN\\user1.
>
> # wbinfo -i user1
> NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false
> winbindd log:
> [ 9747]: request interface version (version = 30)
> [ 9747]: request location of privileged pipe
> getpwnam user1
> sam_name_to_sid
> name_to_sid: user1 for domain
> init_sam_from_ldap: Entry found for user: user1
> name_to_sid: user1 for domain
> init_sam_from_ldap: Entry found for user: user1
> sam_rids_to_names for NT4MEMBER
> sam_sid_to_name
>
> # wbinfo -i NT4MEMBER\\user1
> NT4MEMBER\user1:*:10010:513::/posta/user1:/bin/false
> winbindd log:
> [ 9744]: request interface version (version = 30)
> [ 9744]: request location of privileged pipe
> getpwnam NT4MEMBER\user1
> sam_name_to_sid
> name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
> init_sam_from_ldap: Entry found for user: user1
> name_to_sid: NT4MEMBER\user1 for domain NT4MEMBER
> init_sam_from_ldap: Entry found for user: user1
> sam_rids_to_names for NT4MEMBER
> sam_sid_to_name
>
> # wbinfo -i NT4DOMAIN\\user1
> Could not get info for user NT4DOMAIN\user1
> winbindd log:
> [ 9746]: request interface version (version = 30)
> [ 9746]: request location of privileged pipe
> getpwnam NT4DOMAIN\user1
> sam_name_to_sid
> name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
> name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
> name_to_sid: NT4DOMAIN\user1 for domain NT4DOMAIN
> name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED
>
> wbinfo -u should list all users from NT4DOMAIN but lists nothing. wbinfo -u --domain="NT4MEMBER" lists all users which are from ldap - they are NT4DOMAIN users.
>
> # wbinfo -u
> winbindd log:
> [ 9754]: request interface version (version = 30)
> [ 9754]: request location of privileged pipe
> [ 9754]: request interface version (version = 30)
> [ 9754]: request misc info
> [ 9754]: request netbios name
> [ 9754]: request domain name
> [ 9754]: domain_info [NT4DOMAIN]
> list_users NT4DOMAIN
> samr: sequence number
>
> # wbinfo -u --domain="NT4MEMBER"
> NT4MEMBER\dovecot
> NT4MEMBER\root
> NT4MEMBER\nobody
> NT4MEMBER\user1
> winbindd log:
> [ 9756]: request interface version (version = 30)
> [ 9756]: request location of privileged pipe
> list_users NT4MEMBER
> samr_query_user_list
> smbldap_search_paged: base => [ou=Users,dc=intranet,dc=xx], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1000]
> smbldap_search_paged: search was successful
> samr: sequence number
>
> Mirek
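
A triage helper for debug-level-3 output like that quoted in the message above, added here as an example (it is not part of the original post and not Samba code): it extracts domain and status from smbd `Auth:` lines and counts winbindd's "claimed it was a DC for domain" mismatches and NETLOGON errors, so a failing logon domain can be lined up with the DC identity winbindd reported. The function name `summarize` and the embedded sample, constructed from the quoted log lines, are assumptions.

```python
import re
from collections import Counter

# Constructed sample: a few smbd/winbindd lines in the shape quoted in the message above.
SAMPLE_LOG = r"""
Auth: [SMB2,(null)] user [NT4DOMAIN]\[user1] at [Wed, 19 Dec 2018 13:56:08.989053 CET] with [NTLMv2] status [NT_STATUS_NO_MEMORY] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40488] mapped to [NT4DOMAIN]\[user1]. local host [ipv4:X.X.X.X:445]
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 0)
set_dc_type_and_flags_connect: DC for domain NT4DOMAIN claimed it was a DC for domain NT4MEMBER, refusing to initialize
Could not open handle to NETLOGON pipe (error: NT_STATUS_NO_MEMORY, attempts: 1)
Auth: [SMB2,(null)] user [NT4MEMBER]\[user1] at [Wed, 19 Dec 2018 14:00:37.714900 CET] with [NTLMv2] status [NT_STATUS_OK] workstation [NT4MEMBER] remote host [ipv4:X.X.X.X:40494] became [NT4MEMBER]\[user1] [S-1-5-21-x-x-x-21020]. local host [ipv4:X.X.X.X:445]
"""

# smbd auth audit line: "Auth: [svc] user [DOMAIN]\[user] at [time] with [proto] status [NT_STATUS_...]"
AUTH_RE = re.compile(
    r"Auth: \[[^\]]*\] user \[([^\]]*)\]\\\[([^\]]*)\] at \[[^\]]*\] "
    r"with \[([^\]]*)\] status \[([^\]]*)\]")
# winbindd: the DC contacted for one domain reported a different domain name
DC_RE = re.compile(r"DC for domain (\S+) claimed it was a DC for domain ([^\s,]+)")
# winbindd: failed attempts to open the NETLOGON pipe
NETLOGON_RE = re.compile(r"NETLOGON pipe \(error: (\w+), attempts: (\d+)\)")

def summarize(text):
    """Return auth outcomes plus winbindd DC-identity and NETLOGON findings."""
    auths = [dict(zip(("domain", "user", "proto", "status"), m.groups()))
             for m in AUTH_RE.finditer(text)]
    mismatches = Counter((asked, claimed) for asked, claimed in DC_RE.findall(text)
                         if asked.lower() != claimed.lower())
    netlogon = Counter(err for err, _attempt in NETLOGON_RE.findall(text))
    failed = sorted({a["domain"] for a in auths if a["status"] != "NT_STATUS_OK"})
    # Domains whose logons failed AND for which winbindd refused the DC
    correlated = [d for d in failed if any(asked == d for asked, _ in mismatches)]
    return {"auths": auths, "dc_mismatches": dict(mismatches),
            "netlogon_errors": dict(netlogon), "failed_domains": failed,
            "correlated": correlated}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, "=", value)
```
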