Ubuntu 16.04.2
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2 Standard
Have 2 sites with the above setup. Each site has 1 ubuntu/samba server authenticating to 1 Windows Server 2008 R2 server running Active Directory.

Site 1 works as expected. Traditional Linux services, like ssh, auth to AD as expected. So do the samba shares.

Site 2 partially works. Linux services like ssh work but samba shares fail to auth:

session setup failed: NT_STATUS_NO_LOGON_SERVERS

connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.DOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/04/20 01:49:28.902051, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.

I have double checked site1 smb.conf, sssd.conf, krb5.conf against site2 configuration and they are the "same".

I don't understand why ssh can authenticate but not samba.

It seems like the problem is on DC-1 but I do not know where to start on the debugging of Windows!

sssd.conf
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7
[pam]
reconnection_retries = 3
# debug_level = 7
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
domains = CORP.DOMAIN.COM
debug_level = 7
[domain/CORP.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME. Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u

smb.conf
[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
preferred master = no
wins server = 192.168.110.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/%m.log
max xmit = 16384
# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat
idmap config CORP : backend = ad
idmap uid = 600-20000
idmap gid = 600-20000
template shell = /bin/bash
template homedir = /var/samba/users/%U
server signing = auto
client signing = auto
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
load printers = no