I am running CentOS 7, which is successfully joined to an Active Directory via SSSD. Furthermore, Samba is configured to allow domain users access to certain shares, which is only working from Windows, but not from Linux or Android machines.
What is working:
- login via shell or ssh using the DOMAINUSER
- getent DOMAINUSER, getent DOMAINUSER@DOMAIN.LOCAL, getent DOMAIN\\DOMAINUSER
- Accessing samba shares from windows computers using DOMAIN\\DOMAINUSER
- smbclient -L centos.domain.local -U user@domain.local
- smbclient -L centos.domain.local -U user
- smbclient -L centos.domain.local -U DOMAIN\\user
What is not working:
- sudo mount -t cifs -o username=user,domain=domain.local //centos.domain.local/SHARE /mnt/SHARE
- sudo mount -t cifs -o username=user //centos.domain.local/SHARE /mnt/SHARE
- sudo mount -t cifs -o username=user,domain=DOMAIN //centos.domain.local/SHARE /mnt/SHARE
Trying to mount the share leads to a simple "permission denied".
The samba log shows the following:
[2019/09/09 20:15:32.592560, 3] ../source3/auth/auth.c:189(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user []\[USER]@[] with the new password interface
[2019/09/09 20:15:32.592635, 3] ../source3/auth/auth.c:192(auth_check_ntlm_password)
check_ntlm_password: mapped user is: []\[USER]@[]
[2019/09/09 20:15:32.592839, 2] ../source3/auth/auth.c:332(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [USER] -> [USER] FAILED with error NT_STATUS_LOGON_FAILURE, authoritative=1
[2019/09/09 20:15:32.593006, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user []\[USER] at [Mo, 09 Sep 2019 20:15:32.592943 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:10.0.0.3:40940] mapped to []\[USER]. local host [ipv4:10.10.10.$
[2019/09/09 20:15:32.593104, 3] ../auth/auth_log.c:591(log_no_json)
log_no_json: JSON auth logs not available unless compiled with jansson
[2019/09/09 20:15:32.593340, 3] ../source3/smbd/smb2_server.c:3171(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:137
[2019/09/09 20:15:32.729974, 3] ../source3/smbd/server_exit.c:236(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam
domains = domain.local
[domain/domain.local]
id_provider = ad
; ad_server = dc1.domain.local, dc2.domain.local
override_homedir = /home/DOMAIN/%u
default_shell = /bin/bash
create_homedir = true
remove_homedir = true
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = yes
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = dc1.domain.local
kdc = dc2.domain.local
admin_server = dc1.domain.local
default_domain = domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
[global]
bind interfaces only = yes
interfaces = eno1
workgroup = INTERN
realm = intern.waigel.eu
kerberos method = system keytab
security = ads
server string = %h server (Samba, Centos)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
idmap config * : backend = tdb
encrypt passwords = yes
unix charset = UTF-8
dos charset = CP932
[SHARE]
path = /mnt/Storage/NAS/NAS
writable = yes
browsable = yes
guest ok = no
#create mode = 0777
#directory mode = 0777
valid users = @"domain users@domain.local"
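Added example, not part of the question above: a small Python parser for the human-readable "Auth:" lines that Samba's auth_log writes in the format shown in the log, so that failed NTLMv2 session setups with an empty domain (the symptom in this post) can be picked out and counted per source host. The sample log lines are constructed for the example; the user name, host names and addresses are placeholders.

```python
import re
from collections import Counter

# Pattern for the "Auth:" line emitted by Samba's auth_log.c (log_authentication_event_human_readable).
# The trailing "local host [...]" part is not needed, so search() is used instead of fullmatch().
AUTH_RE = re.compile(
    r"Auth: \[(?P<service>[^,\]]+),(?P<transport>[^\]]*)\] "
    r"user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"at \[(?P<when>[^\]]*)\] with \[(?P<method>[^\]]*)\] "
    r"status \[(?P<status>[^\]]*)\] workstation \[(?P<workstation>[^\]]*)\] "
    r"remote host \[(?P<remote>[^\]]*)\] "
    r"mapped to \[(?P<mapped_domain>[^\]]*)\]\\\[(?P<mapped_user>[^\]]*)\]\."
)

# Constructed sample: one failing NTLMv2 attempt with an empty domain, one successful one.
SAMPLE_LOG = """\
[2019/09/09 20:15:32.593006, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\\[alice] at [Mo, 09 Sep 2019 20:15:32.592943 CEST] with [NTLMv2] status [NT_STATUS_LOGON_FAILURE] workstation [] remote host [ipv4:10.0.0.3:40940] mapped to []\\[alice]. local host [ipv4:10.10.10.5:445]
[2019/09/09 20:16:01.100000, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [EXAMPLE]\\[alice] at [Mo, 09 Sep 2019 20:16:01.099000 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation [WIN10PC] remote host [ipv4:10.0.0.7:51000] mapped to [EXAMPLE]\\[alice]. local host [ipv4:10.10.10.5:445]
"""


def parse_auth_line(line):
    """Return a dict of the fields of one Auth: line, or None for any other log line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # "ipv4:10.0.0.3:40940" -> "10.0.0.3"; other address forms are kept verbatim
    ev["remote_ip"] = ev["remote"].split(":")[1] if ev["remote"].startswith("ipv4:") else ev["remote"]
    return ev


def failed_events(log_text):
    """All Auth: events whose status is anything other than NT_STATUS_OK."""
    return [ev for ev in map(parse_auth_line, log_text.splitlines())
            if ev and ev["status"] != "NT_STATUS_OK"]


def failures_by_source(log_text):
    """Count failures keyed by (remote IP, auth method, client-supplied domain or <empty>)."""
    counts = Counter()
    for ev in failed_events(log_text):
        counts[(ev["remote_ip"], ev["method"], ev["domain"] or "<empty>")] += 1
    return counts
```

Fed the samba log.%m file, failures_by_source() shows at a glance whether the failures come from one client and whether they all carry an empty domain, which separates a client-side mount option problem from a broader authentication failure.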