[SOLVED] Cannot log in with Active Directory user

samba
activedirectory

#1

Hi guys,

I’ve been having issues with logging into my work PC for the last few days. It started with the update to Samba/smbclient/libwbclient to 4.8.x.

I have a Manjaro installation, working in a Windows AD environment. I’ve set it up using the Arch Wiki page for Active Directory integration and everything worked well for a long time.

Now, I can contact the domain normally - klist, net ads, etc. commands work as expected and I can get domain user/group info no problem. I can access shares. I have a VM with Win7 running and I can log in to it. The only thing that seems to not be working is me actually logging into Manjaro.

Logging in via console just gives me “Login incorrect”. When using sudo su and running passwd, I get:

Changing password for bivanovic
(current) NT password: 
No logon servers
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged

When using passwd, journalctl says:

srp 17 09:27:27 bivanovic-pc passwd[4041]: pam_winbind(passwd:chauthtok): getting password (0x000041a8)
srp 17 09:27:30 bivanovic-pc passwd[4041]: pam_winbind(passwd:chauthtok): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTHINFO_UNAVAIL (9), NTSTATUS: NT_STATUS_NO_LOGON_SERVERS, Error message was: No logon servers are currently available to service the logon request.
srp 17 09:27:30 bivanovic-pc passwd[4041]: pam_winbind(passwd:chauthtok): internal module error (retval = PAM_AUTHINFO_UNAVAIL(9), user = 'bivanovic')

I’m at my wit’s end from googling and trying out stuff for days and I’d appreciate any insight anyone might have.

Thanks!


#2

This usually is a DNS issue, but as you say it has worked and it only occurred after a specific update.

So this leads me to think that you might have a configuration error after the update.

This could very well be due to a smb.conf.pacnew (not sure of the name though); check your /etc/samba and verify your configuration.

Not sure which and if this might apply to your issue.

  • Lurking from the utter back of my memory - there has been a permission issue with samba’s private folder/files.
  • Also, services have been renamed.

#3

Thanks fhdk!

  • no pacnew file for smb.conf.

  • rechecked smb.conf and looks all good

  • set 700 on /var/lib/samba/private/

  • smb/nmb/winbind enabled and running

I also took a look at samba logs (log.wb-ADRIATICA, ADRIATICA being the domain I’m on):

[2018/07/17 11:04:06.852621,  3] ../source3/libsmb/cliconnect.c:1678(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The referenced account is currently disabled and cannot be logged on to.
[2018/07/17 11:04:06.852694,  1] ../source3/winbindd/winbindd_cm.c:1160(cm_prepare_connection)
  authenticated session setup to ADRDC01.adriatica.local using ADRIATICA\BIVANOVIC-PC$ failed with NT_STATUS_ACCOUNT_DISABLED
[2018/07/17 11:04:06.852836,  1] ../source3/winbindd/winbindd_cm.c:1300(cm_prepare_connection)
  Failed to prepare SMB connection to ADRDC01.adriatica.local: NT_STATUS_ACCOUNT_DISABLED

I double checked with my sys admins and, of course, my account isn’t disabled as I can log in normally from the VM and net ads status -U works with my current password, but it’s just weird that I’m getting that message.


#4

I notice that the AD your organisation is running is a .local domain.

I know that .local domain was the Microsoft default and it required extra attention during installation to change it.

It is a tricky one because .local was used and is used within the BonJour / Avahi auto detection and configuration and it is known to cause problems in mixed environments.

I think that somewhere in the configuration or maybe even coding of Samba this conflict emerges.

I cannot pinpoint it - but I will advise - if at all possible - to restructure your AD to use a subdomain of your organisation's public domain, e.g. local.domain.tld or whatever you find appropriate.

It is doable and it will require some work - depending on the AD’s size of course.


#5

Oof, yeah, don’t think that’s an option. :slight_smile:


#6

In your smb.conf there is a reference to the domain controller.

Is that reference FQDN or just the servername?

I was thinking whether it makes sense to test the other possibility?

Is it a SBS setup? or a regular AD setup?

In an SBS setup all services run on the same server, the SBS instance.

A regular AD setup can have services spread over several servers.


#7

That’s the FQDN. I’ve tried with just ADRDC01, as well as with the server IP, no luck. Without the domain, it just times out and with the IP, it’s the same as with the FQDN.

The AD is regular, not SBS.

Also, I’m assured by admins that no configuration was changed on the domain/servers in the last few months.


#8

Some updates on the search.

Result of net ads info -d 3:

lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
main: Unable to initialize messaging context. Must be root to do that.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
added interface enp0s25 ip=10.8.168.114 bcast=10.8.168.255 netmask=255.255.255.0
tdb(/var/cache/samba/gencache.tdb): tdb_open_ex: could not open file /var/cache/samba/gencache.tdb: Permission denied
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
Successfully contacted LDAP server 10.8.10.28
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
Successfully contacted LDAP server 10.8.10.28
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
Successfully contacted LDAP server 10.8.10.28
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.hmz1Ow. Errno Permission denied
Successfully contacted LDAP server 10.8.10.28
Connected to LDAP server ADRDC01.adriatica.local
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
Successfully contacted LDAP server 10.8.10.28
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
get_dc_list: preferred server list: ", ADRDC01.adriatica.local"
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.Vt9yYP. Errno Permission denied
Successfully contacted LDAP server 10.8.10.28
Connected to LDAP server ADRDC01.adriatica.local
tdb(/var/lib/samba/private/secrets.tdb): tdb_open_ex: could not open file /var/lib/samba/private/secrets.tdb: Permission denied
Could not open tdb: Permission denied
Failed to open /var/lib/samba/private/secrets.tdb
LDAP server: 10.8.10.28
LDAP server name: ADRDC01.adriatica.local
Realm: ADRIATICA.LOCAL
Bind Path: dc=ADRIATICA,dc=LOCAL
LDAP port: 389
Server time: uto, 17 srp 2018 13:03:43 CEST
KDC server: 10.8.10.28
Server time offset: 1
Last machine account password change: čet, 01 sij 1970 01:00:00 CET
return code = 0
tdb(/var/cache/samba/gencache.tdb): tdb_transaction_start: cannot start a transaction on a read-only or internal db

I’ve moved the whole /var/cache/samba dir so that it’s recreated and the permissions are as follows:

total 2700
drwxr-xr-x  5 root root    4096 srp  17 13:04 .
drwxr-xr-x 11 root root    4096 srp  17 12:58 ..
-rw-r--r--  1 root root  441608 srp  17 13:01 brlock.tdb
-rw-r--r--  1 root root     231 srp  17 13:03 browse.dat
-rw-r--r--  1 root root  454656 srp  17 13:04 gencache_notrans.tdb
-rw-r--r--  1 root root 1286144 srp  17 13:04 gencache.tdb
-rw-r--r--  1 root root    8888 srp  17 13:01 leases.tdb
-rw-r--r--  1 root root  441608 srp  17 13:01 locking.tdb
drwxr-xr-x  2 root root    4096 srp  17 13:04 msg.lock
-rw-------  1 root root     696 srp  17 13:04 mutex.tdb
-rw-rw----  1 root root   12288 srp  17 13:01 names.tdb
-rw-------  1 root root     696 srp  17 12:58 netsamlogon_cache.tdb
-rw-r--r--  1 root root   20480 srp  17 13:01 printer_list.tdb
drwxr-xr-x  2 root root    4096 srp  17 12:58 printing
drwxr-xr-x  2 root root    4096 srp  17 13:04 smb_krb5
-rw-------  1 root root    8888 srp  17 13:01 smbXsrv_open_global.tdb
-rw-------  1 root root    8888 srp  17 13:01 smbXsrv_session_global.tdb
-rw-------  1 root root    8888 srp  17 13:01 smbXsrv_tcon_global.tdb
-rw-------  1 root root   24576 srp  17 13:01 smbXsrv_version_global.tdb

#9

That was not the AD configuration I was thinking of - I am quite sure it is your system. But for all we know - it could as well be a bug in the Samba implementation.

Have you tried to roll back to where you know it worked?

It is quite possible you have the previous version in /var/cache/pacman/pkg/

You can roll back by doing

sudo pacman -U /var/cache/pacman/pkg/s <press tab for pkgs starting with s>

I wouldn’t be surprised if it solves the issue - however some of the errors might come from the missing sudo for your net ads info command


#10

I just noticed that your computer is not domain joined.

When a Windows computer is added to AD an account is set up for it. Essentially a user can log on from a domain joined computer. (That is, if it’s a Windows computer.)

It is worth letting your sysadmin check if your computer has been locked out of the network.

I don’t know how I missed that. It is not your user account which is the problem it is your computer.


#11

Oh for the…

Thank you. So much.

I was joined to the domain, but it turns out that, at some point, one of the admins moved my computer from one OU to the other, which, it turns out, was the problem.

Just did a net ads join and everything’s working as it used to.

Once again, thank you, you’ve saved me a few days of troubleshooting, at least. :slight_smile:
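As an added example (not code from this thread or from Samba), here is a small Python triage helper that reads the kind of winbind log lines and `net ads info` output quoted earlier in the thread and flags the computer-account symptoms that pointed at the machine account rather than the user: a `$` account rejected by the DC, and a "Last machine account password change" at the Unix epoch. The sample lines are constructed from the excerpts above.

```python
import re

# Constructed sample input, modelled on the log.wb-ADRIATICA excerpt and the
# `net ads info -d 3` output quoted earlier in this thread.
WINBIND_LOG = r"""
[2018/07/17 11:04:06.852621,  3] ../source3/libsmb/cliconnect.c:1678(cli_session_setup_creds_done_spnego)
  SPNEGO login failed: The referenced account is currently disabled and cannot be logged on to.
[2018/07/17 11:04:06.852694,  1] ../source3/winbindd/winbindd_cm.c:1160(cm_prepare_connection)
  authenticated session setup to ADRDC01.adriatica.local using ADRIATICA\BIVANOVIC-PC$ failed with NT_STATUS_ACCOUNT_DISABLED
"""

NET_ADS_INFO = """
LDAP server: 10.8.10.28
Realm: ADRIATICA.LOCAL
Last machine account password change: čet, 01 sij 1970 01:00:00 CET
"""

SESSION_SETUP = re.compile(
    r"authenticated session setup to (?P<dc>\S+) using (?P<acct>\S+) failed with (?P<status>NT_STATUS_\w+)"
)
PW_CHANGE = re.compile(r"^Last machine account password change:\s*(?P<when>.+)$", re.M)

def failed_session_setups(log_text):
    """Return (account, dc, status) for every failed DC session setup in a winbind log."""
    return [(m["acct"], m["dc"], m["status"]) for m in SESSION_SETUP.finditer(log_text)]

def is_machine_account(acct):
    """AD computer accounts end in '$' (e.g. HOST$); user accounts do not."""
    return acct.endswith("$")

def machine_password_never_set(info_text):
    """`net ads info` prints the Unix epoch (1970) when no machine secret is available."""
    m = PW_CHANGE.search(info_text)
    return bool(m and re.search(r"\b1970\b", m["when"]))

def triage(log_text, info_text):
    """Classify the failure as a computer-account problem or a user-credential problem."""
    findings = []
    for acct, dc, status in failed_session_setups(log_text):
        if is_machine_account(acct):
            findings.append(f"DC {dc} rejected computer account {acct}: {status}")
    if machine_password_never_set(info_text):
        findings.append("machine account password timestamp is epoch 0: no usable machine secret")
    if findings:
        return "computer-account", findings
    return "user-credentials", ["no computer-account errors; check user password/lockout"]
```

When the verdict is "computer-account", the fix lives on the AD side (the computer object, its OU or its secret) and a re-join is the usual remedy, as post #11 found; a "user-credentials" verdict points back at the user's password or lockout state instead.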

