Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Source: CentOS forums, "CentOS 6 - Networking Support", thread "Samba on AD integrated server" (2 posts)

Post by andreiv3103 (Posts: 12, Joined: 2009/10/26 10:21:14) » 2014/09/24 10:33:53

I followed this tutorial http://jhrozek.livejournal.com/3581.html to join my CentOS 6.5 server to a Windows 2008 R2 AD domain. It worked perfectly, I can do su domain_user or log in through ssh with a domain account. But samba seems to be unable to authenticate users through sssd. I installed samba and created a minimal smb.conf like this:

    [global]
    workgroup = localdomain
    server string = Samba Server Version %v
    security = domain
    encrypt passwords = yes
    passdb backend = tdbsam
    realm = localdomain.com
    # Not interested in printers
    load printers = no
    cups options = raw
    printcap name = /dev/null
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    # ############ THE SHARES ############
    #[homes]
    comment = Home Directories
    browseable = no
    writable = yes

This samba config works perfectly with CentOS 7 and realmd, but it seems not to work with CentOS 6.5 and the method mentioned above. Could it be the samba version?
On CentOS 6.5 it is Version 3.6.9-169.el6_5
On CentOS 7 it is Version 4.1.1

The error is:

    connect_to_domain_password_server: unable to open the domain client session to machine DC.LOCALDOMAIN.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.

Thanks.

Re: Samba on AD integrated server
Post by andreiv3103 » 2014/09/24 11:44:14

I just solved my problem. Added the following line to smb.conf:

    kerberos method = secrets and keytab

And now it works! I don't really know why, but this makes it work.
(The CentOS thread above: http://www.centos.org/forums/viewtopic.php?t=48630)

Access Samba share from Windows (Super User question, http://superuser.com/questions/707676/access-samba-share-from-windows, 3 votes)

I have a samba share set up on a linux box which is only accessible from Windows if they turn off "Microsoft network client: Digitally sign communications (always)". They would like me to configure the linux end of things to allow them to connect with this setting enabled. What is the minimum I need to do for the windows users to access this share without turning down/off any of the security options on their end?

Possibly relevant info:
Linux box is running SLES 11 SP2 and Samba 3.6.3
Windows box is running Windows Server 2008 with Active Directory

This is my smb.conf:

    # smb.conf is the main Samba configuration file. You find a full commented
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
    # samba-doc package is installed.
    # Date: 2012-02-03
    [global]
    workgroup = $WINDOWS_DOMAIN_NAME
    passdb backend = tdbsam
    map to guest = Bad User
    include = /etc/samba/dhcp.conf
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
    domain logons = No
    domain master = No
    security = domain
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    wins support = No
    wins server =
    encrypt passwords = yes
    [$shareName]
    comment = linux share
    inherit acls = Yes
    path = /home/$user/$shareName
    read only = No
    available = yes
    browseable = yes
    public = yes
    writable = yes

When they attempt to access the share currently, the errors in /var/log/messages are like:

    linux smbd[3336]: [2014/01/24 11:23:25.214046, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
    linux smbd[3336]: get_schannel_session_key: could not fetch trust account password for domain '$WINDOWS_DOMAIN_NAME'
    linux smbd[3336]: [2014/01/24 11:23:25.216148, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
    linux smbd[3336]: cli_rpc_pipe_open_schannel: failed to get schannel session key from server $DOMAIN_CONTROLLER for domain $WINDOWS_DOMAIN_NAME.
    linux smbd[3336]: [2014/01/24 11:23:
Source: http://www.linux.iastate.edu/pipermail/redhat/2007-June/000405.html

I also failed to get this working according to the guide. With the newer versions of winbind, you don't need kerberos or ldap. You can use winbind to do nss lookups and authentication with NTLM via pam_winbind. Here is my complete smb.conf, with lines changed from the guide marked with *:

    [global]
    workgroup = IASTATE.EDU
    realm = IASTATE.EDU
    server string = Samba 3 server
    security = ADS
    password server = windc1.iastate.edu, windc2.iastate.edu
    username map = /etc/samba/smbusers
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    wins server = 129.186.142.179, 129.186.142.189
    idmap uid = 100000-200000
    idmap gid = 100000-200000
    *winbind separator = +
    *winbind enum users = no
    *winbind enum groups = no
    winbind use default domain = yes
    *winbind trusted domains only = no
    template homedir = /home/%U
    template shell = /bin/bash
    # Some useful Windows-isms
    wins support = no
    map hidden = no
    map archive = no
    map system = no
    # The following option is often useful. It turns off file caching
    # on the client which can be a problem for some applications.
    oplocks = no

Note that this will result in usernames/groups with a 'IASTATE+' prefix. I ended up using hesiod and kerberos instead because of this.

You may also need to add the machine to the domain. My supervisor added the machine to AD, and then I was able to add it to the domain using this command:

    net ads join -S windc1.iastate.edu -U SOMEUSER -w IASTATE.EDU

after entering my password. The user specified with -U needs to be someone with permission to add machines to the domain. If you play around a lot with the settings, you may need to delete the id maps (probably in /var/lib/samba).

wbinfo, id, and getent are useful for debugging, although I'm not sure getent works with enumeration disabled. The Samba-HOWTO has a decent s
Source: https://blog.hqcodeshop.fi/archives/64-Samba-4-ldaps-server-functionality.html

version 3 smb.conf had issues. See my article about getting Samba to use LDAP as userbase backend. The obvious problem was that it didn't work. A log entry from the failure:

    ../source3/lib/smbldap.c:575(smbldap_start_tls) Failed to issue the StartTLS instruction: Connect error
    ../source3/passdb/pdb_ldap.c:6531(pdb_ldapsam_init_common) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
    ../source3/passdb/pdb_interface.c:177(make_pdb_method_name) pdb backend ldapsam:ldap://my.server did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

I confirmed the existing settings:

    passdb backend = ldapsam:ldap://my.server
    ldap ssl = start tls

After a good while of reading manual pages, an attempt to fix it (an ldaps:// URI is already encrypted, so the StartTLS upgrade is switched off):

    passdb backend = ldapsam:ldaps://my.server
    ldap ssl = off

yielded an improvement:

    ../source3/lib/smbldap.c:998(smbldap_connect_system) failed to bind to server ldaps://my.server with dn="uid=root,ou=People,dc=my,dc=domain" Error: Can't contact LDAP server
    TLS error -8179:Peer's Certificate issuer is not recognized.
    ../source3/passdb/pdb_ldap.c:6531(pdb_ldapsam_init_common) pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
    ../source3/passdb/pdb_interface.c:177(make_pdb_method_name) pdb backend ldapsam:ldaps://my.server did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

This, however, was an easy fix. It was a simple SELinux issue: smbd was not allowed to read the CA certificate directory, so it could not recognise the issuer of the LDAP server's certificate. Labelling the directory with the certificate type fixes it:

    semanage fcontext -a -t cert_t /etc/openldap/cacerts
    restorecon -R -v /etc/openldap/cacerts

To my amazement, the SELinux context does not change on a local Unix-socket request. When Samba makes the request to get user information, the LDAP daemon's certificate store needs to have the proper SELinux type for the directory. OpenLDAP itself does not make such checks and works fully.

Also allowing access to home directories:

    setsebool -P samba_enable_home_dirs 1

After all this, I was happy to get my Samba shares working again. CUPS printing does not. But I'll fix that some day.

by Jari Turkia in Lin
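The four pieces above all come down to a few smb.conf parameters and a handful of smbd log messages. What follows is an added example, my own code and not code from any of the quoted posts or from the Samba project: a small smb.conf parser with a linter that flags the missing `kerberos method = secrets and keytab` from the CentOS thread, an unset `server signing` for Windows clients that require signing (the Super User question), and an `ldapsam` backend bound over plain ldap:// with `ldap ssl = off` (the blog post), plus a classifier that maps the log fragments quoted above to the cause each post found. Assumptions that are mine, not the page's: that Samba 3.x defaulted `server signing` to disabled and `ldap ssl` to `start tls`, and that `server signing = auto` or `mandatory` satisfies a client set to "Digitally sign communications (always)". The sample config and log lines are constructed.

```python
"""Lint a Samba smb.conf and classify smbd log lines for the domain-member
failures discussed on this page.  Added example; defaults assumed are noted inline."""
import re

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def _norm(key):
    """smbd ignores case and embedded whitespace in parameter names."""
    return re.sub(r"\s+", "", key).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_key: value}}; later duplicates win, as in smbd."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # comment or blank line
        m = _SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                      # stray text outside a section
        key, value = line.split("=", 1)
        conf[section][_norm(key)] = value.strip()
    return conf


def lint_domain_member(conf):
    """Return [(severity, message)] findings for the [global] section."""
    g, out = conf.get("global", {}), []
    security = g.get("security", "user").lower()
    if security in ("domain", "ads"):
        # CentOS thread: a host joined through sssd keeps its machine key in the
        # keytab, so smbd must be told to look there and not only in secrets.tdb.
        if "kerberosmethod" not in g:
            out.append(("warn", "security = %s without 'kerberos method = secrets and keytab'" % security))
        if security == "ads" and "realm" not in g:
            out.append(("error", "security = ads requires 'realm ='"))
        # Super User question: clients with 'Digitally sign communications (always)'.
        # Assumption: Samba 3.x defaulted 'server signing' to disabled, so set it explicitly.
        signing = g.get("serversigning", "disabled").lower()
        if signing not in ("auto", "mandatory", "default"):
            out.append(("warn", "server signing = %s; clients that require signing will fail" % signing))
    backend = g.get("passdbbackend", "tdbsam")
    if backend.startswith("ldapsam:"):
        # Blog post: plain ldap:// relies on 'ldap ssl = start tls' (assumed default);
        # turning it off sends the bind DN's password in clear text.
        uri = backend.split(":", 1)[1]
        if uri.startswith("ldap://") and g.get("ldapssl", "start tls").lower() in ("off", "no"):
            out.append(("error", "ldapsam bind to %s with ldap ssl = off is unencrypted" % uri))
    return out


# Fragments of the messages quoted on this page, mapped to the cause each post found.
_LOG_HINTS = (
    ("could not fetch trust account password",
     "no trust account password in secrets.tdb: join the domain (net ads join / net rpc join)"),
    ("Peer's Certificate issuer is not recognized",
     "CA store unreadable by smbd: check the SELinux type (cert_t) on the cacerts directory"),
    ("NT_STATUS_CANT_ACCESS_DOMAIN_INFO",
     "domain info unreachable: check the join secret/keytab or the passdb backend"),
)


def classify_smbd_log(lines):
    """Return the distinct hints whose fragment appears in any of the log lines."""
    hints = []
    for line in lines:
        for fragment, hint in _LOG_HINTS:
            if fragment in line and hint not in hints:
                hints.append(hint)
    return hints


# Constructed sample modelled on the CentOS poster's config (names are placeholders).
BROKEN_CONF = """\
[global]
workgroup = localdomain
security = domain
server signing = auto

[homes]
comment = Home Directories
browseable = no
writable = yes
"""
FIXED_CONF = BROKEN_CONF.replace(
    "security = domain\n", "security = domain\nkerberos method = secrets and keytab\n")

# Constructed log lines modelled on the Super User poster's /var/log/messages.
SAMPLE_LOG = [
    "smbd[3336]: get_schannel_session_key: could not fetch trust account password for domain 'EXAMPLE'",
    "smbd[3336]: cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC for domain EXAMPLE.",
]

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_domain_member(parse_smb_conf(text)))
    print(classify_smbd_log(SAMPLE_LOG))
```

Run it as a script to see the findings for the constructed broken and fixed configs; on a real host, feed it the output of `testparm -s` rather than the raw file so that `include =` directives are already expanded. The hints are deliberately pointers, not fixes: "could not fetch trust account password" means the join never happened or secrets.tdb was lost, which no smb.conf change repairs.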