Access Denied when trying to Join Domain

Hi –

I recently reloaded my server with OpenSuSE 13.1. The network had worked fine, but now if I try to join a workstation to the Samba Domain I get the message, “Access Denied.” I suspect that there’s a switch somewhere in Samba or Netlogon or some other place that will enable a workstation to join the domain, but I can’t find it.

The server reload was relatively simple; LAMP server, file server, no games or multimedia. In the previous incarnation (OpenSuSE 12) the workstations had no problem joining the domain. Since the only change was the server, I think the problem is there.

Can somebody advise?

Thank you.

cheers,
pete

On 2014-09-05 00:36, peteclapham wrote:
>
> Hi –
>
> I recently reloaded my server with OpenSuSE 13.1. The network had
> worked fine, but now if I try to join a workstation to the Samba Domain

Domain, as in AD, Active Directory? That’s a domain in Windows parlance.

> games or multimedia. In the previous incarnation (OpenSuSE 12)

No such openSUSE version. 12.1, 12.2, 12.3, yes. All are fully different
releases…


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Not so. OpenSuSE 13.1 is now available, and I decided to make the upgrade (I almost wish I hadn’t).

When Windows wants to join a networking system, it gives you the choice of a Domain or a Workgroup. Of the two, workgroups give you access to some system resources, but not all. Domains give you all. The “Domain” is the term used by Windows, not by Linux. Linux appears not to care about the difference, but rather to make the connection happen.

We’ll need to know a few things more because you literally told us nothing except you have 13.1.

When you set up your 13.1, did you use the Samba server tool in YAST2 to create a PDC?
Have you looked at /var/log/messages and /var/lib/samba/ (multiple logs here) to see what errors occur when you try to join the domain?
Are you using .localdomain as the domain name? If so, that will not work due to Zeroconf.

That is of course /var/log/samba, not lib.

AFAIK LDAP (even on Linux) has not deprecated the term “Domain” and since AD is based on the same roots uses the term similarly.
Although I have not played around with this since it was first introduced, since SAMBA4 supports 99.9% AD, SAMBA4 should have a concept of a LDAP Domain (unlike SAMBA3 which was based on NT4 style domains).

TSU

On 2014-09-05 17:06, peteclapham wrote:
>
> Not so. OpenSuSE 13.1 is now available, and I decided to make the
> upgrade (I almost wish I hadn’t).

What is “not so”? :-?

On 2014-09-05 17:16, peteclapham wrote:

> robin_listas;2662855 Wrote:
>> Domain, as in AD, Active Directory? That’s a domain in Windows parlance.

> When Windows wants to join a networking system, it gives you the choice
> of a Domain or a Workgroup. Of the two, workgroups give you access to
> some system resources, but not all. Domains give you all. The
> “Domain” is the term used by Windows, not by Linux. Linux appears not
> to care about the difference, but rather to make the connection happen.

I know all that. I wanted confirmation that you were using what Windows
calls “a domain”.

You haven’t said yet what openSUSE version you were using previously,
because “openSUSE 12” never existed. But chances are that you were using
samba 3, whereas openSUSE 13.1 has samba 4. And, as you can see by
simply looking at the samba article in the wikipedia, «Version 4 was
released on 11 December 2012. It is a major rewrite that enables Samba
to be an Active Directory domain controller, participating fully in a
Windows Active Directory Domain. Its first technical preview (4.0.0TP1)
was released in January 2006 after 3 years of development.»

Thus simply moving over the configuration in your previous server to
this one will not work, specially regarding the “domain” configuration.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Carlos –

Thanks for your comments. As for the reference to OpenSuSE12, I’ve used 12.1, 12.2, and 12.3 successfully.

Enough of that. I set up the new installation in my server (whose name is ‘earth’) as a PDC using the Samba Server tool in YAST. From your description, I suspect strongly that my problem is that the AD relationship isn’t set up correctly. I did not set up earth as a WINS server, but rather indicated that it should link to the University’s WINS server as supplied by DHCP. Previously, this worked. Frankly, I would rather run WINS service on earth and not worry about the University’s system. Will this solve the problem? I’ve looked at the log files, and they don’t seem to be very helpful – except to suggest that there should be a WINS server.

cheers,
pete

On 2014-09-06 19:16, peteclapham wrote:
>
> Carlos –
>
> Thanks for your comments. As for the reference to OpenSuSE12, I’ve used
> 12.1, 12.2, and 12.3 successfully.
>

Ok, you used all of them. I’ll assume that your server was then using
12.3 when you “reloaded” it to 13.1

Just please be aware that they are three totally independent releases.
In openSUSE there is no such thing as the 11.x series, the 12.x series -
despite the naming. It is confusing, I agree, but knowing the exact
version you used is important.

> Enough of that. I set up the new installation in my server (whose name
> is ‘earth’) as a PDC using the Samba Server tool in YAST. From your
> description, I suspect strongly that my problem is that the AD
> relationship isn’t set up correctly. I did -not- set up earth as a WINS
> server, but rather indicated that it should link to the University’s
> WINS server as supplied by DHCP. Previously, this worked. Frankly, I
> would rather run WINS service on earth and not worry about the
> University’s system. Will this solve the problem? I’ve looked at the
> log files, and they don’t seem to be very helpful – except to suggest
> that there should be a WINS server.

Unfortunately, most of my experience has been with samba 3, not 4, and
I’m afraid that YaST doesn’t fully support it. See the release notes:

https://www.suse.com/releasenotes/i386/openSUSE/13.1/RELEASE-NOTES.en.html#idp315834436

«Samba version 4.1 shipped with openSUSE 13.1 does not include support
to operate as an Active Directory style domain controller. This
functionality is currently disabled, as it lacks integration with
system-wide MIT Kerberos.»


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

WINS has nothing to do with AD and LDAP based network security, these use Hostname based resolution only (no WINS and lmhosts files).

It’s curious that your school may point to a WINS server, but unless anyone is running NT4 style network security, it’s as useless as an appendix.

If you don’t know or are impatient about learning network security, you should just ask the proper questions and then get a recommendation how to setup.

Typical common server “roles” you can set up your Server…

  • A workgroup server. No Domain, every server maintains its own local security accounts, when a client machine connects to a workgroup server, the client passes a username/password for a User Account that exists on the Server, so you either have to have the same accounts set up on every individual server or know which accounts will work on each Server.
  • A Member Server. The Server you set up (which may or may not be running SAMBA3 or SAMBA4) is configured as a member of an existing Domain but typically does not store network credentials locally (there are exceptions). When a client machine requests access to a network resource on the Member Server, the credentials are passed to a Domain Controller which contains a database of authorized accounts. If authorized, a token is returned which can be used to grant access to specified resources.
  • A Domain Controller of an original Domain. Instead of joining an existing Domain, the server is set up as the original Domain Controller of a new Domain so also has its own database of authorized Domain User accounts. Since this is an original list, this authentication and authorization ordinarily wouldn’t be valid for any other Domain including your School’s Domain. But, it may be possible to configure a Domain Trust to describe an automatic mapping of User accounts to permit your separate Domain’s Users to access resources in the other Domain (eg University).

To decide which way to setup your Server, you need to ask basic questions… like

  • Do you intend to set up your own database of User accounts?
  • Do you intend to serve network resources? I’m guessing you may want to serve CIFS network shares because that’s a common reason to install SAMBA.
  • Do you intend to setup other servers?
  • Do you intend to maintain client machines?
  • Any Domain setup may require DHCP and DNS configuration as well. Are you prepared for that?

TSU

Hmmm – This seems like a perfect Catch-22. The distro includes 4.1, but it doesn’t work.

Query – Samba-3 would give you a perfectly operational NT4-type PDC. Can Samba-4 do the same thing? That would work for me. Going to the Samba website, it appears that Samba-4 is up to Samba 4.1.11, but they appear to prefer Debian to RPM. Would it help to install the later version (can one?)?

Current samba from the standard opensuse repositories:

# smbd --version
Version 4.1.11-3.26.1-3274-SUSE-oS13.1-x86_64

Unless you’re chasing a feature that’s not available in the standard repos, you should always prefer what is most easily available. After all, that’s one of the features of openSUSE, you should ordinarily see the most recent stable versions of most common apps.

TSU

Miuku wrote:

>
> We’ll need to know a few things more because you literally told us
> nothing except you have 13.1.
<snip>

+1
Pete;
You have not provided enough information for even informed speculation. At
the very minimum you should post the contents of /etc/samba/smb.conf.
Samba4 still supports the old Samba3/NT style domain.

Are smb and nmb running?


systemctl status smb.service
systemctl status nmb.service

Are Samba Client, Samba Server and Netbios Server all allowed services in
SuSEfirewall2? (YaST > Security and Users > Firewall > Allowed Services)

Have you checked AppArmor? Turn it off and see if the problem continues.

Have you created Samba users?


P.V.
“We’re all in this together, I’m pulling for you” Red Green

Miuku –

Thank you for your comments. I think they may point to the problem – the AppArmor configuration. We’ll see tomorrow when I get back to campus, but when I turned it off from home, I was able to get past the “Access Denied” message I’ve gotten previously.

cheers,
pete

Good good,

If it is indeed AppArmor causing the problem, you can use the AppArmor Configuration to set Samba and other services related to it to “Complain Only” instead of Enforce, then figure out what files it needs to have access to and fix it, then return to Enforce mode.

On 2014-09-07 20:36, Miuku wrote:
>
> Good good,
>
> If it is indeed AppArmor causing the problem, you can use the
> AppArmor Configuration to set Samba and other services related to it to
> “Complain Only” instead of Enforce, then figure out what files it needs
> to have access to and fix it,

run “aa-logprof”. Should do it.

> then return to Enforce mode.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Well, it looks like I lied. If I log onto a workstation, I can get a net use command to get both the read-only resources on the server and the home directories. This is an improvement, but the workstation still cannot join the domain. The tests run (below) appear to indicate that the domain and the PDC are operating. I have verified that the directories indicated in the “add machine” script exist and are writable by root. The error message I get when trying to join a workstation to the domain (ERSL) is “the specified domain either does not exist or cannot be contacted.” Given that Samba is clearly running (and working), and that the domain name is clearly ERSL, this seems strange.

Here is the smb.conf file:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = ERSL
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
security = user
wins support = No
idmap gid = 10000-20000
idmap uid = 10000-20000
kerberos method = secrets and keytab
netbios name = EARTH
include = /etc/samba/dhcp.conf
wins server =
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[geo323files]
comment = GCT Files
inherit acls = Yes
path = /applications/geo323files
read only = Yes

[geo423files]
comment = GEO and EVS 423 523 files
inherit acls = Yes
path = /applications/geo423files
read only = Yes

[geo425files]
comment = GEO and EVS 425 Files
inherit acls = Yes
path = /applications/geo425files
read only = Yes

[geo427files]
comment = GEO and EVS 427 Files
inherit acls = Yes
path = /applications/geo427files
read only = Yes

[images]
comment = Image Files
inherit acls = Yes
path = /applications/images
read only = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

[testdata]
comment = Test Data Directory
inherit acls = Yes
path = /applications/testdata
read only = Yes

[testques]
comment = Test Question Repository
inherit acls = Yes
path = /applications/testques
read only = No

[ghost]
comment = GHOST files
inherit acls = Yes
path = /applications/ghost
read only = Yes

==========================================================

Here is the result of systemctl -l status smb.service

smb.service - LSB: Samba SMB/CIFS file and print server
   Loaded: loaded (/etc/init.d/smb)
   Active: active (running) since Mon 2014-09-08 15:24:37 EDT; 6min ago
  Process: 22069 ExecStop=/etc/init.d/smb stop (code=exited, status=0/SUCCESS)
  Process: 21092 ExecReload=/etc/init.d/smb reload (code=exited, status=0/SUCCESS)
  Process: 22079 ExecStart=/etc/init.d/smb start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/smb.service
           22090 /usr/sbin/smbd -D -s /etc/samba/smb.conf
           22091 /usr/sbin/smbd -D -s /etc/samba/smb.conf
           22093 /usr/sbin/smbd -D -s /etc/samba/smb.conf

Sep 08 15:24:37 earth smb[22079]: Starting Samba SMB daemon ...done
Sep 08 15:24:37 earth systemd[1]: Started LSB: Samba SMB/CIFS file and print server.
Sep 08 15:25:55 earth smbd[22120]: [2014/09/08 15:25:55.467021, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
Sep 08 15:25:55 earth smbd[22120]: _netr_ServerAuthenticate3: failed to get machine password for account ORINOCO$: NT_STATUS_NONE_MAPPED
Sep 08 15:25:55 earth smbd[22120]: [2014/09/08 15:25:55.468923, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
Sep 08 15:25:55 earth smbd[22120]: _netr_ServerAuthenticate3: failed to get machine password for account ORINOCO$: NT_STATUS_NONE_MAPPED
Sep 08 15:30:26 earth smbd[22151]: [2014/09/08 15:30:26.754747, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
Sep 08 15:30:26 earth smbd[22151]: _netr_ServerAuthenticate3: failed to get machine password for account GREYBULL$: NT_STATUS_NONE_MAPPED
Sep 08 15:30:26 earth smbd[22151]: [2014/09/08 15:30:26.756827, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:975(_netr_ServerAuthenticate3)
Sep 08 15:30:26 earth smbd[22151]: _netr_ServerAuthenticate3: failed to get machine password for account GREYBULL$: NT_STATUS_NONE_MAPPED

========================================================

Here is the result of systemctl -l status nmb.service

nmb.service - LSB: Samba NetBIOS naming service over IP
   Loaded: loaded (/etc/init.d/nmb)
   Active: active (running) since Mon 2014-09-08 15:24:41 EDT; 5min ago
  Process: 22096 ExecStop=/etc/init.d/nmb stop (code=exited, status=0/SUCCESS)
  Process: 20329 ExecReload=/etc/init.d/nmb reload (code=exited, status=3)
  Process: 22106 ExecStart=/etc/init.d/nmb start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/nmb.service
           22115 /usr/sbin/nmbd -D -s /etc/samba/smb.conf

Sep 08 15:24:41 earth systemd[1]: Starting LSB: Samba NetBIOS naming service over IP...
Sep 08 15:24:41 earth nmb[22106]: Starting Samba NMB daemon ...done
Sep 08 15:24:41 earth systemd[1]: Started LSB: Samba NetBIOS naming service over IP.
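As an added diagnostic example (not code from the thread or from Samba), the script below parses an smb.conf like the one posted above, checks the [global] settings an NT4-style PDC needs, and pulls out of the journal the machine accounts that smbd reported as NT_STATUS_NONE_MAPPED, i.e. trust accounts it could not find in its password database. The config and log lines embedded in it are constructed from the post above and trimmed.

```python
import re

# Constructed from the smb.conf and journal excerpts posted above (trimmed).
SMB_CONF = """\
[global]
workgroup = ERSL
passdb backend = tdbsam
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
security = user
netbios name = EARTH
[homes]
read only = No
"""

JOURNAL = """\
Sep 08 15:24:37 earth systemd[1]: Started LSB: Samba SMB/CIFS file and print server.
Sep 08 15:25:55 earth smbd[22120]: _netr_ServerAuthenticate3: failed to get machine password for account ORINOCO$: NT_STATUS_NONE_MAPPED
Sep 08 15:30:26 earth smbd[22151]: _netr_ServerAuthenticate3: failed to get machine password for account GREYBULL$: NT_STATUS_NONE_MAPPED
"""

# [global] settings an NT4-style PDC needs (values compared case-insensitively).
PDC_REQUIRED = {"security": "user", "domain logons": "yes", "domain master": "yes"}

NONE_MAPPED = re.compile(
    r"failed to get machine password for account (\S+\$): NT_STATUS_NONE_MAPPED")

def parse_global(text):
    """Return the [global] section of an smb.conf as a {key: value} dict."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def pdc_problems(settings):
    """Settings that would stop workstations joining an NT4-style domain."""
    problems = []
    for key, want in PDC_REQUIRED.items():
        have = settings.get(key, "<unset>")
        if have.lower() != want:
            problems.append(f"{key} = {have} (need {want})")
    if not settings.get("add machine script"):
        problems.append("add machine script unset: joins cannot create machine accounts")
    return problems

def missing_machine_accounts(journal):
    """Machine (trust) accounts smbd could not find in its password database."""
    return sorted({m.group(1) for m in NONE_MAPPED.finditer(journal)})

if __name__ == "__main__":
    cfg = parse_global(SMB_CONF)
    print("PDC config problems:", pdc_problems(cfg) or "none")
    print("machine accounts without a passdb entry:", missing_machine_accounts(JOURNAL))
```

On a live server the same two functions can be fed /etc/samba/smb.conf and the output of journalctl -u smb.service; an account listed by the second check has to be created (or the workstation re-joined) before the secure channel can be established.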

On 9/8/2014 2:56 PM, peteclapham wrote:
>
> Well, it looks like I lied. If I log onto a workstation, I can get a
> net use command to get both the read-only resources on the server and
> the home directories. This is an improvement, but the workstation still
> cannot join the domain. The tests run (below) appear to indicate that
> the domain and the PDC are operating. I have verified that the
> directories indicated in the “add machine” script exist and are writable
> by root. The error message I get when trying to join a workstation to
> the domain (ERSL) is “the specified domain either does not exist or
> cannot be contacted.” Given that Samba is clearly running (and
> working), and that the domain name is clearly ERSL, this seems strange.
>
>
> Here is the smb.conf file:
>
<snip>
>
Pete;

I did not spot any obvious errors in your smb.conf. If the clients are Windows 7 or higher there is a registry hack
that needs to be done when joining an NT style domain. Have you done this?

http://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains


P.V.
“We’re all in this together, I’m pulling for you” Red Green

I was under the impression (from my days of working with Windows), that “Workgroup” and “Domain (as in AD)” were two different entities. If I am right, “ERSL” is a Workgroup, not a Domain. My two cents worth. Hope that might help.