Troubleshoot the Samba Integration

  1. Check firewall ports are open for Samba. Make sure that at least the following ports are open for use by Samba:
    • 137/udp: used by nmbd
    • 138/udp: used by nmbd
    • 139/tcp: used by smbd
    • 445/tcp: used by smbd
  2. Check the folder permissions of the share.
  3. Verify that the machine password in secrets.tdb is up to date by running: net ads testjoin. A successful result will look like this: Join is OK.
  4. Test user authentication locally with smbclient: smbclient -L -U DEMO\\pbisadmin.

Net ADS Testjoin Failed

If there is an issue, manually compare the machine password that is stored in secrets.tdb (location varies across the Linux distributions) with the machine password that is used by AD Bridge.

Use tdbtool to check the machine password in secrets.tdb:

# cd /var/lib/samba/private/; ls
msg.sock passdb.tdb secrets.ldb secrets.tdb
# tdbtool
tdb> open secrets.tdb
tdb> dump

To list AD Bridge password run: /opt/pbis/bin/lsa ad-get-machine password.

The passwords must match. If they do not, resolve the mismatch by re-running the AD Bridge Samba interop tool. The tool resynchronizes the machine password in secrets.tdb with the machine password AD Bridge set in Active Directory. Samba will need to be restarted for the change to take effect. Make sure machine password timeout = 0 is set to prevent this from occurring.

Authentication Failure - NT_STATUS_LOGON_FAILURE

If smbclient returns NT_STATUS_LOGON_FAILURE as in the below results:

[root@cen73 ~]# smbclient -L -U pbisadmin
Enter DEMO\pbisadmin's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Make sure that the SAM account name exactly matches the first component of the UPN used Samba, as shown in the following examples.

  1. Check the SAM account name by running:
    [root@cen73 ~]# /opt/pbis/bin/lsa ad-get-machine account | grep SAM
    SAM Account Name: CEN1234-SU1AY3B$
  2. Compare the SAM account name with the first component of the UPN used by Samba in the logs:
    [root@cen73 ~]# tail -f log.smbd | grep kerberos_kinit_password
    kerberos_kinit_password CEN123456789123456789$@DEMO.COM failed: Client not found in Kerberos database

If the SAM account name and the first component of the UPN do not match, resolve the mismatch by doing the following:

  1. Make sure the host name is 15 characters or less.
  2. Make sure there are no computer accounts in AD that have the same SAM account name but a different DNS suffix.
  3. Leave the domain with --deleteAccount.
  4. Rejoin the domain.
  5. Try smbclient test again.

Fix Error Code 40022: Failed to Refresh Machine TGT

If you get an error in the log that looks something like the following entries (the time stamps and the machine name have been removed), you must add the machine password timeout option to the global section of smb.conf and set it to 0 to integrate AD Bridge with Samba:

lsassd[1722]: 0x7fafc3ff7700:Error:
Failed to refresh machine TGT [Error code: 40022]
lsassd[1722]: 0x7fafc3ff7700:Error:
Failed to refresh machine TGT [Error code: 40022]

If the machine password option is not added to the smb.conf and set to 0, Samba will change the machine account password without notifying the AD Bridge authentication service, leaving AD Bridge unable to connect to the domain.