I can initially join a linux box to the domain with these commands:
sudo kinit administrator@WINDOWS.CORP.SPRINGVENTUREGROUP.COM
sudo net ads join -k
After a few hours or the next day, this happens:
user@host:~$ sudo wbinfo -a administrator
Enter administrator's password:
plaintext password authentication failed
Could not authenticate user administrator with plaintext password
Enter administrator's password:
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
Could not authenticate user administrator with challenge/response
These commands work as expected all the time:
sudo wbinfo -t
sudo wbinfo -u
sudo wbinfo -g
sudo wbinfo -i administrator
Samba Version 4.2.5-SerNet-Ubuntu-8.trusty, here is my smb.conf
[global]
workgroup=WINDOWS
security=ads
realm=WINDOWS.x.x.COM
domain master=no
local master=no
preferred master=no
load printers=no
printing=bsd
printcap name=/dev/null
disable spoolss=yes
idmap backend=tdb
idmap uid=10000-99999
idmap gid=10000-99999
idmap config WINDOWS:backend=rid
idmap config WINDOWS:range=10000-9999
winbind enum users=yes
winbind enum groups=yes
winbind use default domain=yes
winbind nested groups=yes
winbind refresh tickets=yes
winbind offline logon=yes
template shell=/bin/false
client use spnego=yes
client ntlmv2 auth=yes
encrypt passwords=yes
restrict anonymous=2
log file=/var/log/samba/samba.log
log level=2
dcerpc endpoint servers=remote
Nothing useful in the logs :(
[2015/11/25 15:26:23.524927, 2] ../source3/libsmb/cliconnect.c:1306(cli_session_setup_kerberos_send)
Doing kerberos session setup
[2015/11/25 15:26:23.532756, 2] ../source3/winbindd/winbindd_pam.c:2016(winbind_dual_SamLogon)
NTLM CRAP authentication for user [WINDOWS]\[administrator] returned NT_STATUS_ACCESS_DENIED
Any help appreciated
