1 – QAS needs to be in a healthy state for authentication to take place. Use the following command to ensure QAS is in a healthy state:
2- Run the following script to ensure smb.conf and vas.conf configuration files are correct:
Also, if you answered yes to Obey Pam restriction, ensure the PAM files are set up correctly. Use the following commands to set up the PAM files:
/opt/quest/bin/vastool configure pam samba
/opt/quest/bin/vastool configure pam smbd
3 - Run the following commands to check if Samba is properly joined:
net ads testjoin
net rpc testjoin
These two commands confirm that Samba is correctly joined using both the Kerberos/AD and the NTLM/RPC protocols.
If the rpc testjoin takes a long time, or fails, you may need to set the wins server parameter in smb.conf. It should be set to the hostname of a nearby domain controller.
If net ads testjoin fails, try synchronizing the /etc/opt/quest/vas/host.keytab and Samba's secrets.tdb with the following command:
/opt/quest/bin/vastool -q -u host/ passwd -r -o | /opt/quest/libexec/vas-set-samba-password
The vas-set-samba-password and vas-samba-config scripts are part of the Quest Identity Mapper.
Please note: Technical Support only supports Authentication Services and Identity Mapper setup. We do not support Samba.
4 - Run the following command to check the smb.conf parameter names are correct:
8 - As a user, run the following directly on the Samba server:
Ensure it shows a valid Kerberos ticket for the user, which is needed to connect, then run:
$ smbclient -k //server-fqdn/username
where server-fqdn is the fully-qualified hostname of your server, and username is your username.
This will let you browse your home directory. (It is assumed that you have not modified the default [homes] section in the Samba configuration file. Otherwise, use any other share you have configured.)
9 – Check that Samba, Winbindd and Identity Mapper are running. Please note that Samba process names may differ depending on the version you are running. Also, vasidmapd only works when winbindd is running.
ps -ef | grep vasidmapd
ps -ef | grep smb
ps -ef | grep samba
ps -ef | grep nmbd
ps -ef | grep winbindd
Winbindd is not always needed. It is needed if you are using users that are not Unix-enabled. It is also needed if you want to modify permissions from the Windows side.
10 - Ensure the user has a valid Kerberos ticket on either the Windows client or the Unix client.
On Windows, the user presses Control-Alt-Delete, then locks and unlocks the workstation. Unix users should run vastool kdestroy followed by vastool kinit.
11 – Other things to try: restart the Samba service, check that ports 445 and 139 are not blocked by a firewall, and check that access is not being blocked by SELinux policy.
12 – With newer operating systems such as Windows 7 and Windows 2008, older Samba versions will not work. Be sure you are running Samba version 3.3.16 or higher. You will also probably need to install a newer Quest Identity Mapper, which you can download from https://github.com/topics/rc-quest-com.
13 - In Windows 2012 SMB1 is disabled. You can enable it (see Microsoft for instructions) or you can upgrade QAS to version 220.127.116.1139 or higher, which supports SMB2 after setting vas.conf settings. After upgrading, run the following command to set the /etc/opt/quest/vas/vas.conf setting to enable SMB2:
/opt/quest/bin/vastool configure vas libvas smb-dialect-range 2.1-3
14 - If it is still not resolved, enable Samba debug logging to collect more information:
a) Edit smb.conf and change the following settings:
log level = 99
max log size = 0 (this is set so that the log file is not rotated and overwritten)
b) Restart Samba services
c) Recreate the issue by trying to access the share or waiting until the behavior occurs
d) Open a service request and send the Samba log file
e) Change smb.conf back to its previous state and restart the services again
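
One way to script steps a and e of the debug procedure above so that the previous smb.conf is restored exactly. This is an added example, not Quest's or Samba's own tooling; the function names and the ".pre-debug" backup suffix are assumptions, and restarting the Samba services is left to the operator.

```sh
#!/bin/sh
# Added example (not vendor code). The ".pre-debug" backup suffix and the
# function names are assumptions; pass the path of your own smb.conf.

# set_global_param FILE KEY VALUE: drop KEY from [global], then write it as the
# last line of that section so it comes after any other setting there.
set_global_param() {
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        # Parameter names are compared without case or whitespace.
        function name(s) { sub(/=.*/, "", s); gsub(/[ \t]/, "", s); return tolower(s) }
        function emit() { if (in_g && !done) { print "\t" key " = " val; done = 1 } }
        BEGIN { want = name(key) }
        /^[ \t]*\[/ { emit(); in_g = (tolower($0) ~ /^[ \t]*\[global\]/); print; next }
        in_g && index($0, "=") && name($0) == want { next }
        { print }
        END { emit() }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Step a: back up smb.conf, then set the two debug parameters.
enable_samba_debug() {
    conf=$1
    grep -qi '^[[:space:]]*\[global\]' "$conf" 2>/dev/null ||
        { echo "no [global] section in $conf" >&2; return 1; }
    # An existing backup means debug is already on; overwriting it would
    # lose the original settings.
    [ ! -e "$conf.pre-debug" ] ||
        { echo "backup $conf.pre-debug already exists" >&2; return 1; }
    cp -p "$conf" "$conf.pre-debug" || return 1
    set_global_param "$conf" "log level" 99 &&
        set_global_param "$conf" "max log size" 0
}

# Step e: put the original file back and remove the backup.
restore_samba_config() {
    conf=$1
    [ -f "$conf.pre-debug" ] || { echo "no backup for $conf" >&2; return 1; }
    cat "$conf.pre-debug" > "$conf" && rm -f "$conf.pre-debug"
}
```

Call enable_samba_debug with the path of smb.conf, restart Samba and reproduce the issue, then call restore_samba_config with the same path and restart again.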