[Samba] Client accessing Samba doesn't authenticate against Active Directory

Jonathan Johnson jon at sutinen.com
Thu Nov 13 00:06:02 GMT 2003


When a Windows client attempts to browse shares on a Samba 3.0 server
authenticating against a Windows 2003 Active Directory domain, it
requests credentials. Typing in user name and password fails.
Basically, I can't even see the shares.

If I give username/password for a user in smbpasswd, then I can browse
the Samba server.

Configuration info:

ADS server: LICENSE
ADS server IP: 192.168.254.201
ADS domain/realm: 3KINGSINC.LOCAL
Windows Server 2003

Samba server: DATASERVER
Samba server IP: 192.168.254.250
RedHat Linux 9, Samba 3.0.0, krb5 1.3.1
successfully joined this to ADS domain

Client: TS
Client IP: 192.168.254.202
Windows Server 2003
is a member server in ADS domain

-----
Output of wbinfo -t:
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret

-----
Output of klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@3KINGSINC.LOCAL
 
Valid starting     Expires            Service principal
11/12/03 14:18:01  11/13/03 00:18:05  krbtgt/3KINGSINC.LOCAL@3KINGSINC.LOCAL
        renew until 11/13/03 14:18:01
 
 
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

-----
Output of kinit administrator@3KINGSINC.LOCAL
Password for administrator@3KINGSINC.LOCAL:<passwd>
[root@dataserver samba]#

-----
Output of kadmin:
Authenticating as principal administrator/admin@3KINGSINC.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

-----
Output of kadmin -p ADMINISTRATOR@3KINGSINC.LOCAL:
Authenticating as principal ADMINISTRATOR@3KINGSINC.LOCAL with password.
Password for ADMINISTRATOR@3KINGSINC.LOCAL:<passwd>
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

-----
Output of smbclient -L license -U Administrator
Password:<passwd>
 
        Sharename      Type      Comment
        ---------      ----      -------
        E$             Disk      Default share
        IPC$           IPC       Remote IPC
        NETLOGON       Disk      Logon server share
        ADMIN$         Disk      Remote Admin
        SYSVOL         Disk      Logon server share
        C$             Disk      Default share
 
        Server               Comment
        ---------            -------
        DATASERVER           File Storage (BG Samba Server)
        LICENSE
        TS
 
        Workgroup            Master
        ---------            -------
        3 KINGS              3-I1FQNAK3OL85P
        3KINGSINC            LICENSE

-----
Output of smbclient -L dataserver -U Administrator
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

-----
Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL
[2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

-----
Interesting lines of /var/log/samba/log.192.168.254.202:

[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
     (message is repeated twice)

-----
Interesting lines of /var/log/samba/log.winbindd:
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!

-----
Interesting lines of /var/log/messages:
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]:   SMB Signature verification failed on incoming packet!

-----
Content of smb.conf:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/11/12 14:18:40
                                                                                
# Global parameters
[global]
        workgroup = 3KINGSINC
        realm = 3KINGSINC.LOCAL
        server string = File Storage (BG Samba Server)
        security = ADS
        password server = license.3kingsinc.local
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -d/home/%D/%U %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
                                                                                
[homes]
        comment = Home Directories
        read only = No
        browseable = No
                                                                                
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
                                                                                
-----
Interesting lines of nsswitch.conf:
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns wins
                                                                                
-----
Content of krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
                                                                                
[libdefaults]
 ticket_lifetime = 24000
 default_realm = 3KINGSINC.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 3KINGSINC.LOCAL = {
  kdc = license.3kingsinc.local:88
  admin_server = license.3kingsinc.local:749
  default_domain = 3KINGSINC.LOCAL
 }
                                                                                
[domain_realm]
 .3kingsinc.local = 3KINGSINC.LOCAL
 3kingsinc.local = 3KINGSINC.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
                                                                                
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
                                                                                
-----

--Jon
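
Added example, not part of the original post: a small parser for the two-line Samba log records quoted above (including the syslog-prefixed copies in /var/log/messages) that counts SMB signing and Kerberos ticket verification failures per reporting function. The names parse_records, summarize and SIGNALS are hypothetical, and SAMPLE is constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Samba 3.0 record header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(?P<level>\d+)\]\s*"
                    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)")
# syslog prefix present when the same record lands in /var/log/messages
SYSLOG = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ \S+\[\d+\]: ?")

# Hypothetical signal names; the patterns match the messages quoted in the post.
SIGNALS = {
    "smb_signing": re.compile(r"SMB signature (check|verification) failed", re.I),
    "kerberos_ticket": re.compile(r"Failed to verify incoming ticket"),
}

# Constructed sample: records quoted in the post, with mail line-wraps undone.
SAMPLE = """\
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]:   SMB Signature verification failed on incoming packet!
"""

def parse_records(text):
    """Join each header line with its indented message lines into one record."""
    records = []
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw)          # drop the syslog prefix if there is one
        m = HEADER.search(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():      # continuation of the previous record
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(text):
    """Count security-relevant failures per (signal, reporting function)."""
    counts = Counter()
    for rec in parse_records(text):
        for name, pat in SIGNALS.items():
            if pat.search(rec["msg"]):
                counts[(name, rec["func"])] += 1
    return counts

if __name__ == "__main__":
    for (signal, func), n in sorted(summarize(SAMPLE).items()):
        print(f"{signal:16} {func:24} {n}")
```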




