[Samba] Client accessing Samba doesn't authenticate against Active Directory
Jonathan Johnson
jon at sutinen.com
Thu Nov 13 00:06:02 GMT 2003
When a Windows client attempts to browse shares on a Samba 3.0 server
authenticating against a Windows 2003 Active Directory domain, it
requests credentials. Typing in user name and password fails.
Basically, I can't even see the shares.
If I give username/password for a user in smbpasswd, then I can browse
the Samba server.
Configuration info:
ADS server: LICENSE
  ADS server IP: 192.168.254.201
  ADS domain/realm: 3KINGSINC.LOCAL
  Windows Server 2003
Samba server: DATASERVER
  Samba server IP: 192.168.254.250
  RedHat Linux 9, Samba 3.0.0, krb5 1.3.1
  successfully joined this to ADS domain
Client: TS
  Client IP: 192.168.254.202
  Windows Server 2003
  is a member server in ADS domain
-----
Output of wbinfo -t:
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret
-----
Output of klist:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@3KINGSINC.LOCAL
Valid starting     Expires            Service principal
11/12/03 14:18:01  11/13/03 00:18:05  krbtgt/3KINGSINC.LOCAL@3KINGSINC.LOCAL
        renew until 11/13/03 14:18:01
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-----
Output of kinit administrator@3KINGSINC.LOCAL
Password for administrator@3KINGSINC.LOCAL:<passwd>
[root@dataserver samba]#
-----
Output of kadmin:
Authenticating as principal administrator/admin@3KINGSINC.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
-----
Output of kadmin -p ADMINISTRATOR@3KINGSINC.LOCAL:
Authenticating as principal ADMINISTRATOR@3KINGSINC.LOCAL with password.
Password for ADMINISTRATOR@3KINGSINC.LOCAL:<passwd>
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface
-----
Output of smbclient -L license -U Administrator
Password:<passwd>
        Sharename       Type      Comment
        ---------       ----      -------
        E$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        ADMIN$          Disk      Remote Admin
        SYSVOL          Disk      Logon server share
        C$              Disk      Default share
        Server               Comment
        ---------            -------
        DATASERVER           File Storage (BG Samba Server)
        LICENSE
        TS
        Workgroup            Master
        ---------            -------
        3 KINGS              3-I1FQNAK3OL85P
        3KINGSINC            LICENSE
-----
Output of smbclient -L dataserver -U Administrator
Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
-----
Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL
[2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
-----
Interesting lines of /var/log/samba/log.192.168.254.202:
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
(message is repeated twice)
-----
Interesting lines of /var/log/samba/log.winbindd:
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
-----
Interesting lines of /var/log/messages:
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]: SMB Signature verification failed on incoming packet!
-----
Content of smb.conf:
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/11/12 14:18:40
# Global parameters
[global]
        workgroup = 3KINGSINC
        realm = 3KINGSINC.LOCAL
        server string = File Storage (BG Samba Server)
        security = ADS
        password server = license.3kingsinc.local
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -d/home/%D/%U %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
[homes]
        comment = Home Directories
        read only = No
        browseable = No
[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
-----
Interesting lines of nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins
-----
Content of krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = 3KINGSINC.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 3KINGSINC.LOCAL = {
  kdc = license.3kingsinc.local:88
  admin_server = license.3kingsinc.local:749
  default_domain = 3KINGSINC.LOCAL
 }
[domain_realm]
 .3kingsinc.local = 3KINGSINC.LOCAL
 3kingsinc.local = 3KINGSINC.LOCAL
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
-----
--Jon