[Samba] 3.0 Authenticating to Win2003

Thu Oct 16 14:45:30 GMT 2003

Samba Version: 3.0.0
Linux Version:  Redhat 8
Kernel: 2.4.18-19.8.0smp
Kerberos: Mit 1.3.1
Windows Version: 2003 running in mixed mode (though we will be switching to
native mode soon)

The system was initially set up to hit the NT4 Domain and was authenticating to the domain. 
The NT 4 domain was upgraded to 2003 running in mixed mode.  The Samba server could still authenticate to the domain with security=domain set.   We will be switching the 2003 domain over to native mode soon so the the Samba server needs to be able to authenticate to the AD before we can.  

I downloaded and built MIT Kerberos v1.3.1 and then rebuilt Samba with winbind, msdfs, smbwrapper, smbmount, syslog, and utmp.

I set up the smb.conf as shown below

I configured my krb5.conf as shown below.  

I start smbd, nmbd and winbindd

The I do a kinit administrator at lfs.mydomain.org
it prompts me for and I type in my 2003 administrator password and it is happy.

klist show a valid (I think) ticket.

I then type 'net ads join'  and I get the message "Joined SRALHOME' to realm 'LFS.MYDOMAIN.ORG'

wbinfo -g and wbinfo -u return the user and group info from the 2003 domain
wbinfo -t says 'checking the trust secret via RPC calls succeeded. 

I then go to an XP box that is on the domain where I am logged in as dshare and type in % net use * \\sralhome\dshare  
It prompts me for a password I try using dshare and I get a 1326 error, logon failure: uknown username or bad password
I can find no information in the logs associated with this request.  

I try 'net use * \\sralhome\dshare /user:dshare' and get the same thing.
In the logs I see  
'getpwnam lfs.mydomian.org+dshare'
followed by 
'invalid data size key [SEQNUM/LFS]
but later on I see 
'Searh for (|(sAMAccountname=dshare) (userPrincipalName=dshare at lfs.mydomain.org)) gave 1 replies
and it apprears to find my sid and a wchache_save_name_to_sid mapping.
It does the several times but each time eventually ends with
'read 0 bytes. Need 1568 more for a full request'
read failed on sock 18, pid 7669: EOF.   
This 'read failed error always occurs after a call to nsswitch/winbindd.c:winbind_client_read(462)'  the number is always 462.  

If I do a 'net view \\sralhome' I get a 'system error 5 has occurred'  
I can find no evidence of this in the logs either.  It seems that I must specify /user in my net use command to see somthing in the log.  Of course, I don't really know what to look for other than the username that is requestin the service and this should be included as the logged in user, I think

I also am unable to connect to \\sralhome\test which allows guest access using the dshare account either.  

If I do a 'net view \\sralhome' from the 2003 AD box  (logged on as Administrator) it works.  The appreance of the logs is as above but dshare is replace with administrator and there are no 'read failed on sock' errors.

If I do a 'net use \\sralhome\test from the 2003 AD box (logged on as Administrator) it works.

If I do a 'net view \\sralhome\test /user:dshare' it prompts me for a password and then fails.  The logs show the use of NTLM CRAP authentication and a NT_STATUS_WRONG_PASSWORD (PAM:4).  There were no NTLM CRAP messages in the previous attemps.  

If I do a 'net view \\sralhome\test /user:dshare at LFS.MYDOMAIN.ORG it prompts me for a password and then fails.  The logs show the use of NTLM CRAP authentication and a NT_STATUS_NO_SUCH_USER.

Now if I go back to the XP machine and try to use the Administrator user instead
'net use \\sralhome\test /user:administrator'  The logs show the use of NTLM CRAP authentication and a NT_STATUS_WRONG_PASSWORD (PAM:4).  

It appears that it is trying to use two different types of authentication depending on where I try my net use command from and if the /user option is selected.  

I am sort of stumped on where to go now.  I am out of ideas on what to look for and where to check.  How could the 2003 mixed mode affect this?  My next step is probably to set up a 2003 server in native mode and see what happens.  

smb.conf
[global]
encrypt passwords = yes
workgroup = LFS
realm = LFS.MYDOMAIN.ORG
netbios name = SRALHOME
server string = Home Server
security = ads
client signing = yes
server signing = yes
client use spnego = yes
#winbind configuration
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/$U
template shell = /bin/bash
log level = 10
log file = /var/log/samba/log.smbd
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
delete user script = /usr/sbin/userdel
# wins support = No
# ldap ssl = no

[test]
comment = For testing only, please
path = /usr/local/samba/tmp
read only = No
guest ok = Yes

[dshare]
comment = Dale's test
path = /home/dshare
read only = No
guest ok = No
valid users = dshare     #dshare is a valid 2003 AD account

kbr5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = LFS.MYDOMAIN.ORG
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]

LFS.MYDOMAIN.ORG = {
kdc = AD1.LFS.MYDOMAIN.ORG
default_domain = LFS.MYDOMAIN.ORG
kpasswd_server = AD1.LFS.MYDOMAIN.ORG
admin_server = AD1.LFS.MYDOMAIN.ORG
}
[domain_realm]
.lfs.mydomain.org = LFS.MYDOMAIN.ORG
lfs.mydomain.org = LFS.MYDOMAIN.ORG

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}