[Samba] Help with ADS authentication from Windoze
Jason Brown
jason.brown at mscsoftware.com
Tue Aug 30 14:53:04 GMT 2005
Here is my situation:
I have an AIX 4.3.3 machine on which I have compiled open-ldap, kerberos5
(1.3..6), and Samba 3.0.20.
Here is my smb.conf file:
[global]
    realm = REGION.DOMAIN.COM
    security = ADS
    password server = randomdc.region.domain.com
    workgroup = REGION
    client use spnego = yes
    ;winbind separator = \

[homes]
    comment = Home Directories
    read only = no
    create mode = 0750
    browseable = no

[styx]
    comment = Styx
    path = /styx
    public = yes

[styx1]
    comment = Styx1
    path = /styx1
    public = yes
Here is my krb5.conf
[libdefaults]
    default_realm = REGION.DOMAIN.COM
    default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc

[realms]
    REGION.DOMAIN.COM = {
        kdc = randomdc.REGION.DOMAIN.COM
    }
I was able to add this machine to the Active Directory (by the way, we are
running 2003 ADS).
I am also able to get info from wbinfo -u and wbinfo -g.
Here is where it becomes a problem:
I cannot authenticate from my Windoze box to this AIX machine running
Samba.
Here is the error message in log.smbd:
[2005/08/30 07:46:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:07, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
Username REGION\jbrown is invalid on this system
However, I also see this in the log too:
[2005/08/30 05:46:35, 1] smbd/service.c:close_cnum(835)
pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:46:59, 1] smbd/service.c:make_connection_snum(662)
pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)
[2005/08/30 05:47:11, 1] smbd/service.c:close_cnum(835)
pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:47:34, 1] smbd/service.c:make_connection_snum(662)
pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)
[2005/08/30 05:47:46, 1] smbd/service.c:close_cnum(835)
pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:48:10, 1] smbd/service.c:make_connection_snum(662)
pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)
Here is some interesting stuff in log.nmbd (probably not related):
[2005/08/30 07:47:43, 0] nmbd/nmbd_namequery.c:query_name_response(101)
query_name_response: Multiple (3) responses received for a query on subnet 172.16.64.91 for name NA<1d>.
This response was from IP 172.16.65.19, reporting an IP address of 172.16.65.19.
Here is winbindd log file:
[2005/08/29 21:01:33, 1] nsswitch/winbindd.c:main(935)
winbindd version 3.0.20 started.
Copyright The Samba Team 2000-2004
[2005/08/29 21:01:33, 0] nsswitch/winbindd_util.c:winbindd_param_init(766)
winbindd: idmap uid range missing or invalid
[2005/08/29 21:01:33, 0] nsswitch/winbindd_util.c:winbindd_param_init(767)
winbindd: cannot continue, exiting.
[2005/08/29 21:01:33, 1] nsswitch/winbindd.c:main(968)
Could not init idmap -- netlogon proxy only
Any suggestions? Anyone else come across this?
Thank you.
Jason Brown
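
Added example, not part of the original post: a small Python check for the condition the winbindd log above reports ("idmap uid range missing or invalid"), run against the posted [global] section, which contains no idmap lines. The corrected variant and its 10000-20000 ranges are hypothetical placeholders, and the helper names are this example's own.

```python
import re

# Constructed sample: the [global] section from the post, abbreviated.
POSTED_GLOBAL = """\
[global]
realm = REGION.DOMAIN.COM
security = ADS
workgroup = REGION
;winbind separator = \\
"""

# Hypothetical corrected variant; the ranges are placeholders, not from the post.
WITH_IDMAP = POSTED_GLOBAL + "idmap uid = 10000-20000\nidmap gid = 10000-20000\n"

def norm(name):
    # smb.conf section and parameter names ignore case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def idmap_findings(text):
    """List the idmap range problems that stop winbindd from mapping ids."""
    params = parse_global(text)
    findings = []
    # "winbind uid" / "winbind gid" are the older synonyms in Samba 3.0.
    for name, synonym in (("idmap uid", "winbind uid"), ("idmap gid", "winbind gid")):
        value = params.get(norm(name), params.get(norm(synonym)))
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value or "")
        if value is None:
            findings.append(f"{name}: missing")
        elif not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{name}: invalid range {value!r}")
    return findings

if __name__ == "__main__":
    print("posted config:", idmap_findings(POSTED_GLOBAL))
    print("with ranges:  ", idmap_findings(WITH_IDMAP))
```

Pick ranges that do not overlap the uids and gids already assigned in the local /etc/passwd and /etc/group.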