[Samba] Windows 2003 Active Directory - Cannot access Samba shares

James Gardiner james at groovytrain.com
Fri Feb 25 12:38:59 GMT 2005


Hello,

I've spent the last couple of days following the HOW-TO's on how to make a
Linux server running Samba part of a Windows 2003 Active Directory, and a
lot of supplemental research from these groups and elsewhere, but now I'm
totally stuck and I can't seem to find the answer anywhere.

Basically, most of the configuration seems to be working:

- The Linux box is showing up in "Active Directory Users and Computers".

- "getent group" and "getent passwd" also show the Active Directory groups
and users.

- "kinit" appears to run OK, it asks for the password of the specified user
and then finishes with no further messages or errors displayed.

- "klist" shows the following:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: <username removed>@OFFICE.GROOVYTRAIN.COM

    Valid starting     Expires            Service principal
    02/22/05 20:21:42  02/23/05 06:21:27  krbtgt/OFFICE.GROOVYTRAIN.COM@OFFICE.GROOVYTRAIN.COM

- "net ads join" runs successfully:
  
    [2005/02/23 11:43:54, 0] libads/ldap.c:ads_add_machine_acct(1405)
    ads_add_machine_acct: Host account for eastlondon already exists - modifying old account
    Using short domain name -- OFFICE
    Joined 'EASTLONDON' to realm 'OFFICE.GROOVYTRAIN.COM'

- "wbinfo -g" returns the list of Active Directory groups.

- "wbinfo -u" returns the list of Active Directory users.

- I can use "smbclient -k" to connect to shares on the Windows machines
without requiring a username and password.

However, I can't access the Samba shares from the Windows machines (both
Windows 2000 and Windows 2003).

Using "c:\>net use W: \\eastlondon\www" produces the following output:

  The password or user name is invalid for \\eastlondon\www.

  Enter the user name for 'eastlondon': jamesg@office.groovytrain.com
  Enter the password for eastlondon:
  System error 1326 has occurred.

  Logon failure: unknown user name or bad password.

And creates the following entries in "log.smbd":

  [2005/02/23 11:50:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
    Username OFFICE+<username removed> is invalid on this system

And in "log.winbindd":

  [2005/02/23 12:00:32, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
    user '<username removed>' does not exist

Using "c:\>net use W: \\<ip address removed>\www" produces the following
output:

  Enter the user name for '<ip address removed>': jamesg
  Enter the password for <ip address removed>:
  System error 1311 has occurred.

  There are currently no logon servers available to service the logon request.

It creates nothing in "log.smbd", but creates the following entries in
"log.winbindd":

  [2005/02/23 12:12:00, 0] libsmb/smb_signing.c:signing_good(240)
    signing_good: BAD SIG: seq 1
  [2005/02/23 12:12:00, 0] libsmb/clientgen.c:cli_receive_smb(121)
    SMB Signature verification failed on incoming packet!

The following error is generated in the System Log on the Active Directory
controller:

  While processing a TGS request for the target server
  host/eastlondon.groovytrain.com, the account
  EASTLONDON$@OFFICE.GROOVYTRAIN.COM did not have a suitable key for
  generating a Kerberos ticket (the missing key has an ID of 8). The
  requested etypes were 16.  The accounts available etypes were 3 1.

I'm using Samba 3.0.11 and MIT Kerberos 1.2.7 on Redhat 9.

My krb5.conf is as follows:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = OFFICE.GROOVYTRAIN.COM
   dns_lookup_realm = false
   dns_lookup_kdc = false
   default_tkt_enctypes = DES-CBC-MD5
   default_tgs_enctypes = DES-CBC-MD5

  [realms]
   OFFICE.GROOVYTRAIN.COM = {
    kdc = circle.office.groovytrain.com
    admin_server = circle.office.groovytrain.com
    default_domain = office.groovytrain.com
   }

  [domain_realm]
   .office.groovytrain.com = OFFICE.GROOVYTRAIN.COM
   office.groovytrain.com = OFFICE.GROOVYTRAIN.COM

  [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

  [appdefaults]
   pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

My smb.conf is as follows:

  [global]
  workgroup = OFFICE
  netbios name = EASTLONDON
  realm = OFFICE.GROOVYTRAIN.COM
  security = ADS
  password server = circle

  winbind separator = +
  winbind cache time = 10
  template shell = /bin/bash
  template homedir = /home/%D/%U
  idmap uid = 10000-20000
  idmap gid = 10000-20000

  client use spnego = yes

  [www]
  path = /usr/local/www
  comment = Web content
  valid users = "OFFICE\Domain Users"

If anyone can shed any light on what might be the problem, I'd be most
grateful. If you'd require any further information about my setup, please
let me know.

Many thanks,

James
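The domain controller event quoted above names Kerberos encryption types only by their IANA numbers ("requested etypes were 16", "available etypes were 3 1"). The script below is an added example, not code from the thread, that parses that event text, maps the numbers to enctype names, reports which requested types the account has no key for, and flags single-DES and RC4 keys as weak. The sample event is the one from the post; the enctype table is the standard RFC 3961 / IANA registry subset and the negative-number handling covers the private-range values that newer Windows versions list in the same event.

```python
"""Decode a Windows KDC "did not have a suitable key" event into enctype names."""
import re

# Standard Kerberos enctype numbers (RFC 3961 / IANA registry, subset).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single-DES and RC4 are deprecated; a defender wants them surfaced.
WEAK_ENCTYPES = {1, 2, 3, 23}

# Sample input: the System Log entry quoted in the post, reproduced as a string.
SAMPLE_EVENT = """While processing a TGS request for the target server
host/eastlondon.groovytrain.com, the account
EASTLONDON$@OFFICE.GROOVYTRAIN.COM did not have a suitable key for
generating a Kerberos ticket (the missing key has an ID of 8). The
requested etypes were 16.  The accounts available etypes were 3 1."""


def enctype_name(num):
    """Map an enctype number to its registry name, or a placeholder for unknown/private values."""
    return ENCTYPE_NAMES.get(num, "unknown(%d)" % num)


def parse_event(text):
    """Extract account, requested etypes and available etypes from the event text."""
    flat = " ".join(text.split())  # undo line wrapping from the log viewer / mail client
    m_req = re.search(r"requested etypes were\s+([-\d ]+?)\.", flat)
    m_avail = re.search(r"available etypes were\s+([-\d ]+?)\.", flat)
    if not (m_req and m_avail):
        raise ValueError("text is not a 'no suitable key' KDC event")
    m_acct = re.search(r"the account (\S+) did not have", flat)
    return {
        "account": m_acct.group(1) if m_acct else None,
        "requested": [int(x) for x in m_req.group(1).split()],
        "available": [int(x) for x in m_avail.group(1).split()],
    }


def diagnose(event):
    """Report the mismatch: which requested etypes lack a key, and which stored keys are weak."""
    available = set(event["available"])
    missing = [e for e in event["requested"] if e not in available]
    weak = [e for e in event["available"] if e in WEAK_ENCTYPES]
    return {
        "account": event["account"],
        "requested": [enctype_name(e) for e in event["requested"]],
        "available": [enctype_name(e) for e in event["available"]],
        "missing": [enctype_name(e) for e in missing],
        "weak_available": [enctype_name(e) for e in weak],
        # Tickets can only be issued if at least one requested etype has a stored key.
        "can_issue_ticket": len(missing) < len(event["requested"]),
    }


def report(text):
    """Human-readable summary for an event; returns the lines so callers can log them."""
    d = diagnose(parse_event(text))
    lines = [
        "account: %s" % d["account"],
        "requested: %s" % ", ".join(d["requested"]),
        "keys on account: %s" % ", ".join(d["available"]),
        "no key for: %s" % (", ".join(d["missing"]) or "none"),
        "weak keys on account: %s" % (", ".join(d["weak_available"]) or "none"),
        "ticket issuable: %s" % ("yes" if d["can_issue_ticket"] else "no"),
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENT)))
```

Running the script on the quoted event shows the client asked for des3-cbc-sha1 while the machine account only holds des-cbc-md5 and des-cbc-crc keys, so the KDC cannot issue the service ticket and both stored keys are of deprecated single-DES types.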

