[Samba] Samba AD member and connections from non-AD systems

Markus Iturriaga Woelfel miturria at eecs.utk.edu
Sun Apr 17 17:02:07 MDT 2011


Hi - I've scoured the mailing list archives as well as other help sources online and haven't figured out what my problem is or what I'm doing wrong. Any help would be greatly appreciated.

Scenario:

I have a samba 3.5.5 server running on CentOS 5.5. This system is a member of an Active Directory domain. FYI, I am not the domain administrator, but I am an OU admin and can create machine accounts inside an OU. This system is not meant to provide winbind type services to the Unix side but simply allow sharing of Unix file systems to Windows systems while authenticating against the AD. Usernames in Linux and in the AD are translated via a username map script.

If I understand the instructions at https://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP correctly, I don't have to run winbind in this scenario, however, I've tried this with both winbind running and not running.

Connecting to services from AD member Windows systems works without any problems. I can map Unix home areas and other shares and even the username translation works fine. However, if I want to connect to the samba server from a non-AD system, e.g. from another Linux system via smbclient or from a Mac, I get a variety of errors. This leads me to believe there could be a problem with the kerberos setup on the samba server.

If I don't run winbind, the error I get is:

session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I do start winbind, the error is:

session setup failed: NT_STATUS_ACCESS_DENIED

My smb.conf file is:

workgroup = UTK
server string = Samba %v
netbios name = SAMBA
client schannel = no
wins support = yes
dns proxy = yes
name resolve order = wins lmhosts hosts bcast
local master = yes
domain master = no
preferred master = no
enhanced browsing = yes
username map script = /etc/samba/netid_to_eecs.pl
client use spnego = no
security = ads
passdb backend = tdbsam
realm = UTK.TENNESSEE.EDU
password server = *
load printers = no

My /etc/krb5.conf file looks like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UTK.TENNESSEE.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UTK.TENNESSEE.EDU = {
 kdc = a.b.c.d
 kdc = e.f.g.h

(list of AD domain controller IP addresses)

 }

[domain_realm]
 .kerberos.server = UTK.TENNESSEE.EDU
 .utk.tennessee.edu = UTK.TENNESSEE.EDU
 utk.tennessee.edu = UTK.TENNESSEE.EDU

The kinit command appears to succeed and the system appears to be properly joined to the domain:  
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: miturria at UTK.TENNESSEE.EDU

Valid starting     Expires            Service principal
04/17/11 13:29:20  04/17/11 23:29:22  krbtgt/UTK.TENNESSEE.EDU at UTK.TENNESSEE.EDU
        renew until 04/18/11 13:29:20, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

samba ~ # net ads info
LDAP server: a.b.c.d
LDAP server name: domain.controller.name
Realm: UTK.TENNESSEE.EDU
Bind Path: dc=UTK,dc=TENNESSEE,dc=EDU
LDAP port: 389
Server time: Sun, 17 Apr 2011 18:57:44 EDT
KDC server: 160.36.76.183
Server time offset: 0

I'd be happy to post any log file excerpts that would help. Many of the samba config file directives were put in because of similar-sounding problems (e.g. client schannel and spnego). Here is a small excerpt of what happens if I try this with winbind running. 

[2011/04/17 18:52:35.141821,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [UTK]\[miturria]@[KILKENNY]
[2011/04/17 18:52:35.141859,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/04/17 18:52:35.141884,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/04/17 18:52:35.141915,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/04/17 18:52:35.145914,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/17 18:52:35.145932,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [miturria] -> [miturria] FAILED with error NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146031,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146635,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/17 18:52:35.146664,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to 
[2011/04/17 18:52:35.146911,  3] smbd/server.c:902(exit_server_common)
  Server exit (failed to receive smb request)

Any help would be greatly appreciated!
---
Markus A. Iturriaga Woelfel, IT Administrator
Electrical Engineering and Computer Science
University of Tennessee
203 Claxton Complex / 1122 Volunteer Blvd.
Knoxville, TN 37996-3450
miturria at eecs.utk.edu / (865) 974-3837
http://twitter.com/UTKEECSIT
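An added example, not from the post or from the Samba project: a small Python parser for smbd debug-log excerpts of the shape shown above (a `[timestamp, level] file:line(func)` header followed by an indented message line). It pairs each header with its message, pulls out `check_ntlm_password ... FAILED with error NT_STATUS_*` results and the matching `error packet ... (SMBsesssetupX)` lines, and groups failures by status code so the two symptoms described in the post (TRUSTED_RELATIONSHIP_FAILURE without winbind, ACCESS_DENIED with it) can be counted per user across a longer log. The sample log is constructed for this example (the `alice` line is invented to show a second status code); the `HINTS` text is the example's own rule-of-thumb reading, grounded only in what the post reports.

```python
"""Group smbd authentication failures by NT_STATUS code.

Added example (not Samba's own code). Works on level 2/3 smbd log
excerpts like the one in the post; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the smbd excerpt from the post.
# The 'alice' entries are invented so that two status codes appear.
SAMPLE_LOG = r"""[2011/04/17 18:52:35.141821,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [UTK]\[miturria]@[KILKENNY]
[2011/04/17 18:52:35.145932,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [miturria] -> [miturria] FAILED with error NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146031,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
[2011/04/17 18:55:01.000100,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2011/04/17 18:55:01.000150,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

# "[YYYY/MM/DD hh:mm:ss.usec,  level] file.c:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)$"
)
FAIL_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\]"
    r" FAILED with error (?P<status>NT_STATUS_\w+)"
)
ERROR_PKT_RE = re.compile(
    r"error packet at (?P<src>\S+) cmd=(?P<cmd>\d+) \((?P<op>\w+)\) (?P<status>NT_STATUS_\w+)"
)

# Rule-of-thumb reading of the two codes seen in the thread (example's own notes).
HINTS = {
    "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE":
        "member could not complete pass-through authentication to the DC; "
        "in the thread this appears with security = ads and winbindd not running",
    "NT_STATUS_ACCESS_DENIED":
        "generic denial; the DC or the local passdb rejected the supplied credentials",
}


def parse_entries(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]), "where": m["where"], "msg": []}
            entries.append(current)
        elif current is not None and line.strip():
            current["msg"].append(line.strip())
    for e in entries:
        e["msg"] = " ".join(e["msg"])
    return entries


def auth_failures(text):
    """Return one dict per failed check_ntlm_password result (ts, user, mapped, status)."""
    out = []
    for e in parse_entries(text):
        m = FAIL_RE.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], "user": m["user"], "mapped": m["mapped"], "status": m["status"]})
    return out


def error_packets(text):
    """Return the SMB error packets smbd sent back, with the status code each carried."""
    out = []
    for e in parse_entries(text):
        m = ERROR_PKT_RE.search(e["msg"])
        if m:
            out.append({"ts": e["ts"], "op": m["op"], "cmd": int(m["cmd"]), "status": m["status"]})
    return out


def summarize(text):
    """Map each NT_STATUS code to the sorted list of users it was returned for."""
    by_status = defaultdict(list)
    for f in auth_failures(text):
        by_status[f["status"]].append(f["user"])
    return {status: sorted(users) for status, users in by_status.items()}


def hint(status):
    """Short reading of a status code, or a neutral default for codes not covered."""
    return HINTS.get(status, "no rule of thumb recorded for this code")


if __name__ == "__main__":
    for status, users in summarize(SAMPLE_LOG).items():
        print(f"{status}: {len(users)} failure(s) for {users}; {hint(status)}")
    print(f"{len(error_packets(SAMPLE_LOG))} error packet(s) returned to clients")
```

Run it over a real `log.smbd` (debug level 2 or higher, so the `check_ntlm_password` result lines are emitted) to see whether all non-AD clients land on the same status code, which is the pattern the post describes, or whether the codes differ per user, which would point at the username map rather than the domain trust.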
