[Samba] Unable to get Samba-3.6.12 to authenticate using ADS

Rowland Penny rpenny at f2s.com
Sat May 25 02:24:47 MDT 2013


Hi, you probably haven't set up NSS etc. so that your fileserver knows about
your AD users.

Have a read here:
https://wiki.samba.org/index.php/Samba_%26_Active_Directory

Then once you have understood what needs to be done, go here:
http://linuxcostablanca.blogspot.co.uk/2013/04/sssd-in-samba-40.html

The above is about using sssd instead of winbind; sssd is a lot easier to
use than winbind.

There is also a page (on the sssd website) about using sssd against Windows
2008 Server (AD):
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

Rowland


On 24 May 2013 22:12, Lee Allen <lee at leecallen.com> wrote:

> I have a Samba-4 system running as an Active Directory server.  It's
> working great: computers are joined to it, users are logged in, etc.  Good
> job Samba developers, and thank you!
>
> But of course I am not satisfied.  Now I want to configure another server
> (well, a VM) as a file server using Samba-3.6.12.  I want it to refer to
> the Samba4 server for all user authentication.  My understanding of the
> documentation is that I set "server = ads" and join the samba3 system to my
> domain.  I do not need to create any users/accounts on the Samba3
> (fileserver) system.
>
> Am I right so far?
>
> But, it's not working -- it is not authenticating requests using the AD
> server.  There are error messages coming out of Samba that I don't
> understand (no surprise there).
>
> I have read the relevant documentation, including the Domain Membership
> section, and I have followed the instructions here:
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member
>
> Here are the details.
>
> AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
> Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
> A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to the
> domain, user "allenlan\lallen" is logged in to it, and I attempt to map a
> share on the Samba-3.6.12 system using:
> # net use L: \\192.168.0.17\Lee
> This prompts for a username (it should not); I enter "allenlan\lallen" (or
> "allenlan.net\lallen"), it prompts for a password, and I enter that.  The
> authentication fails - the log file is below.
>
> # cat /opt/local/etc/samba/smb.conf
> [global]
>    workgroup = ALLENLAN
>    server string = Samba %v (%h)
>    realm = allenlan.net
>    security = ads
>    password server = 192.168.0.13
>    load printers = no
>    guest account = guest
>
>    (omitting the shares)
>
> # kinit administrator@ALLENLAN.NET
> # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: administrator@ALLENLAN.NET
>
>   Issued                Expires               Principal
> May 24 19:44:08 2013  May 25 05:44:08 2013  krbtgt/ALLENLAN.NET@ALLENLAN.NET
>
> # net ads join -U Administrator%password
>
> # net ads testjoin
> Join is OK
>
> # net ads info
> LDAP server: 192.168.0.13
> LDAP server name: samba-ad.allenlan.net
> Realm: ALLENLAN.NET
> Bind Path: dc=ALLENLAN,dc=NET
> LDAP port: 389
> Server time: Fri, 24 May 2013 19:44:36 UTC
> KDC server: 192.168.0.13
> Server time offset: 0
>
> # /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
> Maximum core file size limits now -3(soft) -3(hard)
> smbd version 3.6.12 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2011
> uid=0 gid=0 euid=0 egid=0
> lp_load_ex: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/opt/local/etc/samba/smb.conf"
> Processing section "[global]"
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> lp_load_ex: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/opt/local/etc/samba/smb.conf"
> Processing section "[global]"
> Processing section "[Lee]"
> adding IPC service
> added interface net0 ip=192.168.0.17 bcast=192.168.0.255 netmask=255.255.255.0
> loaded services
> Initialise the svcctl registry keys if needed.
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Initialise the eventlog registry keys if needed.
> Closed policy
> get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
> Successfully contacted LDAP server 192.168.0.13
> get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
> get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
> Successfully contacted LDAP server 192.168.0.13
> Connected to LDAP server samba-ad.allenlan.net
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration Sat, 25 May 2013 05:46:13 UTC
> reloading printcap cache
> No Printers found!!!
> reload status: error
> waiting for connections
> Allowed connection from 192.168.0.93 (192.168.0.93)
> init_oplocks: initializing messages.
> Transaction 0 of length 159 (0 toread)
> switch message SMBnegprot (pid 85924) conn 0x0
> Requested protocol [PC NETWORK PROGRAM 1.0]
> Requested protocol [LANMAN1.0]
> Requested protocol [Windows for Workgroups 3.1a]
> Requested protocol [LM1.2X002]
> Requested protocol [LANMAN2.1]
> Requested protocol [NT LM 0.12]
> Requested protocol [SMB 2.002]
> Requested protocol [SMB 2.???]
> using SPNEGO
> Selected protocol NT LM 0.12
> Transaction 1 of length 1622 (0 toread)
> switch message SMBsesssetupX (pid 85924) conn 0x0
> wct=12 flg2=0xc807
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> Doing spnego session setup
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> reply_spnego_negotiate: Got secblob of size 1476
> libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
> libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
> Found account name from PAC: lallen []
> Kerberos ticket principal name is [lallen@ALLENLAN.NET]
> Username ALLENLAN\lallen is invalid on this system
> error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> Transaction 2 of length 1508 (0 toread)
> switch message SMBsesssetupX (pid 85924) conn 0x0
> wct=12 flg2=0xc807
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> Doing spnego session setup
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> reply_spnego_negotiate: Got secblob of size 1362
> libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
> libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
> Found account name from PAC: lallen []
> Kerberos ticket principal name is [lallen@ALLENLAN.NET]
> Username ALLENLAN\lallen is invalid on this system
> error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> receive_smb_raw_talloc failed for client 192.168.0.93 read error = NT_STATUS_CONNECTION_RESET.
> Server exit (failed to receive smb request)
>
>
> This has had me stumped for several days.  Thank you for any & all help.
>
> Lee Allen
>
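An added triage script for the situation in this thread (my own example, not code from the Samba project or from either poster). Rowland's diagnosis is that the fileserver verifies the ticket but has no Unix identity for the AD user; the log confirms it, since a PAC is read for lallen and only then does smbd report "Username ALLENLAN\lallen is invalid on this system". The script classifies an smbd -d3 log into "kerberos" versus "nss-mapping" failures, checks the posted [global] section for the idmap settings winbind needs, and checks an nsswitch.conf for a winbind or sss provider. The function names, the idmap range, the extra winbind/template lines and the nsswitch samples are my assumptions for illustration.

```python
"""Triage helper for a Samba 3.x AD member server that accepts the Kerberos
ticket but rejects the user. Example code, not from the thread or Samba."""
import re

# --- 1. Classify the smbd -d3 failure -------------------------------------
# Constructed excerpt based on the log in the thread (mail-wrapped lines joined).
SAMPLE_LOG = """\
reply_spnego_negotiate: Got secblob of size 1476
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen@ALLENLAN.NET]
Username ALLENLAN\\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

PAC_RE = re.compile(r"Found account name from PAC: (\S+)")
INVALID_RE = re.compile(r"Username (\S+) is invalid on this system")
DECRYPT_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt")


def classify_smbd_log(text):
    """Return (stage, detail) describing where a session setup failed.

    "nss-mapping": a PAC was read, so the ticket verified, but smbd could not
                   turn DOMAIN\\user into a Unix account (winbind/NSS problem).
    "kerberos":    no PAC was read and every tried enctype failed to decrypt
                   (keytab/machine-password or clock problem).
    "ok":          no failure markers found.
    """
    pac_users = PAC_RE.findall(text)
    rejected = INVALID_RE.findall(text)
    tried = sorted({int(e) for e in DECRYPT_RE.findall(text)})
    if pac_users and rejected:
        return "nss-mapping", {"pac_user": pac_users[-1],
                               "rejected": rejected[-1],
                               "tried_enctypes": tried}
    if tried and not pac_users:
        return "kerberos", {"tried_enctypes": tried}
    return "ok", {}


# --- 2. Check the member server's smb.conf -------------------------------
# Lee's [global] section as posted; shares omitted as in the thread.
POSTED_SMBCONF = """\
[global]
   workgroup = ALLENLAN
   server string = Samba %v (%h)
   realm = allenlan.net
   security = ads
   password server = 192.168.0.13
   load printers = no
   guest account = guest
"""

# Same config plus the idmap settings winbind needs to hand AD users to NSS.
# The range and the last two lines are assumed values chosen for illustration.
CORRECTED_SMBCONF = POSTED_SMBCONF + """\
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   winbind use default domain = yes
   template shell = /bin/sh
"""


def parse_smbconf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys are lower-cased,
    inner whitespace collapsed, and the idmap colon normalised to ' : '."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", " : ", " ".join(key.split()).lower())
            sections[current][key] = value.strip()
    return sections


def check_member_config(text):
    """List the settings that stop an AD member server from mapping users."""
    g = parse_smbconf(text).get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("security must be 'ads'")
    for key in ("workgroup", "realm",
                "idmap config * : backend", "idmap config * : range"):
        if key not in g:
            problems.append(f"missing '{key}'")
    return problems


# --- 3. Check that NSS consults winbind (or sssd) -------------------------
POSTED_NSSWITCH = "passwd: files\ngroup:  files\nhosts:  files dns\n"        # constructed
CORRECTED_NSSWITCH = "passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n"


def check_nsswitch(text, providers=("winbind", "sss")):
    """Return the passwd/group databases that name no AD provider."""
    missing = []
    for db in ("passwd", "group"):
        entry = next((l for l in text.splitlines()
                      if l.strip().startswith(db + ":")), "")
        sources = entry.split(":", 1)[1].split() if ":" in entry else []
        if not any(p in sources for p in providers):
            missing.append(db)
    return missing


if __name__ == "__main__":
    print("failure stage:", *classify_smbd_log(SAMPLE_LOG))
    print("smb.conf as posted:", check_member_config(POSTED_SMBCONF))
    print("smb.conf corrected:", check_member_config(CORRECTED_SMBCONF))
    print("nsswitch as posted:", check_nsswitch(POSTED_NSSWITCH))
```

Two points the classification relies on: the "enc type [18]/[17] failed to decrypt" lines in the posted log come before a successfully read PAC, so decryption succeeded with a later key and those lines alone are not the fault; they only point at Kerberos when no PAC follows them. Once winbindd is running with the idmap settings and nsswitch.conf lists winbind, `getent passwd 'ALLENLAN\lallen'` and `wbinfo -i 'ALLENLAN\lallen'` should return a Unix identity, and the session setup should stop failing at the mapping stage.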

