Unable to authenticate with security=ADS

José Alberto Patiño Limón jalbertop at aranea.com.mx
Fri Nov 15 00:35:01 GMT 2002


On Thu, 2002-11-14 at 16:26, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> > -----Original Message-----
> > From: José Alberto Patiño Limón [mailto:jalbertop at aranea.com.mx]
> > Sent: Wednesday, November 13, 2002 6:43 PM
> > To: ZINKEVICIUS,MATT " "(HP-Loveland,ex1)
> > Cc: samba-technical at lists.samba.org
> > Subject: RE: Unable to authenticate with security=ADS
> > 
> > 
> > Ok. Well I had the same problem when I was starting to set up 
> > SAMBA 3.0.
> > But I don't remember what I did to fix it.
> > 
> > I remember that the main problem that I had was with the 
> > nss_ldap module,
> > remember that you need to have the passwd and group info available to
> > the samba daemon. I have 2 setups to get this info from 
> > Active Directory
> > and OpenLDAP. But you must be certain at least that you have 
> > an entry in
> > the /etc/passwd to get the uid data for the W2K user that you 
> > are using
> > to share the storage in Samba.
> 
> I need a local unix account for every user that can authenticate via ADS? I
> want to use ADS for authentication, not local unix accounts. That's the
> whole point.
> 
> The error looks like a problem in ticket handling anyway, so I don't think
> this has to do with not being able to find a local account to verify
> against. sigh... I guess I'll go read the active directory code now.
> 
Well I think you are right. You are having problems in this section of
code:

	/* krb5_rd_req() verifies the client's Kerberos AP-REQ against the
	 * service key in the keytab; if it fails for any reason (bad keytab
	 * entry or kvno, clock skew, enctype mismatch), the session setup
	 * is rejected as a logon failure. */
	if ((ret = krb5_rd_req(context, &auth_context, &packet,
			       NULL, keytab, NULL, &tkt))) {
		DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
			 error_message(ret)));
		return NT_STATUS_LOGON_FAILURE;
	}

So the origin of the problem is in the MIT krb5_rd_req function
call.

My smb.conf file is:

bash-2.05$ cat /usr/local/samba-3.0alpha20/lib/smb.conf 
[global]
        realm = CONSUMOMS.ARANEA.COM.MX
        ads server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
        security = ads
        workgroup = CONSUMOMS

[personal]
        path = %H
        writable = yes

but I didn't see any info for realm and ads server in your smb.conf

my /etc/krb5.conf is:

[libdefaults]
        default_realm = CONSUMOMS.ARANEA.COM.MX
        egd_socket=/dev/egd-pool
        clockskew = 300
#       default_etypes_des = des-cbc-crc arcfour-hmac-md5
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc

        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc

[realms]

        CONSUMOMS.ARANEA.COM.MX = {
                kdc = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                kpasswd_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                admin_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                default_domain = CONSUMOMS.ARANEA.COM.MX
        }

[domain_realm]
        .consumoms.aranea.com.mx = CONSUMOMS.ARANEA.COM.MX
        .CONSUMOMS.ARANEA.COM.MX = CONSUMOMS.ARANEA.COM.MX


Hope this helps you!

> > Just to be sure, I assume that you /etc/krb5.conf is configured to see
> > the kerberos "realm" for Active Directory.
> 
> Yep. My krb5.conf is attached to the original email if you want to look at
> it.
> 
> > I think that the klist tickets command is supposed to be tested in the
> > W2K machine and not in the unix box.
> 
> My W2K box doesn't seem to have klist installed (At least not in my path)

You need to download the klist command from the MS Site. Search for the
free W2K Resource Kit utilities.

Alberto
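
As an added example (not code from this message or from Samba), a small Python check that the smb.conf [global] settings for security=ads agree with krb5.conf: the realm is upper-case and equals default_realm, the ads server is the kdc listed for that realm, and [domain_realm] maps the domain to it. The two configs embedded below are trimmed from this message; the parser is an assumption that handles only the layout shown here, not full smb.conf/krb5.conf syntax.

```python
# Configs trimmed from the message above; they are the sample input here.
SMB_CONF = """[global]
        realm = CONSUMOMS.ARANEA.COM.MX
        ads server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
        security = ads
"""
KRB5_CONF = """[libdefaults]
        default_realm = CONSUMOMS.ARANEA.COM.MX
[realms]
        CONSUMOMS.ARANEA.COM.MX = {
                kdc = MSKDC1.CONSUMOMS.ARANEA.COM.MX
        }
[domain_realm]
        .consumoms.aranea.com.mx = CONSUMOMS.ARANEA.COM.MX
"""

def parse_conf(text):
    """smb.conf/krb5.conf text -> {section: {key: value}}; 'X = {..}' nests under X."""
    conf, section, block = {}, None, None
    lines = [raw.split("#", 1)[0].strip() for raw in text.splitlines()]
    for line in filter(None, lines):                  # skip blanks/comments
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line.endswith("{"):                      # start of a realm block
            block = section[line[:-1].rstrip(" =")] = {}
        elif line == "}":
            block = None
        else:
            key, _, val = line.partition("=")
            (section if block is None else block)[key.strip().lower()] = val.strip()
    return conf

def check_ads(smb_text, krb5_text):
    """Return mismatches between the two files; an empty list means they agree."""
    smb = parse_conf(smb_text).get("global", {})
    krb = parse_conf(krb5_text)
    realm, ads = smb.get("realm", ""), smb.get("ads server", "")
    findings = []
    if not realm or realm != realm.upper():
        findings.append("smb.conf: realm missing or not upper-case")
    if realm != krb.get("libdefaults", {}).get("default_realm"):
        findings.append("krb5.conf: default_realm differs from smb.conf realm")
    kdc = krb.get("realms", {}).get(realm, {}).get("kdc", "")
    if not kdc:
        findings.append("krb5.conf: [realms] has no kdc for the smb.conf realm")
    elif ads.upper() != kdc.upper():
        findings.append("smb.conf: ads server is not the kdc in krb5.conf")
    if krb.get("domain_realm", {}).get("." + realm.lower()) != realm:
        findings.append("krb5.conf: [domain_realm] does not map the domain to the realm")
    return findings
```

Run check_ads(SMB_CONF, KRB5_CONF) against your own two files before chasing the krb5_rd_req error; a non-empty list points at a config mismatch rather than at ticket handling.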