Unable to authenticate with security=ADS

José Alberto Patiño Limón jalbertop at aranea.com.mx
Fri Nov 15 00:35:01 GMT 2002

On Thu, 2002-11-14 at 16:26, ZINKEVICIUS,MATT (HP-Loveland,ex1) wrote:
> > -----Original Message-----
> > From: José Alberto Patiño Limón [mailto:jalbertop at aranea.com.mx]
> > Sent: Wednesday, November 13, 2002 6:43 PM
> > To: ZINKEVICIUS,MATT " "(HP-Loveland,ex1)
> > Cc: samba-technical at lists.samba.org
> > Subject: RE: Unable to authenticate with security=ADS
> > 
> > 
> > Ok. Well I had the same problem when I was starting to setup 
> > SAMBA 3.0.
> > But I dont remember what I did to fix it.
> > 
> > I remeber that the main problem that I had was with the 
> > nss_ldap module,
> > remember that you need to have the passwd and group info available to
> > the samba daemon. I have 2 setups to get this info from 
> > Active Directory
> > and OpenLDAP. But you must be certain at least that you have 
> > a entry in
> > the /etc/passwd to get the uid data for the W2K user that you 
> > are using
> > to share the storage in Samba.
> I need a local unix account for every user that can authenticate via ADS? I
> want to use ADS for authentication, not local unix accounts. That's the
> whole point.
> The error looks like a problem in ticket handling anyway, so I don't think
> this has to do with not being able to find a local account to verify
> against. sigh... I guess I'll go read the active directory code now.
Well I think you are right. You are having problems in this section of

	if ((ret = krb5_rd_req(context, &auth_context, &packet, 
			       NULL, keytab, NULL, &tkt))) {
		DEBUG(3,("krb5_rd_req with auth failed (%s)\n", 

So the origin of the problem is in the MIT krb5_rd_req function

My smb.conf file is:

bash-2.05$ cat /usr/local/samba-3.0alpha20/lib/smb.conf 
        ads server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
        security = ads
        workgroup = CONSUMOMS

        path = %H
        writable = yes

but I didn't see any info for realm and ads server in your smb.conf
my /etc/krb5.conf is:

        default_realm = CONSUMOMS.ARANEA.COM.MX
        clockskew = 300
#       default_etypes_des = des-cbc-crc arcfour-hmac-md5
        default_etypes = des-cbc-crc
        default_etypes_des = des-cbc-crc

        default_tkt_enctypes = des-cbc-crc
        default_tgs_enctypes = des-cbc-crc


                kdc = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                kpasswd_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                admin_server = MSKDC1.CONSUMOMS.ARANEA.COM.MX
                default_domain = CONSUMOMS.ARANEA.COM.MX

        .consumoms.aranea.com.mx = CONSUMOMS.ARANEA.COM.MX

Hopes this help you!

> > Just to be sure, I assume that you /etc/krb5.conf is configured to see
> > the kerberos "realm" for Active Directory.
> Yep. My krb5.conf is attached to the original email if you want to look at
> it.
> > I think that the klist tickets command is supposed to be tested in the
> > W2K machine and noy in the unix box.
> My W2K box doesn't seem to have klist installed (At least not in my path)

You need to download the klist command from the MS Site. Search for the
free W2K Resource Kit utilities.


More information about the samba-technical mailing list