AD4Unix & Samba-3.0.20b+winbind

Jason Gerfen jason.gerfen at scl.utah.edu
Tue Nov 29 14:53:27 GMT 2005


Scenario:  Samba-3.0.20b domain member server on SuSE 9.3 (w/ all 
available patches applied) providing kerberos authentication through a 
Windows 2000 domain with AD4Unix services installed.

Problem(s):
1. Can only view users from one OU in Active Directory (default is: 
CN=Users, problem container is: OU=authenticated)
2. According to log.winbind and log.smbd authentication fails with 
error:   check_ntlm_password:  Authentication for user [testj] -> 
[testj] FAILED with error NT_STATUS_WRONG_PASSWORD.  Is this error due 
to falling back to NTLM authentication vs. Kerberos TGT systems?

Troubleshooting performed:
1. Used 'net ads leave' to remove from domain, updated Samba+Winbind 
from 3.0.13 to 3.0.20b
2. Manually removed machine trust account from active directory
3. Manually removed cache files for Samba prior to upgrade
4. Attempted using 3.0.21rc1 release with same results
5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS member 
server which would authenticate via Kerberos without problems.
6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o 
AD4Unix setup
7. Am in the process of upgrading Win2K domain server (in test env.) to 
provide AD4Unix services to see if it breaks.

Any help or insight into this is definitely appreciated.

Here are the pertinent configuration files:

[smb.conf]
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        server string = new-odin.domain.com
        security = ADS
        update encrypted = Yes
        encrypt passwords = yes
        password server = *
        preferred master = No
        domain master = No
        idmap uid = 500-500000
        idmap gid = 500-500000
        winbind trusted domains only = yes
        winbind separator = /
        winbind cache time = 5
        winbind use default domain = Yes
        winbind nested groups = Yes
        log level = 2
        interfaces = eth*
        bind interfaces only = yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY

[images]
        comment = ODIN
        user = %S
        path = /odin/images
        inherit acls = Yes
        browseable = yes
        writeable = yes
        read only = no
        public = yes


[home]
        comment = User Home Directories
        user = %S
        path = /odin/home/%S
        inherit acls = Yes
        writeable = yes
        read only = no
        public = no
        browseable = yes

[krb5.conf]
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
UTAH.EDU = {
kdc = 192.168.0.10
default_domain = domain.com
admin_server = 192.168.0.10
}


[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM

[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
}

[nsswitch.conf]
passwd: files winbind
shadow: files winbind
group:  files winbind

hosts:  files dns winbind
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files

-- 
Jason Gerfen

"Oh I have seen a lot of what
 the world can do, and it's
 breaking my heart in two..."
 ~ Wild World, Cat Stevens
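When an ADS member server falls back to NTLM and reports NT_STATUS_WRONG_PASSWORD, one of the first things to rule out is a mismatch between the realm Samba is configured for and the realms the Kerberos library actually knows about. The script below is an added example written for this page, not something from the original post or from the Samba project: it parses a minimal smb.conf and krb5.conf (the krb5.conf parser handles one level of `name = { ... }` nesting, which is all the posted file uses) and reports any case where the smb.conf `realm` is missing from `[realms]`, disagrees with `default_realm`, or where a `[domain_realm]` mapping points at an undefined realm. The two input strings are constructed, modelled on the files in the post; the "fixed" variant only differs in the `[realms]` name.

```python
"""Realm consistency check for a Samba ADS member server (added example).

The sample configurations are constructed and modelled on the posted files;
they are not the original files. Assumption: krb5.conf nests at most one level.
"""
import re

SMB_CONF = """\
[global]
        workgroup = DOMAIN
        realm = DOMAIN.COM
        security = ADS
        password server = *
        winbind use default domain = Yes
"""

KRB5_CONF_POSTED = """\
[libdefaults]
default_realm = DOMAIN.COM
clockskew = 300

[realms]
UTAH.EDU = {
kdc = 192.168.0.10
admin_server = 192.168.0.10
}

[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
"""

# Same file with the [realms] entry renamed to match smb.conf's realm.
KRB5_CONF_FIXED = KRB5_CONF_POSTED.replace("UTAH.EDU", "DOMAIN.COM")

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_krb5_conf(text):
    """Return {section: {key: value | {nested key: value}}}; realm names keep their case."""
    sections, current, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections[current], block = {}, None
            continue
        if current is None:
            continue
        if line == "}":  # close of a nested block such as a realm definition
            block = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":  # start of a nested block
            sections[current][key] = {}
            block = sections[current][key]
        elif block is not None:
            block[key] = value
        else:
            sections[current][key] = value
    return sections


def audit(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree on the realm."""
    smb, krb5 = parse_smb_conf(smb_text), parse_krb5_conf(krb5_text)
    findings = []
    glob = smb.get("global", {})
    realm = glob.get("realm", "").upper()
    if not realm:
        return ["smb.conf: [global] has no realm; Kerberos (security = ADS) cannot work"]
    if glob.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not ADS, so Kerberos will not be used")
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    if default_realm != realm:
        findings.append(f"krb5.conf: default_realm {default_realm!r} != smb.conf realm {realm!r}")
    defined = {name.upper() for name in krb5.get("realms", {})}
    if realm not in defined:
        findings.append(f"krb5.conf: [realms] has no entry for {realm}; defined: {sorted(defined)}")
    for domain, mapped in krb5.get("domain_realm", {}).items():
        if mapped.upper() not in defined:
            findings.append(f"krb5.conf: [domain_realm] maps {domain} to {mapped}, not defined in [realms]")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", KRB5_CONF_POSTED), ("fixed", KRB5_CONF_FIXED)):
        print(f"== {label} ==")
        print("\n".join(audit(SMB_CONF, conf)) or "no findings")
```

Run against the constructed "posted" pair it reports three findings (the missing `[realms]` entry for the smb.conf realm and the two `[domain_realm]` mappings that point at it); against the "fixed" pair it reports none. This does not prove the KDC will accept the request, but it removes one whole class of silent NTLM fallback before looking further at winbind.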


