authentication issue with samba4 as a member server

Davor Vusir davor.vusir at live.se
Sun Jul 7 09:38:41 MDT 2013


Hi Jean!

Is the NetBIOS name of the Windows 2003 AD 'OPENCHANGE'? And its dns 
domain/realm name is openchange.local?

The output from your domain provision states that the NetBIOS name of the 
domain is 'SOGO', not 'OPENCHANGE' which you passed as an argument. Is this 
right?

Is the domain sid you get from the domain provision the same as the Windows 
2003 AD? Check it out with PSGetSID.exe. Here's an old goodie that might 
help you: 
https://lists.samba.org/archive/samba-ntdom/2001-November/020829.html.

Later you join the domain 'OPENCHANGE'; samba-tool tells you that it was a 
successful domain join and also shows the SID belonging to the domain 
joined. This SID differs from the domain provisioned earlier. Is this SID 
belonging to the Windows 2003 AD?

You extend the Samba4 AD Schema with OpenChange Schema and do an initial 
test which fails.
The user account test also fails. Is this an account belonging to the Samba4 
AD or Windows 2003 AD?

The netlogon log clearly says that there isn't a match between the password 
for the computer account in the Windows 2003 AD(?) and the stored password 
on server sogo.openchange.local. Does the computer account 'sogo' exist? In 
which domain?

Do smb.conf and krb5.conf correlate with the Windows 2003 AD or with the 
Samba 4 AD?
Which name server is sogo.openchange.local using? Correct me if I'm wrong 
but not stating a DNS-backend during domain provision, isn't that the same 
as '--dns-backend=SAMBA_INTERNAL'? Maybe you should use 
'--dns-backend=NONE'.

I'm actually quite surprised that it's possible to provision a domain with 
the parameter '--server-role' set to 'MEMBER'. A member server cannot act as 
a domain controller and yet you are able to provision a domain. Both 
Jonathan Buzzard (mail from 20130701) and Ricky Nance (mail from 20130702) 
explain the differences very well.

As I see it you have successfully provisioned a Samba4 AD, added OpenChange 
Schema and joined a domain called 'OPENCHANGE'. Which one? The server 
sogo.openchange.local is a member server that has a copy of an OpenChange 
extended Samba4 AD but only shares netlogon and sysvol. But does not act as 
a domain controller. Or you do actually have got two (2) Active Directories, 
the defunct(?) Samba 4 AD and the Windows 2003 AD, with the same NetBIOS 
and realm name.

I don't think that you ever will get this configuration to work. The 
original AD (Windows 2003 AD) has to be extended with the OpenChange Schema 
and the Samba AD DS has to be joined to the domain as an additional domain 
controller (or vice versa). But it is quite an interesting setup, though. It 
resembles the concept of resource domains. If OpenChange permits, I think 
you should explore that; one or more domains with user accounts with a trust 
to the (resource) OpenChange-domain.

Regards
Davor
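The checks suggested above (does the provisioned NetBIOS name match the joined domain, do the two domain SIDs agree, which account does the DC reject) can be mechanised. The script below is an added example, not code from this thread or from Samba; its inputs are constructed excerpts in the shape of the samba-tool provision summary, the join result line and the Windows netlogon.log lines quoted in the thread.

```python
import re

# Constructed samples modelled on the output quoted in the thread.
PROVISION_OUT = """\
Server Role:           member server
Hostname:              sogo
NetBIOS Domain:        SOGO
DNS Domain:            openchange.local
DOMAIN SID:            S-1-5-21-2786861960-3008803771-58985728
"""
JOIN_OUT = "Joined domain OPENCHANGE (S-1-5-21-922290279-342772473-2598553093)\n"
NETLOGON_LOG = """\
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO on account SOGO$ (Negot: 610fffff)
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for SOGO on account SOGO$
06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
"""

def parse_provision(text):
    """Key/value summary block that samba-tool prints at the end of a provision."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z ]+):\s+(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def parse_join(text):
    """NetBIOS name and SID of the domain reported by 'samba-tool domain join'."""
    m = re.search(r"Joined domain (\S+) \((S-1-5-21-[\d-]+)\)", text)
    return {"NetBIOS Domain": m.group(1), "DOMAIN SID": m.group(2)} if m else {}

def netlogon_bad_password_accounts(text):
    """Accounts the DC rejected with 'Bad password' during NetrServerAuthenticate."""
    return sorted({m.group(1) for m in
                   re.finditer(r"Bad password \d+ for \S+ on account (\S+)", text)})

def check_join_consistency(provision_text, join_text, netlogon_text):
    """Return a list of findings; an empty list means the three sources agree."""
    prov, join = parse_provision(provision_text), parse_join(join_text)
    findings = []
    if prov.get("NetBIOS Domain") != join.get("NetBIOS Domain"):
        findings.append("netbios-mismatch: provisioned %r, joined %r"
                        % (prov.get("NetBIOS Domain"), join.get("NetBIOS Domain")))
    if prov.get("DOMAIN SID") != join.get("DOMAIN SID"):
        findings.append("sid-mismatch: local provision and joined domain are different domains")
    for acct in netlogon_bad_password_accounts(netlogon_text):
        findings.append("trust-secret-mismatch: DC rejected account " + acct)
    return findings
```

On the thread's own values this reports all three findings, which is the situation the reply describes: two different domains plus a machine account secret the DC does not accept.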

--------------------------------------------------
From: "Jean Raby" <jraby at inverse.ca>
Sent: Friday, June 28, 2013 11:41 PM
To: <samba-technical at lists.samba.org>
Subject: authentication issue with samba4 as a member server

> Hi all,
>
> Once again, I'm trying to join samba4 to a w2k3 domain as a member server 
> and I'm having authentication issues. Basically, after the machine is 
> joined to the domain, wbinfo -a username and wbinfo -t both fail (See 
> below for output).
>
> I know winbind4 is not exactly finished, but should these commands work, or 
> am I trying to do something that's not implemented yet? I'm testing with 
> samba 4.0.6 built from source on ubuntu 12.04. The DC is running windows 
> 2003 x64 sp2.
>
> Here's a transcript of the commands I do to test this:
>
> # remove smb.conf and erase private/*
> # samba-tool domain 
> provision --server-role=member  --domain=OPENCHANGE --realm=OPENCHANGE.LOCAL 
>  --machinepass='OpenChange1$'
>
> Administrator password will be set randomly!
> Looking up IPv4 addresses
> More than one IPv4 address found. Using 192.168.56.4
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=SOGO
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at 
> /usr/local/samba/private/krb5.conf
> Once the above files are installed, your Samba4 server will be ready to 
> use
> Admin password:        kKzpZXB+FY8]K#
> Server Role:           member server
> Hostname:              sogo
> NetBIOS Domain:        SOGO
> DNS Domain:            openchange.local
> DOMAIN SID:            S-1-5-21-2786861960-3008803771-58985728
>
> # cat >>/usr/local/samba/etc/smb.conf <<EOF
>   ### Configuration required by OpenChange server ###
>   dcerpc endpoint servers = +epmapper, +mapiproxy
>   dcerpc_mapiproxy:server = true
>   dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, 
> exchange_ds_rfr
>   ### Configuration required by OpenChange server ###
> EOF
>
> # samba-tool domain join OPENCHANGE 
>  MEMBER  -UOPENCHANGE\\administrator --realm=OPENCHANGE.LOCAL --machinepass='OpenChange1$'
> Password for [OPENCHANGE\administrator]:
> Joined domain OPENCHANGE (S-1-5-21-922290279-342772473-2598553093)
>
> # openchange_provision --openchangedb
> # samba -d5 -Msingle -i
> # wbinfo -t
> checking the trust secret for domain OPENCHANGE via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
>
> # wbinfo -a sogo1
> Enter sogo1's password:
> plaintext password authentication failed
> Could not authenticate user sogo1 with plaintext password
> Enter sogo1's password:
> challenge/response password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error message was: Access denied
> Could not authenticate user sogo1 with challenge/response
>
> On the DC, I see this in the netlogon logs:
> 06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO 
> on account SOGO$ (Negot: 610fffff)
> 06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 
> 0 for SOGO on account SOGO$
> 06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Failed to 
> authenticate SOGO on account SOGO$
> 06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO 
> on account SOGO$ (Negot: 600fffff)
> 06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 
> 0 for SOGO on account SOGO$
> 06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate returns 
> Success: SOGO on account SOGO$ (Negot: 600fffff)
> 06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\SOGO$ from SOGO (via SOGO) Entered
> 06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
> 06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\sogo1 from SOGO (via SOGO) Entered
> 06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\sogo1 from SOGO (via SOGO) Returns 0xC0000022
> 06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\sogo1 from  (via SOGO) Entered
> 06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of 
> OPENCHANGE\sogo1 from  (via SOGO) Returns 0xC0000022
>
>
> I'd really appreciate it if someone could confirm that these should work 
> (or not).
> Also, for more background on this, see this thread: 
> http://marc.info/?l=samba-technical&m=134633869726341&w=2
>
> Thanks.
>
> -- 
> Jean
> 
