authentication issue with samba4 as a member server

Jean Raby jraby at inverse.ca
Fri Jun 28 15:41:55 MDT 2013


Hi all,

Once again, I'm trying to join samba4 to a w2k3 domain as a member server and 
I'm having authentication issues. Basically, after the machine is joined to the 
domain, wbinfo -a username and wbinfo -t both fail (see below for output).

I know winbind4 is not exactly finished, but should these commands work, or am I 
trying to do something that's not implemented yet? I'm testing with samba 4.0.6 
built from source on ubuntu 12.04. The DC is running windows 2003 x64 sp2.

Here's a transcript of the commands I do to test this:

# remove smb.conf and erase private/*
# samba-tool domain provision --server-role=member --domain=OPENCHANGE --realm=OPENCHANGE.LOCAL --machinepass='OpenChange1$'

Administrator password will be set randomly!
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.56.4
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=SOGO
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Admin password:        kKzpZXB+FY8]K#
Server Role:           member server
Hostname:              sogo
NetBIOS Domain:        SOGO
DNS Domain:            openchange.local
DOMAIN SID:            S-1-5-21-2786861960-3008803771-58985728

# cat >>/usr/local/samba/etc/smb.conf <<EOF
   ### Configuration required by OpenChange server ###
   dcerpc endpoint servers = +epmapper, +mapiproxy
   dcerpc_mapiproxy:server = true
   dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
   ### Configuration required by OpenChange server ###
EOF

# samba-tool domain join OPENCHANGE MEMBER -UOPENCHANGE\\administrator --realm=OPENCHANGE.LOCAL --machinepass='OpenChange1$'
Password for [OPENCHANGE\administrator]:
Joined domain OPENCHANGE (S-1-5-21-922290279-342772473-2598553093)

# openchange_provision --openchangedb
# samba -d5 -Msingle -i
# wbinfo -t
checking the trust secret for domain OPENCHANGE via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret

# wbinfo -a sogo1
Enter sogo1's password:
plaintext password authentication failed
Could not authenticate user sogo1 with plaintext password
Enter sogo1's password:
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
Could not authenticate user sogo1 with challenge/response

On the DC, I see this in the netlogon logs:
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO on account SOGO$ (Negot: 610fffff)
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for SOGO on account SOGO$
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Failed to authenticate SOGO on account SOGO$
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO on account SOGO$ (Negot: 600fffff)
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for SOGO on account SOGO$
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate returns Success: SOGO on account SOGO$ (Negot: 600fffff)
06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\SOGO$ from SOGO (via SOGO) Entered
06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\SOGO$ from SOGO (via SOGO) Returns 0xC0000022
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1 from SOGO (via SOGO) Entered
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1 from SOGO (via SOGO) Returns 0xC0000022
06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1 from  (via SOGO) Entered
06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1 from  (via SOGO) Returns 0xC0000022


I'd really appreciate it if someone could confirm that these should work (or not).
Also, for more background on this, see this thread: 
http://marc.info/?l=samba-technical&m=134633869726341&w=2

Thanks.

-- 
Jean
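
An added example, not part of the original post: a short Python script that rejoins wrapped netlogon.log entries like those quoted above and lists the accounts whose SamLogon was refused with 0xC0000022 even though the relaying machine's secure channel did authenticate. The sample log is constructed with placeholder names, and pairing the "via" computer with an account named computer$ is an assumption taken from the SOGO / SOGO$ pairing in the quoted log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the netlogon.log layout quoted in the post, wrapped
# the way the mail wrapped it. All names are placeholders.
SAMPLE = r"""
06/28 17:29:41 [SESSION] EXAMPLE: NetrServerAuthenticate entered: HOST1 on
account HOST1$ (Negot: 610fffff)
06/28 17:29:41 [CRITICAL] EXAMPLE: NetrServerAuthenticate: Bad password 0 for
HOST1 on account HOST1$
06/28 17:29:41 [SESSION] EXAMPLE: NetrServerAuthenticate returns Success:
HOST1 on account HOST1$ (Negot: 600fffff)
06/28 17:29:41 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\HOST1$
from HOST1 (via HOST1) Returns 0xC0000022
06/28 17:30:21 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user1
from HOST1 (via HOST1) Returns 0x0
06/28 17:30:22 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\user2
from  (via HOST1) Returns 0xC0000022
"""

ENTRY_START = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d \[")
AUTH = re.compile(r"NetrServerAuthenticate(?:: (Bad password)| returns (Success)).* on account (\S+)")
LOGON = re.compile(r"SamLogon: \w+ logon of (\S+) from (\S*) ?\(via (\S+)\) Returns (0x[0-9A-Fa-f]+)")
ACCESS_DENIED = 0xC0000022  # NT_STATUS_ACCESS_DENIED

def entries(text):
    out = []  # one string per log entry, continuation lines rejoined
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if ENTRY_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def summarize(text):
    """Count secure-channel outcomes per account and SamLogon codes per (user, via)."""
    chan, logons = defaultdict(Counter), defaultdict(Counter)
    for e in entries(text):
        if m := AUTH.search(e):
            chan[m.group(3)]["bad_password" if m.group(1) else "success"] += 1
        elif m := LOGON.search(e):
            logons[(m.group(1), m.group(3))][int(m.group(4), 16)] += 1
    return chan, logons

def denied_after_channel_up(text):
    # Assumption: the machine account is the "via" computer name plus "$".
    chan, logons = summarize(text)
    return sorted(user for (user, via), codes in logons.items()
                  if codes[ACCESS_DENIED] and chan[via + "$"]["success"])
```

A non-empty result separates logons refused after NetrServerAuthenticate succeeded from logons that never got a secure channel at all.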

