authentication issue with samba4 as a member server
Jean Raby
jraby at inverse.ca
Fri Jun 28 15:41:55 MDT 2013
Hi all,
Once again, I'm trying to join samba4 to a w2k3 domain as a member server and
I'm having authentication issues. Basically, after the machine is joined to the
domain, wbinfo -a username and wbinfo -t both fail (see below for output).
I know winbind4 is not exactly finished, but should these commands work, or am I
trying to do something that's not implemented yet? I'm testing with Samba 4.0.6
built from source on Ubuntu 12.04. The DC is running Windows 2003 x64 SP2.
Here's a transcript of the commands I do to test this:
# remove smb.conf and erase private/*
# samba-tool domain provision --server-role=member --domain=OPENCHANGE
--realm=OPENCHANGE.LOCAL --machinepass='OpenChange1$'
Administrator password will be set randomly!
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.56.4
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=SOGO
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Admin password: kKzpZXB+FY8]K#
Server Role: member server
Hostname: sogo
NetBIOS Domain: SOGO
DNS Domain: openchange.local
DOMAIN SID: S-1-5-21-2786861960-3008803771-58985728
# cat >>/usr/local/samba/etc/smb.conf <<EOF
### Configuration required by OpenChange server ###
dcerpc endpoint servers = +epmapper, +mapiproxy
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
### Configuration required by OpenChange server ###
EOF
# samba-tool domain join OPENCHANGE MEMBER -UOPENCHANGE\\administrator
--realm=OPENCHANGE.LOCAL --machinepass='OpenChange1$'
Password for [OPENCHANGE\administrator]:
Joined domain OPENCHANGE (S-1-5-21-922290279-342772473-2598553093)
# openchange_provision --openchangedb
# samba -d5 -Msingle -i
# wbinfo -t
checking the trust secret for domain OPENCHANGE via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret
# wbinfo -a sogo1
Enter sogo1's password:
plaintext password authentication failed
Could not authenticate user sogo1 with plaintext password
Enter sogo1's password:
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
Could not authenticate user sogo1 with challenge/response
On the DC, I see this in the netlogon logs:
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO on
account SOGO$ (Negot: 610fffff)
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for
SOGO on account SOGO$
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Failed to
authenticate SOGO on account SOGO$
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate entered: SOGO on
account SOGO$ (Negot: 600fffff)
06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for
SOGO on account SOGO$
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate returns Success:
SOGO on account SOGO$ (Negot: 600fffff)
06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\SOGO$
from SOGO (via SOGO) Entered
06/28 17:29:41 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\SOGO$
from SOGO (via SOGO) Returns 0xC0000022
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from SOGO (via SOGO) Entered
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from SOGO (via SOGO) Returns 0xC0000022
06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from (via SOGO) Entered
06/28 17:30:22 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from (via SOGO) Returns 0xC0000022
I'd really appreciate it if someone could confirm that these should work (or not).
Also, for more background on this, see this thread:
http://marc.info/?l=samba-technical&m=134633869726341&w=2
Thanks.
--
Jean
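
The netlogon excerpt quoted in the message above is hard-wrapped by the mail client, which makes it awkward to grep. The following is an added example, not part of the original post and not Samba or Windows code: it rejoins the wrapped entries and tallies secure-channel and SamLogon outcomes per account. The function names, the result labels and the regular expressions are assumptions derived only from the line shapes visible in that excerpt.

```python
import re
from collections import Counter

# Constructed sample: four entries copied from the log in the message above,
# still hard-wrapped the way they appear there.
SAMPLE = r"""06/28 17:29:41 [CRITICAL] OPENCHANGE: NetrServerAuthenticate: Bad password 0 for
SOGO on account SOGO$
06/28 17:29:41 [SESSION] OPENCHANGE: NetrServerAuthenticate returns Success:
SOGO on account SOGO$ (Negot: 600fffff)
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from SOGO (via SOGO) Entered
06/28 17:30:21 [LOGON] OPENCHANGE: SamLogon: Network logon of OPENCHANGE\sogo1
from SOGO (via SOGO) Returns 0xC0000022
"""

# Patterns inferred from the excerpt only (assumption, not a format specification).
STAMP = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\w+): (.*)$")
BAD_PW = re.compile(r"NetrServerAuthenticate: Bad password \d+ for (\S+) on account (\S+)")
AUTH_OK = re.compile(r"NetrServerAuthenticate returns Success: (\S+) on account (\S+)")
# The workstation name after "from" can be empty, as in the last two entries of the log.
SAMLOGON = re.compile(
    r"SamLogon: Network logon of (\S+) from (\S*) ?\(via (\S+)\) Returns (0x[0-9A-Fa-f]+)")

def unwrap(text):
    """Rejoin continuation lines onto the timestamped line they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarise(text):
    """Count secure-channel and SamLogon results, keyed by (outcome, account)."""
    counts = Counter()
    for rec in unwrap(text):
        m = STAMP.match(rec)
        if not m:
            continue
        body = m.group(4)
        if (hit := BAD_PW.search(body)):
            counts[("channel_bad_password", hit.group(2))] += 1
        elif (hit := AUTH_OK.search(body)):
            counts[("channel_success", hit.group(2))] += 1
        elif (hit := SAMLOGON.search(body)):
            counts[("samlogon_" + hit.group(4).lower(), hit.group(1))] += 1
    return counts
```

Entries that only record "Entered" are skipped, so each SamLogon call is counted once, by its returned status.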