[Samba] Samba 3.0.1-rc2 ADS security mode problems
Peter
pstlpete at spuncookie.com
Sat Dec 13 13:59:40 GMT 2003
I've attempted to create a Windows Server 2003 Native AD/Samba3 hybrid
network (for curiosity's sake). Read extensively through all resources I
could find and from what I can tell, I've set everything up as it should
be.
The Samba3 server properly authenticates to the Windows Server 2003 kdc,
pulls down users and groups via winbind, and is able to view the Win2K3
shares via smbclient. Likewise, the Samba3 server is able to view itself
via smbclient. The Win2K3 server is unable to view the Samba3 server,
nor mount any Samba shares. WinXP clients have the same problem. Linux
clients are unable to view the Samba3 server via smbclient
(NT_STATUS_LOGON_FAILURE) BUT... they are able to mount the shares:
mount -t smbfs -o username=aduser,password=password //samba3/pub /tmp/pub
I've verified that this is authenticating to the Win2K3 server because
only valid AD users are able to mount (I'm unable to discern which
entries in Windows' Security Logs match these auths) and these users do
not exist on the Samba server locally. One quirk I noticed here is that
using syntax DOMAIN\aduser does not work and returns
29965: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
I've tried both Samba3's default winbind separator '\' and '+' which is
offered in the official docs (I'm unsure of why there's this
discrepancy), both with the same results. Another quirk is that from a
Windows client using + as the separator is not possible.
At this point I'm questioning whether my expectation of this
functionality is correct - the ability to use AD to authenticate users
on a Samba3 server and do away entirely with smbpasswd file and local
Linux users. Based on the successful mount from a Linux workstation it
appears I'm correct. I'm also unsure of the use of Win2K3 as there's
virtually no specific documentation in its regard.
Any ideas would be appreciated.
smb.conf
# Global parameters
[global]
workgroup = DOMAIN
realm = DOMAIN.COM
security = ADS
auth methods = winbind
encrypt passwords = Yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = \
# Shares
[public]
comment = Public Data Repository
path = /pub/
read only = No
krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DOMAIN.COM = {
kdc = WIN2K3.DOMAIN.COM:88
default_domain = DOMAIN.COM
}
[domain_realm]
.domain.com = DOMAIN.COM
domain.com = DOMAIN.COM
log.winbindd
[2003/12/13 12:55:12, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
krb5_cc_get_principal failed (No credentials cache found)
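An added example (not part of the post, and not Samba's own code) that cross-checks an smb.conf in security = ADS mode against its krb5.conf: the realm must be set, must match default_realm, must have a [realms] block, and the idmap ranges must be sane. The two inputs are constructed copies of the files quoted above.

```python
# Constructed inputs mirroring the smb.conf and krb5.conf quoted in the post.
SMB_CONF = """[global]
realm = DOMAIN.COM
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
"""
KRB5_CONF = """[libdefaults]
default_realm = DOMAIN.COM
[realms]
DOMAIN.COM = {
kdc = WIN2K3.DOMAIN.COM:88
}
"""

def parse_ini_like(text):
    """Return {section: {key: value}}; a 'NAME = {' line records NAME as a key."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":  # skip blanks, comments, block closers
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ads_config(smb_text, krb5_text):
    """Return a list of findings; an empty list means the two files agree."""
    smb = parse_ini_like(smb_text).get("global", {})
    krb = parse_ini_like(krb5_text)
    realm = smb.get("realm", "")
    findings = []
    if smb.get("security", "user").lower() != "ads":
        findings.append("security is not ADS, so Kerberos/AD membership is unused")
    if not realm:
        findings.append("security = ADS needs 'realm' set in [global]")
    if realm.upper() != krb.get("libdefaults", {}).get("default_realm", "").upper():
        findings.append("smb.conf realm differs from krb5.conf default_realm")
    if realm.lower() not in krb.get("realms", {}):
        findings.append("krb5.conf has no [realms] block for %s" % realm)
    for key in ("idmap uid", "idmap gid"):  # winbind needs a LOW-HIGH range
        lo, _, hi = smb.get(key, "").partition("-")
        if not (lo.isdigit() and hi.isdigit() and int(lo) < int(hi)):
            findings.append(key + " is missing or not a LOW-HIGH range")
        elif int(lo) < 1000:
            findings.append(key + " range overlaps local system accounts")
    return findings
```

Run check_ads_config(SMB_CONF, KRB5_CONF) on the quoted files and it returns no findings; edit either realm and the mismatch is reported.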