[Samba] AD authentication problem

Jim Mintha j.t.mintha at uva.nl
Tue Sep 16 01:38:04 GMT 2003

I'm having a problem authenticating to Active Directory.  I can join
the machine to the domain, wbinfo -g/-u will list the groups and users
and I can map a drive using: smbclient -k //s-lorentz.s-res.uva.nl/c\$
However when I try to get the linux machine to authenticate a user
it doesn't work giving the error NT_STATUS_NO_LOGON_SERVERS
(0xc000005e).  Looking further in the logs it fails at:

[2003/09/16 03:20:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/09/16 03:20:22, 5] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(625)
  cm_get_netlogon_cli: Using short for of domain name [S-RES.UVA.NL] for netlogon rpc bind
[2003/09/16 03:20:22, 3] rpc_client/cli_pipe.c:rpc_api_pipe(457)
  Bind NACK received on pipe 8003!
[2003/09/16 03:20:22, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1578)
  rpc bind to \PIPE\NETLOGON failed
[2003/09/16 03:20:22, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(312)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/09/16 03:20:22, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379)
  NTLM CRAP authentication for user [S-RES.UVA.NL]\[jmintha1 at S-RES.UVA.NL] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)

On the windows side I see the error:
Pre-authentication failed:
	User Name:			gnowee$
	User ID:			S-RES\gnowee$
	Service Name:			krbtgt/S-RES.UVA.NL
	Pre-Authentication Type:	0x0
	Failure Code:			0x19

I've tried everything I can thing of (I'm using the debian package
3.0rc4, but I've tried compiling my own too) but can't figure out what
I've missed.  Anyone else have an idea?

Thanks for any help,

Details on what I have done:
(s-lorentz.s-res.uva.nl - AD Domain Controller
 admin - Domain Admin for AD
 jim - regular user
 gnowee.ic.uva.nl - Linux machine)

# initialize kerberos sucessfully with:

% kinit admin at S-RES.UVA.NL
Password for admin at S-RES.UVA.NL: gandalf

# Join the machine to active directory

% net ads join -U admin at S-RES.UVA.NL
admin at S-RES.UVA.NL password: gandalf
Using short domain name -- S-RES.UVA.NL
Joined 'GNOWEE' to realm 'S-RES.UVA.NL'

# try out wbinfo

% wbinfo -g

# Try to authenticate a user

% wbinfo -a jim at S-RES.UVA.NL%wizard
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user jim at S-RES.UVA.NL%wizard with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user jim at S-RES.UVA.NL with challenge/response

# /etc/krb5.conf:
  default_realm = S-RES.UVA.NL

  S-RES.UVA.NL = {
  kdc = s-lorentz.s-res.uva.nl

# smb.conf
workgroup = S-RES.UVA.NL
netbios name = gnowee
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:10
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
realm = S-RES.UVA.NL
encrypt passwords = true
password server = s-lorentz.s-res.uva.nl
security = ADS
socket options = TCP_NODELAY
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes 

Jim Mintha                                       Email: j.t.mintha at uva.nl
System Administrator                              Work: +31 20 525-4919
Informatiseringscentrum                      	  Home: +31 20 662-3892
University of Amsterdam               Debian GNU/Linux: jmintha at debian.org
_There are always Possibilities_                  http://www.mintha.com

More information about the samba mailing list