[Samba] Problem authenticating against Active Directory (samba 3.0.9 / fedora core 3)
Bill Bradford
mrbill at gmail.com
Thu Dec 2 23:43:55 GMT 2004
I've spent all day on this, and I can't, for the life of me, get Samba
3.0.9 (updated RPM for Fedora Core 3) to authenticate properly against
Active Directory.
(I've edited out the actual domain name, username, etc.)
I've synced up time (to within a half-second) with the domain controller.
Kerberos works:
[root@printshop samba]# kinit username@AD.DOMAIN.COM
Password for username@AD.DOMAIN.COM:
Joining the domain works:
[root@printshop samba]# net ads join -U 'username%password'
[2004/12/02 17:29:26, 0] libads/ldap.c:ads_add_machine_acct(1474)
Warning: ads_set_machine_sd: Unexpected information received
Using short domain name -- AD
Joined 'PRINTSHOP' to realm 'AD.DOMAIN.COM'
but then I can't get a list of shares:
[root@printshop samba]# smbclient -L localhost -U username
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
Here's my /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = AD.DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AD.DOMAIN.COM = {
kdc = DC01.AD.DOMAIN.COM:88
admin_server = dc01.ad.domain.com:749
default_domain = ad.domain.com
}
[domain_realms]
.domain.com = .DOMAIN.COM
domain.com = DOMAIN.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Here's my /etc/samba/smb.conf:
[global]
realm = AD.DOMAIN.COM
workgroup = AD
password server = dc01.ad.domain.com
security = ADS
encrypt passwords = yes
server string = Print Server
load printers = yes
printing = cups
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = no
printable = yes
public = yes
(yes, the only thing I'm trying to share is printers)
In the logfiles, I'm seeing a ton of this:
[2004/12/02 16:32:59, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2004/12/02 16:45:39, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2004/12/02 16:57:20, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2004/12/02 17:33:51, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
The same username/password works fine authenticating directly against the DC.
Any suggestions? I've been working on this literally all day, and all
I want to do is share three printers with our Windows users.
Thanks.
Bill
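
A consistency check over the krb5.conf quoted in this message, as an added example that is not part of the original post: it flags section names outside the set MIT Kerberos documents for krb5.conf and host-to-realm mappings whose target realm has no entry under [realms]. The function names, the `KNOWN_SECTIONS` set and the `SAMPLE` excerpt are constructed for illustration; the post does not establish whether these findings relate to the logon failure.

```python
import re

# Assumption: top-level sections documented for MIT krb5.conf, plus [logging].
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                  "appdefaults", "plugins", "logging"}

# Constructed sample: an excerpt of the krb5.conf posted above.
SAMPLE = """\
[libdefaults]
default_realm = AD.DOMAIN.COM
dns_lookup_kdc = false
[realms]
AD.DOMAIN.COM = {
kdc = DC01.AD.DOMAIN.COM:88
}
[domain_realms]
.domain.com = .DOMAIN.COM
domain.com = DOMAIN.COM
"""

def parse(text):
    """Return {section: [(key, value), ...]} for top-level relations only."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line == "}":
            depth -= 1
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if depth == 0:          # keys inside { } belong to a realm block
                sections[current].append((key, value))
            if value == "{":
                depth += 1
    return sections

def lint(text):
    sections = parse(text)
    findings = [f"unknown section [{s}]" for s in sections if s not in KNOWN_SECTIONS]
    realms = {k for k, _ in sections.get("realms", [])}
    # Check mappings even under the misnamed section so both problems surface.
    for name in ("domain_realm", "domain_realms"):
        for host, realm in sections.get(name, []):
            if realm not in realms:
                findings.append(f"{host} maps to {realm}, not defined in [realms]")
    return findings
```

With `dns_lookup_kdc = false`, a realm that is mapped but has no [realms] entry has no KDC the library can find, which is why the second check matters.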