[Samba] Winbind ADS Issues w/ *TONS* of Pre-Research
William R. Lorenz
wrl at express.org
Thu May 13 22:18:59 GMT 2004
Samba Team,
I've been trying to get my Samba server to authenticate users against a
Windows 2000 Active Directory domain controller, and it just doesn't work.
I've encountered a TREMENDOUS amount of postings from people who have run
into the same issue, and there are never any responses with a resolution.
I must have viewed more than 500 postings over the course of the day.
I have a seemingly valid Samba configuration file. All of the `wbinfo
-u`, `wbinfo -g`, `getent passwd`, and `getent group` commands work just
fine. However, `wbinfo -t` and `wbinfo -a` don't work, and I can't
authenticate users against the domain controller. As an example:
[root at nasone samba]# net ads join -U Administrator
Administrator's password:
[2004/05/13 17:49:30, 0] libads/ldap.c:ads_add_machine_acct(1006)
Host account for nasone already exists - modifying old account
Using short domain name -- ECHUDSON
Joined 'NASONE' to realm 'HUDSON-OFFICE.ECEDIINC.COM'
[root at nasone samba]# net rpc join -U Administrator
Password:
Joined domain ECHUDSON.
[root at nasone samba]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret
[root at nasone samba]#
After trying to do the `wbinfo -t`, I see the following in 'winbindd.log':
[2004/05/13 17:49:41, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/05/13 17:49:41, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:49:41, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
cli_nt_setup_creds: request challenge failed
[2004/05/13 17:49:41, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned NT_STATUS_UNSUCCESSFUL
I am using Samba 3.0.4, as distributed in Fedora Core 1 RPM format on the
main Samba website @ http://www.samba.org/. Here are the details:
[root at nasone samba]# rpm -qa | grep ^samba
samba-common-3.0.4-2
samba-client-3.0.4-2
samba-3.0.4-2
[root at nasone samba]# rpm -qa | grep ^krb5
krb5-libs-1.3.1-6
krb5-workstation-1.3.1-6
[root at nasone samba]#
The output of `wbinfo -a` produces the following:
[root at nasone samba]# wbinfo -a Administrator
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user Administrator with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user Administrator with challenge/response
[root at nasone samba]#
And this results in the following in 'winbindd.log':
[2004/05/13 17:53:04, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(535)
Doing kerberos session setup
[2004/05/13 17:53:04, 0] rpc_client/cli_pipe.c:rpc_auth_pipe(336)
rpc_auth_pipe: wrong schannel auth len 24
[2004/05/13 17:53:04, 0]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(249)
cli_nt_setup_creds: request challenge failed
[2004/05/13 17:53:04, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(612)
NTLM CRAP authentication for user [ECHUDSON]\[Administrator] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
NTLM CRAP authentication is right -- this just doesn't want to work! ;)
Here's the contents of my '/etc/samba/smb.conf' configuration file:
[root at nasone samba]# grep -v ^\; /etc/samba/smb.conf
[global]
workgroup = ECHUDSON
realm = HUDSON-OFFICE.LOCAL
server string = NASONE
hosts allow = 10.0.0.0/24
load printers = no
security = ads
auth methods = winbind
password server = ARIEL
name resolve order = bcast wins host
wins server = 10.0.0.150 10.0.0.151
log level = 2
log file = /var/log/samba/samba-global.log
log file = /var/log/samba/%m.log
max log size = 0
winbind separator = +
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 15
template shell = /sbin/nologin
template homedir = /dev/null/%D/%U
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 10.0.0.180/24 10.0.1.180/24
os level = 33
local master = no
domain master = no
preferred master = no
domain logons = no
wins support = no
dns proxy = no
[volume01]
comment = volume01
path = /mnt/volumes/lv01
public = no
writable = no
printable = no
valid users = @"ECHUDSON+Domain Admins"
write list = @"ECHUDSON+Domain Admins"
create mask = 0664
directory mask = 0775
nt acl support = yes
[root at nasone samba]#
Here's one example of other people having the same issue (I searched
long and hard for any resolutions many of these had found, to no avail!):
http://lists.samba.org/archive/samba-technical/2003-July/030983.html
I'd grab others, but I've already closed lots of browser windows. ;)
Here's some additional Kerberos information that is probably pertinent:
[root at nasone root]# kinit administrator at HUDSON-OFFICE.LOCAL
Password for administrator at HUDSON-OFFICE.LOCAL:
[root at nasone root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at HUDSON-OFFICE.LOCAL
Valid starting Expires Service principal
05/13/04 18:13:23 05/14/04 04:14:36
krbtgt/HUDSON-OFFICE.ECEDIINC.COM at HUDSON-OFFICE.LOCAL
renew until 05/14/04 18:13:23
05/13/04 18:15:33 05/14/04 04:14:36 ariel$@HUDSON-OFFICE.LOCAL
renew until 05/14/04 18:13:23
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at nasone root]#
And finally, let's get in a good test of Kerberos with the -k flag:
[root at nasone root]# smbclient -U Administrator -k //10.0.0.150/GENSRVNT
OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> ls
. D 0 Thu Apr 1 15:37:04 2004
.. D 0 Thu Apr 1 15:37:04 2004
[ADDITIONAL DIRECTORY LISTING TRIMMED]
smb: \> quit
[root at nasone root]#
Does anyone have any ideas?!?!
--
William R. Lorenz <wrl at express.org>
http://www.clevelandlug.net/ ; "Every revolution was first a thought in one man's mind." - Ralph Waldo Emerson
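A consistency check for the kind of winbind/ADS setup described in this post, added here as an example and not part of the original message or of Samba: it parses the [global] section of an smb.conf, flags duplicate keys (Samba silently lets the last one win), and compares the configured realm against the realms that appear in krbtgt entries of klist output. The smb.conf and klist excerpts are constructed from the values quoted above, with the archive's " at " restored to "@".

```python
"""Cross-check smb.conf realm settings against a klist ticket cache listing."""
import re

# Constructed from the [global] section quoted in the post (trimmed).
SMB_CONF = """\
[global]
workgroup = ECHUDSON
realm = HUDSON-OFFICE.LOCAL
security = ads
password server = ARIEL
log file = /var/log/samba/samba-global.log
log file = /var/log/samba/%m.log
[volume01]
path = /mnt/volumes/lv01
"""

# Constructed from the klist output quoted in the post.
KLIST_OUT = """\
Default principal: administrator@HUDSON-OFFICE.LOCAL
krbtgt/HUDSON-OFFICE.ECEDIINC.COM@HUDSON-OFFICE.LOCAL
"""

def parse_global(conf):
    """Return ({key: value}, [duplicate keys]) for the [global] section only."""
    values, dupes, section = {}, [], None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue                      # comment or blank line
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = " ".join(key.split()).lower()   # Samba keys are case/space-insensitive
        if key in values:
            dupes.append(key)                 # later value overrides the earlier one
        values[key] = val.strip()
    return values, dupes

def check(conf, klist_out):
    """Return a list of findings; an empty list means the inputs agree."""
    values, dupes = parse_global(conf)
    findings = [f"duplicate key '{k}' in [global]; last value wins" for k in dupes]
    realm = values.get("realm", "").upper()
    if values.get("security", "").lower() == "ads" and not realm:
        findings.append("security = ads but no realm configured")
    # Each TGT line looks like krbtgt/<service realm>@<client realm>.
    for svc, client in re.findall(r"krbtgt/([\w.-]+)@([\w.-]+)", klist_out):
        if svc != client:
            findings.append(f"TGT service realm {svc} != client realm {client}")
        if realm and svc != realm:
            findings.append(f"smb.conf realm {realm} != TGT realm {svc}")
    return findings
```

Run against the excerpts above, the check reports the duplicated `log file` key and the two realm spellings that appear in the post.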