[Samba] authentication against win2k3 server

Tom Skeren tms3 at fsklaw.net
Tue Nov 16 21:29:20 GMT 2004

Carissa Srugis wrote:

>I've been trying to setup Samba to authenticate users against accounts
>existing on a Windows 2003 Server without any backwards capability. 
>Ideally, this needs to be done without any changes to the Windows 2003
>Server.  Users will not be logging into the Samba shares at all.  This
>is merely for authentication.
OK, well, try getting a kerberos ticket first.

kinit Administrator@YOURDOMAIN.COM...
If you get a valid ticket, you can just do net ads join -U 
Administrator, no need for pw.

If no kerberos ticket, then you've got a krb5.conf issue.

Heimdal requires these lines:

default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

You also might need to have the w2k3 generate a keytab for you.  If so, you need this line as well.

default_keytab_name = FILE:/etc/krb5.keytab

>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
>This is my smb.conf file:
>      realm = WIN2K3.DOMAIN.LOCAL
>      security = ads
>      auth methods = winbind
>      winbind separator = +
>      encrypt passwords = yes
>      workgroup = DOMAIN.LOCAL
>      netbios name = FREEBSD_Machine
>      winbind uid = 10000-20000
>      winbind gid = 10000-20000
>      winbind enum users = yes
>      winbind enum groups = yes
>      idmap uid = 10000-20000
>      idmap gid = 10000-20000
>      password server = WIN2K3.DOMAIN.LOCAL
>So once winbindd is running, I type the following and get these results:
>freebsd_machine# net ads join member -I -U administrator
>administrator's password: *password*
>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
>  Packet send failed to ERRNO=Permission denied
>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
>  Packet send failed to ERRNO=Permission denied
>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
>  ads_connect: Permission denied
>In the winbindd log I've also gotten the following error messages at
>one point or another:
>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>Packet send failed to ERRNO=Permission denied
>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>get_trust_pw: could not fetch trust account password for my domain DOMAIN.LOCAL
>The odd part is when I try to use wbinfo to verify connections.  If I
>type "wbinfo -g" it will display the correct group listing from the
>win2k3 server.  But nothing else seems to work:
>freebsd_machine# wbinfo -t
>checking the trust secret via RPC calls failed
>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>Could not check secret
>freebsd_machine# wbinfo -u
>Error looking up domain users
>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>Name              : WIN2K3.DOMAIN.LOCAL
>Alt_Name          : DOMAIN.LOCAL
>SID               : S-0-0
>Active Directory  : No
>Native            : No
>Primary           : Yes
>Sequence          : -1
>I'm obviously missing something, but I am at a loss.  Any help is
>greatly appreciated!
>Carissa Srugis
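As an added example (not from the original thread), a small Python check that parses a krb5.conf and an smb.conf and reports which of the settings the reply points at are missing before a `net ads join` is attempted. The section names, the Heimdal `[libdefaults]` keys and values are the ones given in the reply; the check that `realm` is upper case reflects Kerberos realm-naming convention and is an assumption of this example, not something the thread states; the sample configs in the test are constructed.

```python
# Heimdal [libdefaults] lines the reply says are required, with its values.
HEIMDAL_LIBDEFAULTS = {
    "default_etypes": "des-cbc-crc des-cbc-md5",
    "default_etypes_des": "des-cbc-crc des-cbc-md5",
    "default_keytab_name": "FILE:/etc/krb5.keytab",
}

def parse_sections(text):
    """Tiny parser for the INI-like krb5.conf and smb.conf formats: returns
    {section: {key: value}}, skipping comments and krb5.conf '{ ... }' blocks."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif line.endswith("{"):
            depth += 1          # entering e.g. [realms] EXAMPLE.COM = { ... }
        elif line == "}":
            depth -= 1
        elif depth == 0 and current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_krb5_conf(text):
    """Return the reply's Heimdal [libdefaults] lines that are missing."""
    libdefaults = parse_sections(text).get("libdefaults")
    if libdefaults is None:
        return ["krb5.conf: no [libdefaults] section"]
    return [f"krb5.conf: add '{key} = {want}'"
            for key, want in HEIMDAL_LIBDEFAULTS.items() if key not in libdefaults]

def check_smb_conf(text):
    """Return ADS-membership problems in smb.conf [global]."""
    g = parse_sections(text).get("global", {})
    problems = []
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: 'security = ads' is required for net ads join")
    realm = g.get("realm", "")
    if not realm:
        problems.append("smb.conf: realm is not set")
    elif realm != realm.upper():   # assumption: Kerberos realms are upper case
        problems.append(f"smb.conf: realm '{realm}' should be upper case")
    return problems
```

Run both checks against the live files and fix what they report before trying `kinit`; the parser ignores nested `[realms]` blocks on purpose, since only `[libdefaults]` matters here.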

