[Samba] Winbind not using kerberos

Tom Alessi tom.alessi at gmail.com
Mon Oct 11 14:18:06 GMT 2004

I am having a problem with Winbind and kerberos:

OS: Solaris8
Samba: 3.0.7
MIT Kerberos: 1.3.5
OpenLDAP: 2.2.17
Windows: Active Directory on Windows Server 2003

I have Samba compiled with openldap, kerberos and PAM support and
everything is working fine as far as access.  The problem is that when
I log in to the Solaris system using SSH and I check the security logs
on the Windows domain controller performing the authentication I see
that kerberos is not being used.  Instead,
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 is used.  This is the event log
entry related to this logon event:

 Logon account:	<Windows username>
 Source Workstation:	\\<hostname>
 Error Code:	0x0

Additionally, the event just prior to this one every time is this:

Pre-authentication failed:
 	User Name:	<hostname>$
 	User ID:		<domain>\<hostname>$
 	Service Name:	krbtgt/<kerberos realm>
 	Pre-Authentication Type:	0x0
 	Failure Code:	0x19
 	Client Address:	<IP Address>

  workgroup = <upper case netbios domain name>
  netbios name = <hostname>
  winbind separator = +
  winbind use default domain = yes
  winbind trusted domains only = yes
  security = ads
  encrypt passwords = yes
  realm = <upper case realm name>
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  log file = /local/samba/log/log.%m
  log level = 10
  max log size = 5000

login   auth required           /usr/lib/security/pam_winbind.so
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         /usr/lib/security/pam_winbind.so
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
dtlogin auth requisite          pam_authtok_get.so.1
dtlogin auth required           pam_dhkeys.so.1
dtlogin auth required           pam_unix_auth.so.1
other   auth sufficient         /usr/lib/security/pam_winbind.so
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1

login   account requisite               pam_roles.so.1
login   account required                pam_projects.so.1
login   account required                pam_unix_account.so.1

dtlogin account requisite               pam_roles.so.1
dtlogin account required                pam_projects.so.1
dtlogin account required                pam_unix_account.so.1

other   account sufficient              /usr/lib/security/pam_winbind.so
other   account requisite               pam_roles.so.1
other   account required                pam_projects.so.1
other   account required                pam_unix_account.so.1

other   session required                pam_unix_session.so.1

other   password required               pam_dhkeys.so.1
other   password requisite              pam_authtok_get.so.1
other   password requisite              pam_authtok_check.so.1
other   password required               pam_authtok_store.so.1
dtsession       auth requisite          pam_authtok_get.so.1
dtsession       auth required           pam_dhkeys.so.1
dtsession       auth required           pam_unix_auth.so.1

ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
ppp     account requisite               pam_roles.so.1
ppp     account required                pam_projects.so.1
ppp     account required                pam_unix_account.so.1
ppp     session required                pam_unix_session.so.1
passwd  auth required           pam_passwd_auth.so.1
cron    account required                pam_unix_account.so.1


Additional information:
-I have /etc/krb5.conf set up correctly and kinit works just fine.

-If I set up a group policy to deny LM and NTLM and only allow NTLMv2
authentication in Active Directory, then SSH login to this system
completely fails.  SMB sharing to this system, however, works ok in
this situation.

-I have the exact same setup on RedHat Fedora and Solaris9 and both
exhibit the exact same behavior.

Thanks in advance for any help.
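The two domain-controller events quoted above (the NTLM logon via MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 and the preceding pre-authentication failure with code 0x19) are the kind of thing an administrator ends up eyeballing in the security log. The following script is an added example, not code from the original post or from Samba: it parses event bodies in the "Field:<tab>value" layout the post quotes, labels each as Kerberos or NTLM, decodes the Kerberos failure code from RFC 4120, and lists which source hosts and accounts are still authenticating with NTLM when Kerberos was expected. The sample events, host names, account names, realm and IP address are constructed for the example and are not real log data.

```python
"""Classify domain-controller logon events as Kerberos or NTLM and decode
Kerberos failure codes.

Added example; not code from the original post or from Samba. The sample
events below are constructed to mirror the field layout quoted in the post
(names, realm and addresses are made up).
"""

# Kerberos error codes (RFC 4120, section 7.5.9), keyed by the hex value the
# Windows security log prints in the "Failure Code" field.
KRB_ERROR_CODES = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "client principal not in the KDC database"),
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "service principal not in the KDC database"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, expired or locked out"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "pre-authentication data wrong (bad password/key)"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "KDC demands pre-authentication; normal first leg of an AS exchange"),
    0x20: ("KRB_AP_ERR_TKT_EXPIRED", "ticket expired"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew between client and KDC too large"),
}

# Codes that do not by themselves indicate a problem: success, and the
# "send pre-auth" hint a KDC returns before the client retries with PA-ENC-TIMESTAMP.
BENIGN_CODES = {0x00, 0x19}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "Pre-authentication failed:\n\tUser Name:\tsolaris8$\n\tUser ID:\tEXAMPLE\\solaris8$\n"
    "\tService Name:\tkrbtgt/EXAMPLE.COM\n\tPre-Authentication Type:\t0x0\n"
    "\tFailure Code:\t0x19\n\tClient Address:\t192.0.2.10",
    "Logon attempt by:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tLogon account:\talice\n"
    "\tSource Workstation:\t\\\\solaris8\n\tError Code:\t0x0",
    "Authentication Ticket Request:\n\tUser Name:\talice\n\tSupplied Realm Name:\tEXAMPLE.COM\n"
    "\tService Name:\tkrbtgt\n\tTicket Options:\t0x40810010\n\tResult Code:\t0x0",
]


def parse_event(text):
    """Split an event body into (title, {field: value}).

    Each non-empty line is a "Name:<whitespace>value" pair; the first line is
    the event description (its value is empty for lines like
    "Pre-authentication failed:").
    """
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    fields = {}
    for line in lines:
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return lines[0].rstrip(":"), fields


def classify(text):
    """Return a dict describing one event: protocol, principal, source, code."""
    title, fields = parse_event(text)
    package = fields.get("Logon attempt by", "")
    if package.startswith("MICROSOFT_AUTHENTICATION_PACKAGE"):
        protocol = "NTLM"  # the MSV1_0 package handles LM/NTLM/NTLMv2, never Kerberos
    elif (fields.get("Service Name", "").startswith("krbtgt")
          or "Ticket" in title or "Pre-authentication" in title):
        protocol = "Kerberos"
    else:
        protocol = "unknown"

    # Kerberos events carry "Failure Code"/"Result Code"; NTLM events "Error Code".
    code_text = (fields.get("Failure Code") or fields.get("Result Code")
                 or fields.get("Error Code") or "0x0")
    code = int(code_text, 16)
    if code == 0:
        name, meaning = "", "success"
    elif protocol == "Kerberos":
        name, meaning = KRB_ERROR_CODES.get(code, ("", "unknown Kerberos error"))
    else:
        name, meaning = "", "non-zero status"

    principal = fields.get("User Name") or fields.get("Logon account") or "?"
    source = (fields.get("Client Address")
              or fields.get("Source Workstation", "").lstrip("\\") or "?")
    return {"protocol": protocol, "principal": principal, "source": source,
            "code": code, "name": name, "meaning": meaning,
            "benign": code in BENIGN_CODES}


def ntlm_sources(events):
    """Map source host -> accounts that completed an NTLM logon.

    Anything listed here authenticated without Kerberos, which is exactly the
    condition the post describes for SSH logins through pam_winbind.
    """
    seen = {}
    for ev in map(classify, events):
        if ev["protocol"] == "NTLM" and ev["code"] == 0:
            seen.setdefault(ev["source"], set()).add(ev["principal"])
    return {src: sorted(accts) for src, accts in seen.items()}


if __name__ == "__main__":
    for ev in map(classify, SAMPLE_EVENTS):
        print(f"{ev['protocol']:<8} {ev['principal']:<12} from {ev['source']:<14} "
              f"code 0x{ev['code']:x} {ev['name']} {ev['meaning']}")
    print("NTLM logons by source:", ntlm_sources(SAMPLE_EVENTS))
```

Run against the constructed sample, the pre-authentication failure decodes as KDC_ERR_PREAUTH_REQUIRED and is marked benign (it is the KDC telling the machine account to retry with pre-authentication data), while the MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 entry is the one that shows the interactive login completed over NTLM rather than Kerberos.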
