[Samba] Auth errors with winbind on member server with Native AD

John Stile john at stilen.com
Mon Apr 18 17:54:56 GMT 2005

So many people have posted this problem! 
The steps to debug need to be in a FAQ.

The short question is:
   Can there be a disconnect between the short and long REALM names,
leading to winbind-to-AD authentication errors? and How do I fix it?

I can access windows shares or join a AD Domain with: 
   mount -t smbfs -o username=johns,workgroup=ms //library/Source_Safe tmp/
   net ads join -Ujohns -Wms
but I can't authenticate with my samba server
   smbclient -L localhost -Ujohns -d10 
   <error snip>
        SPNEGO login failed: Logon failure
        session setup failed: NT_STATUS_LOGON_FAILURE'
     * Detailed log at http://www.stilen.com/smbclient_debug.txt
     ==> /var/log/samba/log.subversion01 <== 
        [2005/04/18 10:29:41, 0] auth/pampass.c:smb_pam_account(573)
          smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MS\johns
        [2005/04/18 10:29:41, 0] auth/pampass.c:smb_pam_accountcheck(781)
          smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MS\johns!
   And winbind log (in debug mode)
This command tells me the real realm is MS.MSLI.COM
   net ads info
        LDAP server:
        LDAP server name: stan
        Realm: MS.MSLI.COM
        Bind Path: dc=MS,dc=MSLI,dc=COM
        LDAP port: 389
        Server time: Wed, 13 Apr 2005 13:15:37 GMT
        KDC server:
        Server time offset: 0
When I communicate with the KDC, it assumes the full realm:
   kinit johns
        Password for johns at MS.MSLI.COM:
        <finish without error>

How I got my self into this mess.
Debian testing
  samba 	3.0.10-1
  winbind	3.0.10-1
  krb5-config	1.6
  krb5-user	1.3.6-2
# Install the Debian way
aptitude install winbind samba smbfs samba-client smbclient 
        Workgroup/Domain Name?  			ms 
        Use password encryption?			<yes>
        Modify smb.conf to use WINS settings from DHCP? <no>
        How do you want to run Samba?			daemons
        Create samba password database, /var/lib/samba/passdb.tdb? <yes>
# Stop smb/nmb/winbind
   /etc/init.d/samba stop
   /etc/init.d/winbind stop 
# Remove old files
   find / -name '*.tdb' |xargs rm -rf 
# Edit my files nsswitch.conf, smb.conf, and krb5.conf
   < see Files section below >
# Join that ADS domain
   net ads join -Ujohns
        johns's password:
        [2005/04/13 20:17:56, 0]
          ads_add_machine_acct: Host account for subversion01 already
        exists - modifying old account
        Using short domain name -- MS
        Joined 'SUBVERSION01' to realm 'MS.MSLI.COM'
# Look for newly created tdb files.
   find / -name "*.tdb"
# Start winbind in debug mode
   winbindd -S -i -F -d 8 -Y
        Log at: http://www.stilen.com/winbind_log.txt 
# Look for newly created tdb files.
   find / -name "*.tdb"
# Names retrieved from AD do not begin with MS+ ?
   wbinfo -u
   wbinfo -g
        Domain Admins
        Domain Users
        Domain Guests
        Domain Computers
# Valid member of the domain.
   wbinfo -t
        checking the trust secret via RPC calls succeeded
# I can authenticat to the KDC
   kinit johns
        Password for johns at MS.MSLI.COM:
        <finish without error>
# When I try list the samba shares without a password, it works
   smbclient -L localhost
        Anonymous login successful
        Domain=[MS] OS=[Unix] Server=[Samba 3.0.10-Debian]
                Sharename       Type      Comment
                ---------       ----      -------
                print$          Disk      Printer Drivers
                IPC$            IPC       IPC Service (subversion01)
                ADMIN$          IPC       IPC Service (subversion01)
        Anonymous login successful
        Domain=[MS] OS=[Unix] Server=[Samba 3.0.10-Debian]
                Server               Comment
                ---------            -------
                SUBVERSION01         subversion01
                Workgroup            Master
                ---------            -------
                MS                   STAN
# When I try to list the samba shares with authenticaiton, it fails.
   smbclient -L library -ujohns -wms
        session setup failed: NT_STATUS_LOGON_FAILURE'
This has been a popular problem, without solutions, so the problem may
be quite complex. This post tells me many people have problems with
  http://lists.samba.org/archive/samba/2004-May/085923.htmlThis person
This person seems to have the same issues:

        passwd: compat winbind
        group:  compat winbind
        hosts:  files dns winbind
         default = FILE:/var/log/krb5libs.log
          kdc = FILE:/var/log/krb5kdc.log
           admin_server = FILE:/var/log/kadmind.log
                default_realm = MS.MSLI.COM
               krb4_config = /etc/krb.conf
                krb4_realms = /etc/krb.realms
                kdc_timesync = 1
                ccache_type = 4
                forwardable = true
                proxiable = true
                MS.MSLI.COM = {
                        kdc =
                        admin_server =
                        default_domain = ms.msli.com
                ms = MS.MSLI.COM
                .ms = MS.MSLI.COM
                .msli.com = MS.MSLI.COM
                msli.com = MS.MSLI.COM
                ms.msli.com = MS.MSLI.COM
                .ms.msli.com = MS.MSLI.COM
                krb4_convert = true
                krb4_get_tickets = true
       realm = MS.MSLI.COM
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      winbind enum users = yes
      winbind enum groups = yes
       workgroup = MS
       security = ADS
       password server = *
       wins support = yes
       wins server =
       server string = subversion01
       dns proxy = no
       log file = /var/log/samba/log.%m
       max log size = 1000
       syslog = 0
       panic action = /usr/share/samba/panic-action %d
       encrypt passwords = true
       passdb backend = tdbsam guest
       obey pam restrictions = yes
       invalid users = root daemon bin sys adm lp listen noaccess
       passwd program = /usr/bin/passwd %u
       passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    	load printers = no
       socket options = TCP_NODELAY
       comment = Home Directories
       browseable = no
       writable = no
       create mask = 0700
       directory mask = 0700
       valid users = %S
       comment = All Printers
       browseable = no
       path = /tmp
       printable = yes
       public = no
       writable = no
       create mode = 0700
       comment = Printer Drivers
       path = /var/lib/samba/printers
       browseable = yes
       read only = yes
       guest ok = no

|   \0/    John Stile |
| UniX Administration |
|   / \  510-305-3800 |     
|     john at stilen.com |

More information about the samba mailing list