[Samba] Help with ADS authentication from Windoze

Jason Brown jason.brown at mscsoftware.com
Tue Aug 30 14:53:04 GMT 2005


Here is my situation:

I have an AIX 4.3.3 machine on which I have compiled open-ldap, kerberos5 
(1.3..6), and Samba 3.0.20. 

Here is my smb.conf file:

[global]

realm = REGION.DOMAIN.COM
security = ADS
password server =  randomdc.region.domain.com
workgroup = REGION
client use spnego = yes
;winbind separator = \


[homes]
   comment = Home Directories
   read only = no
   create mode = 0750
   browseable = no

[styx]
   comment = Styx
   path = /styx
   public = yes

[styx1]
  comment = Styx1
  path = /styx1
  public = yes


Here is my krb5.conf 

[libdefaults]
        default_realm = REGION.DOMAIN.COM
        default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
[realms]
        REGION.DOMAIN.COM = {
        kdc = randomdc.REGION.DOMAIN.COM
        }


I was able to add this machine to the active directory (by the way, we are 
running 2003 ADS). 

I am also able to get info from wbinfo -u and wbinfo -g.

Here is where it becomes a problem:

I cannot authenticate from my Windoze box to this AIX machine running 
Samba.

Here is the error message in log.smbd:

[2005/08/30 07:46:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:07, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\jbrown is invalid on this system
[2005/08/30 07:46:16, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\jbrown is invalid on this system


However, I also see this in the log too:

[2005/08/30 05:46:35, 1] smbd/service.c:close_cnum(835)
  pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:46:59, 1] smbd/service.c:make_connection_snum(662)
  pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)
[2005/08/30 05:47:11, 1] smbd/service.c:close_cnum(835)
  pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:47:34, 1] smbd/service.c:make_connection_snum(662)
  pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)
[2005/08/30 05:47:46, 1] smbd/service.c:close_cnum(835)
  pitcairn (172.16.64.92) closed connection to service styx
[2005/08/30 05:48:10, 1] smbd/service.c:make_connection_snum(662)
  pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=-2, gid=-2) (pid 18016)

Here is some interesting stuff in log.nmbd (probably not related):


[2005/08/30 07:47:43, 0] nmbd/nmbd_namequery.c:query_name_response(101)
  query_name_response: Multiple (3) responses received for a query on subnet 172.16.64.91 for name NA<1d>.
  This response was from IP 172.16.65.19, reporting an IP address of 172.16.65.19.


Here is winbindd log file:

[2005/08/29 21:01:33, 1] nsswitch/winbindd.c:main(935)
  winbindd version 3.0.20 started.
  Copyright The Samba Team 2000-2004
[2005/08/29 21:01:33, 0] nsswitch/winbindd_util.c:winbindd_param_init(766)
  winbindd: idmap uid range missing or invalid
[2005/08/29 21:01:33, 0] nsswitch/winbindd_util.c:winbindd_param_init(767)
  winbindd: cannot continue, exiting.
[2005/08/29 21:01:33, 1] nsswitch/winbindd.c:main(968)
  Could not init idmap -- netlogon proxy only



Any suggestions? Anyone else come across this?

Thank you.

Jason Brown
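
Added example, not part of the original post and not Samba's own code: a small Python triage of the log excerpts quoted above. It groups each log header with its message, rejoins lines the mail client wrapped, and counts the winbindd idmap failure, the rejected domain usernames and the guest (nobody) sessions. The sample log is constructed from lines in the post; the rule and function names are this example's own.

```python
import re
from collections import Counter

# Record header in these logs: "[date time, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)")
# Message patterns copied from the log excerpts in the post.
RULES = {
    "idmap_missing": re.compile(r"idmap uid range missing or invalid"),
    "unmapped_user": re.compile(r"Username (\S+) is invalid on this system"),
    "guest_session": re.compile(r"connect to service (\S+) initially as user nobody"),
}
# Constructed sample: lines modelled on the post, one of them mail-wrapped mid-token.
SAMPLE = """\
[2005/08/29 21:01:33, 0] nsswitch/winbindd_util.c:winbindd_param_init(766)
  winbindd: idmap uid range missing or invalid
[2005/08/30 05:46:59, 1] smbd/service.c:make_connection_snum(662)
  pitcairn (172.16.64.92) connect to service styx initially as user nobody (uid=
-2, gid=-2) (pid 18016)
[2005/08/30 07:46:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\\jbrown is invalid on this system
[2005/08/30 07:46:06, 1] smbd/sesssetup.c:reply_spnego_kerberos(263)
  Username REGION\\jbrown is invalid on this system
"""

def parse_records(text):
    """Attach message lines to their header; rejoin fragments split by the mailer."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            # Indented text is a new message line; unindented text continues a wrapped one.
            sep = " " if line[0].isspace() and rec["msg"] else ""
            rec["msg"] += sep + line.strip()
    return records

def triage(records):
    """Count rule hits and collect the account and share names they mention."""
    hits, names = Counter(), {k: set() for k in RULES}
    for rec in records:
        for key, rx in RULES.items():
            m = rx.search(rec["msg"])
            if m:
                hits[key] += 1
                names[key].update(m.groups())
    return hits, names
```

Calling triage(parse_records(SAMPLE)) puts the winbindd idmap error, the rejected account and the guest-mapped share side by side, which is the comparison to make across log.winbindd and log.smbd.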




