[Samba] NT_STATUS_ACCESS_DENIED with ADS + Kerberos

Wil Cooley wcooley at nakedape.cc
Fri Jan 14 20:31:03 GMT 2005

I'm trying to setup Samba in ADS security mode so I can run winbind for
NSS and Kerberos for user authentication, chiefly for shell accounts for
developers.  These hosts will not provide any file or printer services,
at least in the near-term.

My hosts are CentOS 3 (a free RHEL3 clone) and my ADS servers are Windows 2000
(not 2003), in hybid mode.  I am using stock RPMs for both Kerberos and Samba;
krb5-libs-1.2.7-31 (et al) and samba-3.0.9-1.3E.2 (et al).

I have been successful using Kerberos authentication with the W2k servers
and pam_krb5 (with local users in /etc/passwd).  I can use Kerberized telnet
between Linux hosts.  I've also configured OpenLDAP-based IdMap, which after
a little tweaking so uidNumbers match the manual maps I'd created, works fine.

I can also get winbind to work as expected using 'security = domain' and I
suppose I could leave it at that, but I'm a curious sort.

I joined the realm by running 'kinit -p my_admin_account at MYDOMAIN.COM' and then
'net join ads'.  Kerberos keytab has been created with 'net ads keytab CREATE;
'klist -k' shows a full list of keys--about 72 of them.

However, 'wbinfo' commands have problems:

# wbinfo -u 
# wbinfo -g 

work consistently.  (I've run them in a loop which checks the line counts
between runs.)

# wbinfo -n Name 

works inconsistently (for users and groups).  Errors are
similar to below but the connection is to \PIPE\lsarpc.

wbinfo -t never works:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

winbind log looks like this when running this command:

[2005/01/14 11:58:08, 3]
  got principal=fileserver$@MYDOMAIN.COM
[2005/01/14 11:58:08, 2]
  Doing kerberos session setup
[2005/01/14 11:58:08, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:cliconnect] expiration Fri, 14 Jan 2005
21:58:06 GMT
[2005/01/14 11:58:08, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2005/01/14 11:58:08, 3] nsswitch/winbindd_cm.c:new_cm_connection(499)
  Could not open a connection to MYDOMAIN for \PIPE\NETLOGON
[2005/01/14 11:58:08, 3]
  could not open handle to NETLOGON pipe
[2005/01/14 11:58:08, 2]
  Checking the trust account password returned NT_STATUS_ACCESS_DENIED

Here's one of the smb.conf's (the more minimal):

        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        security = ADS
        use kerberos keytab = Yes
        log level = 3 ads:20 auth:10 sam:10 rpc:20
        ldap admin dn = cn=Manager,dc=mydomain,dc=COM
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=mydomain,dc=COM
        idmap backend = ldap:ldap://ldap-server
        idmap uid = 150000-550000
        idmap gid = 150000-550000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 1
        winbind use default domain = Yes

Wil Cooley                                 wcooley at nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *

More information about the samba mailing list