[Samba] NT_STATUS_ACCESS_DENIED with ADS + Kerberos
Wil Cooley
wcooley at nakedape.cc
Fri Jan 14 20:31:03 GMT 2005
I'm trying to set up Samba in ADS security mode so I can run winbind for
NSS and Kerberos for user authentication, chiefly for shell accounts for
developers. These hosts will not provide any file or printer services,
at least in the near-term.
My hosts are CentOS 3 (a free RHEL3 clone) and my ADS servers are Windows 2000
(not 2003), in hybrid mode. I am using stock RPMs for both Kerberos and Samba;
krb5-libs-1.2.7-31 (et al) and samba-3.0.9-1.3E.2 (et al).
I have been successful using Kerberos authentication with the W2k servers
and pam_krb5 (with local users in /etc/passwd). I can use Kerberized telnet
between Linux hosts. I've also configured OpenLDAP-based IdMap, which after
a little tweaking so uidNumbers match the manual maps I'd created, works fine.
I can also get winbind to work as expected using 'security = domain' and I
suppose I could leave it at that, but I'm a curious sort.
I joined the realm by running 'kinit -p my_admin_account@MYDOMAIN.COM' and then
'net join ads'. Kerberos keytab has been created with 'net ads keytab CREATE';
'klist -k' shows a full list of keys--about 72 of them.
However, 'wbinfo' commands have problems:
# wbinfo -u
and
# wbinfo -g
work consistently. (I've run them in a loop which checks the line counts
between runs.)
# wbinfo -n Name
works inconsistently (for users and groups). Errors are
similar to below but the connection is to \PIPE\lsarpc.
wbinfo -t never works:
# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret
winbind log looks like this when running this command:
...
[2005/01/14 11:58:08, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(745)
got principal=fileserver$@MYDOMAIN.COM
[2005/01/14 11:58:08, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(538)
Doing kerberos session setup
[2005/01/14 11:58:08, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
Ticket in ccache[MEMORY:cliconnect] expiration Fri, 14 Jan 2005
21:58:06 GMT
[2005/01/14 11:58:08, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
failed tcon_X with NT_STATUS_ACCESS_DENIED
[2005/01/14 11:58:08, 3] nsswitch/winbindd_cm.c:new_cm_connection(499)
Could not open a connection to MYDOMAIN for \PIPE\NETLOGON
(NT_STATUS_ACCESS_DENIED)
[2005/01/14 11:58:08, 3]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
could not open handle to NETLOGON pipe
[2005/01/14 11:58:08, 2]
nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
Checking the trust account password returned NT_STATUS_ACCESS_DENIED
Here's one of the smb.conf's (the more minimal):
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ADS
use kerberos keytab = Yes
log level = 3 ads:20 auth:10 sam:10 rpc:20
ldap admin dn = cn=Manager,dc=mydomain,dc=COM
ldap idmap suffix = ou=Idmap
ldap suffix = dc=mydomain,dc=COM
idmap backend = ldap:ldap://ldap-server
idmap uid = 150000-550000
idmap gid = 150000-550000
template homedir = /home/%U
template shell = /bin/bash
winbind separator = +
winbind cache time = 1
winbind use default domain = Yes
--
Wil Cooley wcooley at nakedape.cc
Naked Ape Consulting http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
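A small log triage helper, added here as an example and not part of the original post or of Samba itself. It parses winbind debug entries of the form "[date time, level] file:function(line)" followed by an indented message, finds the first non-OK NT_STATUS code, and reports which stage failed. Run over the excerpt above (reflowed so each header sits on one line, since the mail client wrapped some of them), it shows that the Kerberos session setup entry precedes the failure and that the NT_STATUS_ACCESS_DENIED is raised at the tree connect (tcon_X) for the NETLOGON pipe, not at the Kerberos step. The sample log text and the stage names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the winbind excerpt from the post with the mail-client
# line wrapping undone, so every header is on one line and its message follows.
SAMPLE_LOG = """\
[2005/01/14 11:58:08, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
  got principal=fileserver$@MYDOMAIN.COM
[2005/01/14 11:58:08, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(538)
  Doing kerberos session setup
[2005/01/14 11:58:08, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:cliconnect] expiration Fri, 14 Jan 2005 21:58:06 GMT
[2005/01/14 11:58:08, 1] nsswitch/winbindd_cm.c:cm_open_connection(333)
  failed tcon_X with NT_STATUS_ACCESS_DENIED
[2005/01/14 11:58:08, 3] nsswitch/winbindd_cm.c:new_cm_connection(499)
  Could not open a connection to MYDOMAIN for \\PIPE\\NETLOGON (NT_STATUS_ACCESS_DENIED)
[2005/01/14 11:58:08, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
  could not open handle to NETLOGON pipe
[2005/01/14 11:58:08, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
  Checking the trust account password returned NT_STATUS_ACCESS_DENIED
"""

# Header line of a Samba debug entry: "[YYYY/MM/DD HH:MM:SS, level] file:func(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")
PIPE_RE = re.compile(r"\\PIPE\\(\w+)")


@dataclass
class Entry:
    timestamp: str
    level: int
    file: str
    func: str
    message: str


def parse_samba_log(text: str) -> List[Entry]:
    """Group header + continuation lines into Entry records."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                entries.append(current)
            current = Entry(m["ts"], int(m["level"]), m["file"], m["func"], "")
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    if current is not None:
        entries.append(current)
    return entries


def first_failure(entries: List[Entry]) -> Optional[Tuple[int, Entry, str]]:
    """Return (index, entry, status) of the first non-OK NT_STATUS, if any."""
    for i, e in enumerate(entries):
        s = STATUS_RE.search(e.message)
        if s and s.group(0) != "NT_STATUS_OK":
            return i, e, s.group(0)
    return None


def classify_stage(e: Entry) -> str:
    """Coarse stage label (constructed names) from function and message."""
    msg = e.message.lower()
    if "tcon" in msg:
        return "tree_connect"
    if "session_setup" in e.func:
        return "session_setup"
    if "pipe" in msg:
        return "pipe_open"
    return "other"


def diagnose(text: str) -> Dict[str, object]:
    entries = parse_samba_log(text)
    fail = first_failure(entries)
    if fail is None:
        return {"status": None, "func": None, "stage": None,
                "kerberos_session_setup_attempted": False, "pipes": []}
    idx, entry, status = fail
    # Was the Kerberos session setup logged before the failing entry?
    krb_attempted = any(x.func == "cli_session_setup_kerberos" for x in entries[:idx])
    # Every named pipe mentioned anywhere in the excerpt, in order of first appearance.
    pipes: List[str] = []
    for x in entries:
        for p in PIPE_RE.findall(x.message):
            if p not in pipes:
                pipes.append(p)
    return {"status": status, "func": entry.func, "stage": classify_stage(entry),
            "kerberos_session_setup_attempted": krb_attempted, "pipes": pipes}


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The point of separating the stages is that an ACCESS_DENIED on tcon_X after a Kerberos session setup that was at least attempted narrows the problem to the machine account's access to IPC$ and the NETLOGON pipe on the domain controller, rather than to ticket acquisition; the same parser can be pointed at a full log.winbindd to find the first failing entry in a longer trace.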