[Samba] Windows 2003 Active Directory - Cannot authenticate
James Gardiner
james at groovytrain.com
Tue Mar 1 12:09:36 GMT 2005
I've been checking the authentication with "wbinfo -a
<username>%<password>", which is failing with the following error:
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user <username>%<password> with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user <username> with challenge/response
Strangely, "wbinfo -g" and "wbinfo -u" seem to work, as mentioned in my
previous post.
Logging winbindd, at level 10, during this process, shows the following
(apologies for length):
[2005/02/28 13:24:27, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 19
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn INTERFACE_VERSION
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[14536]: request interface version
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[14536]: request location of privileged pipe
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(569)
client_write: need to write 35 extra data bytes.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 35 bytes.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(558)
client_write: client_write: complete response written.
[2005/02/28 13:24:27, 6] nsswitch/winbindd.c:new_connection(356)
accepted socket 20
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2005/02/28 13:24:27, 5]
nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 19, pid 14536: EOF
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn PAM_AUTH
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
[14536]: pam auth <username>
[2005/02/28 13:24:27, 8] lib/util.c:is_myname(1810)
is_myname("EASTLONDON") returns 1
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth(259)
Authentication for domain EASTLONDON (local domain to this server)
not supported at this stage
[2005/02/28 13:24:27, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user <username> returned
NT_STATUS_NO_SUCH_USER (PAM: 10)
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn INFO
[2005/02/28 13:24:27, 3] nsswitch/winbindd_misc.c:winbindd_info(248)
[14536]: request misc info
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn DOMAIN_NAME
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_misc.c:winbindd_domain_name(273)
[14536]: request domain name
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 1824 bytes. Need 0 more for a full request.
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:process_request(321)
process_request: request fn AUTH_CRAP
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(465)
[14536]: pam auth crap domain: OFFICE user: <username>
[2005/02/28 13:24:27, 8] lib/util.c:is_myname(1810)
is_myname("OFFICE") returns 0
[2005/02/28 13:24:27, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2005/02/28 13:24:27, 10]
libsmb/conncache.c:check_negative_conn_cache(72)
check_negative_conn_cache: cache entry expired for OFFICE, CIRCLE
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
IPC$ connections done anonymously
[2005/02/28 13:24:27, 10] passdb/secrets.c:secrets_named_mutex(702)
secrets_named_mutex: got mutex for CIRCLE
[2005/02/28 13:24:27, 6] lib/util_sock.c:write_socket(449)
write_socket(19,183)
[2005/02/28 13:24:27, 6] lib/util_sock.c:write_socket(452)
write_socket(19,183) wrote 183
[2005/02/28 13:24:27, 10]
lib/util_sock.c:read_smb_length_return_keepalive(505)
got smb length of 187
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(464)
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(474)
size=187
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=14522
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]=12815 (0x320F)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 65 (0x41)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 499 (0x1F3)
smb_vwv[11]=52864 (0xCE80)
smb_vwv[12]=39786 (0x9B6A)
smb_vwv[13]=39091 (0x98B3)
smb_vwv[14]=50461 (0xC51D)
smb_vwv[15]= 1 (0x1)
smb_vwv[16]= 0 (0x0)
smb_bcc=118
[2005/02/28 13:24:27, 10] lib/util.c:dump_data(1990)
[000] D2 6C 43 23 3F 9B 94 44 91 55 27 5C 13 74 38 0F .lC#?..D
.U'\.t8.
[010] 60 64 06 06 2B 06 01 05 05 02 A0 5A 30 58 A0 30 `d..+...
...Z0X.0
[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H.
.......*
[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H......
..*.H...
[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+.
....7...
[050] A3 24 30 22 A0 20 1B 1E 63 69 72 63 6C 65 24 40 .$0". ..
circle$@
[060] 4F 46 46 49 43 45 2E 47 52 4F 4F 56 59 54 52 41 OFFICE.G
ROOVYTRA
[070] 49 4E 2E 43 4F 4D IN.COM
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(464)
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(474)
size=187
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=14522
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]= 8 (0x8)
smb_vwv[ 1]=12815 (0x320F)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 65 (0x41)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]= 0 (0x0)
smb_vwv[ 8]= 0 (0x0)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]= 499 (0x1F3)
smb_vwv[11]=52864 (0xCE80)
smb_vwv[12]=39786 (0x9B6A)
smb_vwv[13]=39091 (0x98B3)
smb_vwv[14]=50461 (0xC51D)
smb_vwv[15]= 1 (0x1)
smb_vwv[16]= 0 (0x0)
smb_bcc=118
[2005/02/28 13:24:27, 10] lib/util.c:dump_data(1990)
[000] D2 6C 43 23 3F 9B 94 44 91 55 27 5C 13 74 38 0F .lC#?..D
.U'\.t8.
[010] 60 64 06 06 2B 06 01 05 05 02 A0 5A 30 58 A0 30 `d..+...
...Z0X.0
[020] 30 2E 06 09 2A 86 48 82 F7 12 01 02 02 06 09 2A 0...*.H.
.......*
[030] 86 48 86 F7 12 01 02 02 06 0A 2A 86 48 86 F7 12 .H......
..*.H...
[040] 01 02 02 03 06 0A 2B 06 01 04 01 82 37 02 02 0A ......+.
....7...
[050] A3 24 30 22 A0 20 1B 1E 63 69 72 63 6C 65 24 40 .$0". ..
circle$@
[060] 4F 46 46 49 43 45 2E 47 52 4F 4F 56 59 54 52 41 OFFICE.G
ROOVYTRA
[070] 49 4E 2E 43 4F 4D IN.COM
[2005/02/28 13:24:27, 5]
nsswitch/winbindd_cm.c:cm_prepare_connection(305)
connecting to CIRCLE from EASTLONDON with kerberos principal
[EASTLONDON$@OFFICE.GROOVYTRAIN.COM]
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(708)
Doing spnego session setup (blob length=118)
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 48018 1 2 2
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 2 840 113554 1 2 2 3
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(733)
got OID=1 3 6 1 4 1 311 2 2 10
[2005/02/28 13:24:27, 3]
libsmb/cliconnect.c:cli_session_setup_spnego(740)
got principal=circle$@OFFICE.GROOVYTRAIN.COM
[2005/02/28 13:24:27, 2]
libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2005/02/28 13:24:27, 3]
libsmb/clikrb5.c:ads_cleanup_expired_creds(318)
Ticket in ccache[MEMORY:cliconnect] expiration Mon, 28 Feb 2005
23:23:33 GMT
[2005/02/28 13:24:27, 10] libsmb/clikrb5.c:ads_krb5_mk_req(408)
ads_krb5_mk_req: Ticket (circle$@OFFICE.GROOVYTRAIN.COM) in ccache
(MEMORY:cliconnect) is valid until: (Mon, 28 Feb 2005 23:23:33 GMT -
1109633013)
[2005/02/28 13:24:27, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(509)
Got KRB5 session key of length 8
[2005/02/28 13:24:27, 5]
libsmb/smb_signing.c:set_smb_signing_real_common(128)
Mandatory SMB signing enabled!
[2005/02/28 13:24:27, 5]
libsmb/smb_signing.c:set_smb_signing_real_common(132)
SMB signing enabled!
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:cli_simple_set_signing(471)
cli_simple_set_signing: user_session_key
[2005/02/28 13:24:27, 10] lib/util.c:dump_data(1990)
[000] A7 13 04 B5 B0 92 49 5D ......I]
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:cli_simple_set_signing(479)
cli_simple_set_signing: NULL response_data
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 0
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:client_sign_outgoing_message(334)
client_sign_outgoing_message: sent SMB signature of
[2005/02/28 13:24:27, 10] lib/util.c:dump_data(1990)
[000] 82 0D ED F9 F7 85 A4 E6 ........
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:store_sequence_for_reply(74)
store_sequence_for_reply: stored seq = 1 mid = 2
[2005/02/28 13:24:27, 6] lib/util_sock.c:write_socket(449)
write_socket(19,1268)
[2005/02/28 13:24:27, 6] lib/util_sock.c:write_socket(452)
write_socket(19,1268) wrote 1268
[2005/02/28 13:24:27, 10]
lib/util_sock.c:read_smb_length_return_keepalive(505)
got smb length of 167
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(464)
[2005/02/28 13:24:27, 5] lib/util.c:show_msg(474)
size=167
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=14522
smb_uid=40961
smb_mid=2
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 167 (0xA7)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 26 (0x1A)
smb_bcc=124
[2005/02/28 13:24:27, 10] lib/util.c:dump_data(1990)
[000] A1 18 30 16 A0 03 0A 01 00 A1 0B 06 09 2A 86 48 ..0.....
.....*.H
[010] 82 F7 12 01 02 02 A2 02 04 00 D2 57 00 69 00 6E ........
...W.i.n
[020] 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 00 72 .d.o.w.s .
.S.e.r
[030] 00 76 00 65 00 72 00 20 00 32 00 30 00 30 00 33 .v.e.r.
.2.0.0.3
[040] 00 20 00 33 00 37 00 39 00 30 00 00 00 57 00 69 . .3.7.9
.0...W.i
[050] 00 6E 00 64 00 6F 00 77 00 73 00 20 00 53 00 65 .n.d.o.w
.s. .S.e
[060] 00 72 00 76 00 65 00 72 00 20 00 32 00 30 00 30 .r.v.e.r .
.2.0.0
[070] 00 33 00 20 00 35 00 2E 00 32 00 00 .3. .5..
.2..
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:get_sequence_for_reply(87)
get_sequence_for_reply: found seq = 1 mid = 2
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 1
[2005/02/28 13:24:27, 5]
libsmb/smb_signing.c:client_check_incoming_message(389)
client_check_incoming_message: BAD SIG: wanted SMB signature of
[2005/02/28 13:24:27, 5] lib/util.c:dump_data(1990)
[000] 83 B2 DD B5 D5 07 6D A7 ......m.
[2005/02/28 13:24:27, 5]
libsmb/smb_signing.c:client_check_incoming_message(392)
client_check_incoming_message: BAD SIG: got SMB signature of
[2005/02/28 13:24:27, 5] lib/util.c:dump_data(1990)
[000] 54 93 FD E6 5B B7 3A E9 T...[.:.
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 4294967292
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 4294967293
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 4294967294
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 4294967295
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 0
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 1
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 2
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 3
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 4
[2005/02/28 13:24:27, 10]
libsmb/smb_signing.c:simple_packet_signature(267)
simple_packet_signature: sequence number 5
[2005/02/28 13:24:27, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/02/28 13:24:27, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
[2005/02/28 13:24:27, 4]
nsswitch/winbindd_cm.c:cm_prepare_connection(314)
failed kerberos session setup with Undetermined error
[2005/02/28 13:24:27, 10]
passdb/secrets.c:secrets_named_mutex_release(714)
secrets_named_mutex: released mutex for CIRCLE
[2005/02/28 13:24:27, 10]
libsmb/conncache.c:add_failed_connection_entry(131)
add_failed_connection_entry: added domain OFFICE (CIRCLE) to
failed conn cache
[2005/02/28 13:24:27, 10]
libsmb/conncache.c:check_negative_conn_cache(83)
check_negative_conn_cache: returning negative entry for OFFICE,
CIRCLE
[2005/02/28 13:24:27, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2005/02/28 13:24:27, 10]
libsmb/namequery.c:internal_resolve_name(1028)
internal_resolve_name: looking up circle.office.groovytrain.com#20
[2005/02/28 13:24:27, 10] lib/gencache.c:gencache_get(263)
Returning valid cache entry: key =
NBT/CIRCLE.OFFICE.GROOVYTRAIN.COM#20, value = xxx.xxx.xxx.195:0, timeout =
Mon Feb 28 13:31:18 2005
[2005/02/28 13:24:27, 5] libsmb/namecache.c:namecache_fetch(201)
name circle.office.groovytrain.com#20 found.
[2005/02/28 13:24:27, 10] libsmb/namequery.c:name_status_find(188)
name_status_find: looking up OFFICE#1c at xxx.xxx.xxx.195
[2005/02/28 13:24:27, 10] lib/gencache.c:gencache_get(285)
Cache entry with key = NBT/OFFICE#1C.20.xxx.xxx.xxx.195 couldn't
be found
[2005/02/28 13:24:27, 5]
libsmb/namecache.c:namecache_status_fetch(308)
namecache_status_fetch: no entry for
NBT/OFFICE#1C.20.xxx.xxx.xxx.195 found.
[2005/02/28 13:24:27, 10] lib/gencache.c:gencache_del(214)
Deleting cache entry (key = NBT/OFFICE#1C.20.xxx.xxx.xxx.195)
[2005/02/28 13:24:27, 10] lib/util_sock.c:open_socket_in(717)
bind succeeded on port 0
[2005/02/28 13:24:27, 5] libsmb/nmblib.c:send_udp(776)
Sending a packet of len 50 to (xxx.xxx.xxx.195) on port 137
[2005/02/28 13:24:27, 10] lib/util_sock.c:read_udp_socket(230)
read_udp_socket: lastip xxx.xxx.xxx.195 lastport 137 read: 301
[2005/02/28 13:24:27, 10] libsmb/nmblib.c:parse_nmb(503)
parse_nmb: packet id = 22087
[2005/02/28 13:24:27, 5] libsmb/nmblib.c:read_packet(754)
Received a packet of len 301 from (xxx.xxx.xxx.195) port 137
[2005/02/28 13:24:27, 4] libsmb/nmblib.c:debug_nmb_packet(109)
nmb packet from xxx.xxx.xxx.195(137) header: id=22087
opcode=Query(0) response=Yes
header: flags: bcast=No rec_avail=No rec_des=No trunc=No
auth=Yes
header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
answers: nmb_name=OFFICE<1c> rr_type=33 rr_class=1 ttl=0
answers 0 char .CIRCLE hex
08434952434C45202020202020202020
answers 10 char ...OFFICE hex
0004004F464649434520202020202020
answers 20 char ...OFFICE hex
20200084004F46464943452020202020
answers 30 char ...CIRCLE hex
202020201C8400434952434C45202020
answers 40 char ..OFFICE hex
2020202020202004004F464649434520
answers 50 char ...OFFIC hex
20202020202020201B04004F46464943
answers 60 char E ...OFF hex
452020202020202020201E84004F4646
answers 70 char ICE .... hex
4943452020202020202020201D040001
answers 80 char .__MSBROWSE__... hex
025F5F4D5342524F5753455F5F020184
answers 90 char .....h.......... hex
0000B0D0F0680E000000000000000000
answers a0 char ................ hex
00000000000000000000000000000000
answers b0 char ............... hex
000000000000000000000000000000
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
CIRCLE#00: flags = 0x04
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
OFFICE#00: flags = 0x84
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
OFFICE#1c: flags = 0x84
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
CIRCLE#20: flags = 0x04
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
OFFICE#1b: flags = 0x04
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
OFFICE#1e: flags = 0x84
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
OFFICE#1d: flags = 0x04
[2005/02/28 13:24:27, 10] libsmb/namequery.c:parse_node_status(70)
__MSBROWSE__#01: flags = 0x84
[2005/02/28 13:24:27, 10] libsmb/namequery.c:name_status_find(227)
name_status_find: name found, name CIRCLE ip address is
xxx.xxx.xxx.195
[2005/02/28 13:24:27, 10]
libsmb/conncache.c:check_negative_conn_cache(83)
check_negative_conn_cache: returning negative entry for OFFICE,
CIRCLE
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_cm.c:new_cm_connection(755)
Could not open a connection to OFFICE for \PIPE\NETLOGON
(NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/02/28 13:24:27, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(526)
could not open handle to NETLOGON pipe (error:
NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
[2005/02/28 13:24:27, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(642)
NTLM CRAP authentication for user [OFFICE]\[<username>] returned
NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2005/02/28 13:24:27, 10] nsswitch/winbindd.c:client_write(524)
client_write: wrote 1300 bytes.
[2005/02/28 13:24:27, 10]
nsswitch/winbindd.c:winbind_client_read(470)
client_read: read 0 bytes. Need 1824 more for a full request.
[2005/02/28 13:24:27, 5]
nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 20, pid 14536: EOF
[root at eastlondon samba]#
Maybe this will shed some light on the problem? Any ideas?
James
-----Original Message-----
From: James Gardiner
Sent: 25 February 2005 12:39
To: 'samba at lists.samba.org'
Subject: [Samba] Windows 2003 Active Directory - Cannot access Samba shares
Hello,
I've spent the last couple of days following the HOW-TO's on how to make a
Linux server running Samba part of a Windows 2003 Active Directory, and a
lot of supplemental research from these groups and elsewhere, but now I'm
totally stuck and I can't seem to find the answer anywhere.
Basically, most of the configuration seems to be working:
- The Linux box is showing up in "Active Directory Users and Computers".
- "getent group" and "getent passwd" also show the Active Directory groups
and users.
- "kinit" appears to run OK, it asks for the password of the specified user
and then finishes with no further messages or errors displayed.
- "klist" shows the following:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <username removed>@OFFICE.GROOVYTRAIN.COM
Valid starting Expires Service principal
02/22/05 20:21:42 02/23/05 06:21:27
kbtgt/OFFICE.GROOVYTRAIN.COM at OFFICE.GROOVYTRAIN.COM
- "net ads join" runs successfully:
[2005/02/23 11:43:54, 0] libads/ldap.c:ads_add_machine_acct(1405)
ads_add_machine_acct: Host account for eastlondon already exists -
modifying old account
Using short domain name -- OFFICE
Joined 'EASTLONDON' to realm 'OFFICE.GROOVYTRAIN.COM'
- "wbinfo -g" returns the list of Active Directory groups.
- "wbinfo -u" returns the list of Active Directory users.
- I can use "smbclient -k" to connect to shares on the Windows machines
without requiring a username and password.
However, I can't access the Samba shares from the Windows machines (both
Windows 2000 and Windows 2003).
Using "c:\>net use W: \\eastlondon\www" produces the following output:
The password or user name is invalid for \\eastlondon\www.
Enter the user name for 'eastlondon': jamesg at office.groovytrain.com
Enter the password for eastlondon:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
And creates the following entries in "log.smbd":
[2005/02/23 11:50:39, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
Username OFFICE+<username removed> is invalid on this system
And in "log.winbindd":
[2005/02/23 12:00:32, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
user '<username removed>' does not exist
Using "c:\>net use W: \\<ip address removed>\www" produces the following
output:
Enter the user name for '<ip address removed>': jamesg
Enter the password for <ip address removed>:
System error 1311 has occurred.
There are currently no logon servers available to service the logon
request.
It creates nothing in "log.smbd", but creates the following entries in
"log.winbindd":
[2005/02/23 12:12:00, 0] libsmb/smb_signing.c:signing_good(240)
signing_good: BAD SIG: seq 1
[2005/02/23 12:12:00, 0] libsmb/clientgen.c:cli_receive_smb(121)
SMB Signature verification failed on incoming packet!
The following error is generated in the System Log on the Active Directory
controller:
While processing a TGS request for the target server
host/eastlondon.groovytrain.com, the account
EASTLONDON$@OFFICE.GROOVYTRAIN.COM did not have a suitable key for
generating a Kerberos ticket (the missing key has an ID of 8). The
requested etypes were 16. The accounts available etypes were 3 1.
I'm using Samba 3.0.11 and MIT Kerberos 1.2.7 on Redhat 9.
My krb5.conf is as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = OFFICE.GROOVYTRAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
[realms]
OFFICE.GROOVYTRAIN.COM = {
kdc = circle.office.groovytrain.com
admin_server = circle.office.groovytrain.com
default_domain = office.groovytrain.com
}
[domain_realm]
.office.groovytrain.com = OFFICE.GROOVYTRAIN.COM
office.groovytrain.com = OFFICE.GROOVYTRAIN.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
My smb.conf is as follows:
[global]
workgroup = OFFICE
netbios name = EASTLONDON
realm = OFFICE.GROOVYTRAIN.COM
security = ADS
password server = circle
winbind separator = +
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%D/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
client use spnego = yes
[www]
path = /usr/local/www
comment = Web content
valid users = "OFFICE\Domain Users"
If anyone can shed any light on what might be the problem, I'd be most
grateful. If you'd require any further information about my setup, please
let me know.
Many thanks,
James
More information about the samba
mailing list