[Samba] Trying to get ADS authentication working.

Theodore Jencks tjencks at navis.com
Tue Mar 8 20:34:04 GMT 2005


I have been trying in vain to get ADS domain authentication working.  I
can't figure out what is wrong and have read the docs and looked through
the mailing lists.  I'm not sure why better documentation hasn't been
written on the web site for the ADS feature, since it's pretty
spectacular to be able to join a Samba server natively to an AD domain.

I have successfully joined the samba server to the win 2k3 domain with
these commands:

kinit adminName@HQ.NAVIS.NET
net ads join "HQ Servers"

This seems to work just fine but when I run "wbinfo -t" I get:
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret

I have set the winbind to debug level 10 and when starting winbind I get
this in the logs:

[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_fetch(201)
  name hqdc01.hq.navis.net#20 found.
[2005/03/08 12:13:33, 10] libsmb/namequery.c:name_status_find(188)
  name_status_find: looking up HQ#1c at 192.168.192.60
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = NBT/HQ#1C.20.192.168.192.60 couldn't be found
[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_status_fetch(308)
  namecache_status_fetch: no entry for NBT/HQ#1C.20.192.168.192.60 found.
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_del(214)
  Deleting cache entry (key = NBT/HQ#1C.20.192.168.192.60)
[2005/03/08 12:13:33, 10] lib/util_sock.c:open_socket_in(717)
  bind succeeded on port 0
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:send_udp(776)
  Sending a packet of len 50 to (192.168.192.60) on port 137
[2005/03/08 12:13:33, 10] lib/util_sock.c:read_udp_socket(230)
  read_udp_socket: lastip 192.168.192.60 lastport 137 read: 211
[2005/03/08 12:13:33, 10] libsmb/nmblib.c:parse_nmb(503)
  parse_nmb: packet id = 24973
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:read_packet(754)

Also of interest: when I run kinit username@realm, I then type my password
and the command appears to have worked; however, running klist tickets
produces:
klist: No credentials cache found (ticket cache FILE:tickets)


Please help, anyone that has any info on how I might begin diagnosing
this problem.


I have the following in my smb.conf file:

[global]
workgroup = HQ
server string = Samba 3.0.11 Test Server
security = ADS
encrypt passwords = yes
load printers = no
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
dns proxy = no

realm = HQ.NAVIS.NET
password server = hqdc01.hq.navis.net
winbind cache time = 10
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
client use spnego = yes

#============================ Share Definitions ==============================
# This one is useful for people to share files
[share]
   comment = this is a test share
   path = /test/share
   read only = no
   public = yes
   writable = yes
   printable = no
   browseable = yes
   valid users = @"Domain Users"


This is the contents of my krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HQ.NAVIS.NET
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
HQ.NAVIS.NET = {
  kdc = hqdc01.hq.navis.net:88
  admin_server = hqdc01.hq.navis.net:749
  default_domain = hq.navis.net
 }

[domain_realm]
 .hq.navis.net = HQ.NAVIS.NET
 hq.navis.net = HQ.NAVIS.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
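The winbindd excerpt in the post is a level-10 trace of a NetBIOS name-status lookup (UDP port 137) against the domain controller. When a join "works" but wbinfo -t reports NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, pulling the contacted hosts, ports and cache misses out of such a trace is the quickest way to confirm which paths winbindd actually tried and whether the firewall permits them. The following is an added example, not code from the post or from the Samba project: it parses the Samba debug-log record format (a "[timestamp, level] file:function(line)" header followed by an indented, possibly wrapped, message line) and summarises the records. The sample log is the post's excerpt embedded as a constructed string; the field and function names are the example's own.

```python
import re

# Constructed sample: the winbindd level-10 excerpt quoted in the post
# (one header line per record, message on the following indented line;
# the fourth record's message wrapped onto an unindented "found." line).
SAMPLE_LOG = """\
[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_fetch(201)
  name hqdc01.hq.navis.net#20 found.
[2005/03/08 12:13:33, 10] libsmb/namequery.c:name_status_find(188)
  name_status_find: looking up HQ#1c at 192.168.192.60
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = NBT/HQ#1C.20.192.168.192.60 couldn't be found
[2005/03/08 12:13:33, 5] libsmb/namecache.c:namecache_status_fetch(308)
  namecache_status_fetch: no entry for NBT/HQ#1C.20.192.168.192.60
found.
[2005/03/08 12:13:33, 10] lib/gencache.c:gencache_del(214)
  Deleting cache entry (key = NBT/HQ#1C.20.192.168.192.60)
[2005/03/08 12:13:33, 10] lib/util_sock.c:open_socket_in(717)
  bind succeeded on port 0
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:send_udp(776)
  Sending a packet of len 50 to (192.168.192.60) on port 137
[2005/03/08 12:13:33, 10] lib/util_sock.c:read_udp_socket(230)
  read_udp_socket: lastip 192.168.192.60 lastport 137 read: 211
[2005/03/08 12:13:33, 10] libsmb/nmblib.c:parse_nmb(503)
  parse_nmb: packet id = 24973
[2005/03/08 12:13:33, 5] libsmb/nmblib.c:read_packet(754)
"""

# Samba debug header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r'^\[(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] '
    r'(?P<file>[^:\s]+):(?P<func>\w+)\((?P<srcline>\d+)\)\s*$'
)
SEND_UDP_RE = re.compile(r'to \((?P<ip>[\d.]+)\) on port (?P<port>\d+)')
CACHE_MISS_RE = re.compile(r"key = (?P<key>\S+) couldn't be found")


def parse_samba_debug(text):
    """Group a Samba debug log into records: one header plus its message lines."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {
                "time": m.group("time"),
                "level": int(m.group("level")),
                "file": m.group("file"),
                "func": m.group("func"),
                "srcline": int(m.group("srcline")),
                "msg": "",
            }
            records.append(current)
        elif current is not None and raw.strip():
            # Message lines follow the header; a wrapped continuation (even one
            # without the usual indent) still belongs to the current record.
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records


def summarize(records):
    """Extract what a firewall/name-resolution review needs from the records."""
    udp_targets = set()
    cache_misses = []
    for r in records:
        if r["func"] == "send_udp":
            m = SEND_UDP_RE.search(r["msg"])
            if m:
                udp_targets.add((m.group("ip"), int(m.group("port"))))
        if r["func"] == "gencache_get":
            m = CACHE_MISS_RE.search(r["msg"])
            if m:
                cache_misses.append(m.group("key"))
    return {
        "records": len(records),
        "max_level": max((r["level"] for r in records), default=0),
        "udp_targets": sorted(udp_targets),
        "cache_misses": cache_misses,
        "name_lookups": [r["msg"] for r in records if r["func"] == "name_status_find"],
    }


if __name__ == "__main__":
    summary = summarize(parse_samba_debug(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the post's excerpt the summary shows a single UDP target, 192.168.192.60 port 137, one negative-cache miss for the HQ#1C (domain controllers) name, and that the DC did answer (read_udp_socket reports 211 bytes back from that host), which narrows the problem to what happens after the NetBIOS exchange rather than to reachability of the DC.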

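An added example, not from the post or from the Samba project: a small auditor that parses the two configuration files quoted above (krb5.conf with its one level of brace nesting, smb.conf as a flat INI) and reports the points a reviewer checks first. It flags single-DES and RC4/3DES Kerberos enctypes, which are deprecated (RFC 6649 and RFC 8429), checks that default_realm is upper-case and has a matching [realms] stanza, that security = ADS is set, and that smb.conf's realm and password server agree with krb5.conf's default_realm and kdc. The WEAK_ENCTYPES set, the function names and the abridged sample files are the example's own assumptions. On the post's settings it flags only the four DES enctype entries; everything else is consistent.

```python
# Enctypes deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}

# Constructed sample: the relevant parts of the krb5.conf quoted in the post.
KRB5_SAMPLE = """\
[libdefaults]
 ticket_lifetime = 24000
 default_realm = HQ.NAVIS.NET
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 dns_lookup_kdc = true

[realms]
HQ.NAVIS.NET = {
  kdc = hqdc01.hq.navis.net:88
  admin_server = hqdc01.hq.navis.net:749
  default_domain = hq.navis.net
 }

[appdefaults]
 pam = {
   forwardable = true
 }
"""

# Constructed sample: the [global] section of the smb.conf quoted in the post (abridged).
SMB_SAMPLE = """\
[global]
workgroup = HQ
security = ADS
realm = HQ.NAVIS.NET
password server = hqdc01.hq.navis.net
# share definitions
[share]
   valid users = @"Domain Users"
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value or {subkey: value}}}.
    Supports the 'name = { ... }' nesting used in [realms] and [appdefaults]."""
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = conf.setdefault(line[1:-1], {}), []
            continue
        if section is None:
            continue
        if line == "}":          # close the innermost brace group
            if stack:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else section
        if value == "{":         # open a nested group
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    return conf


def parse_smb_conf(text):
    """Parse smb.conf as a flat INI; keys are lower-cased and whitespace-normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        section[" ".join(key.lower().split())] = value.strip()
    return conf


def audit(krb5, smb):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    libdefaults = krb5.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enc in libdefaults.get(key, "").split():
            if enc.lower() in WEAK_ENCTYPES:
                findings.append(f"krb5 [libdefaults] {key}: deprecated enctype {enc}")
    realm = libdefaults.get("default_realm", "")
    if realm != realm.upper():
        findings.append(f"krb5 default_realm {realm!r} is not upper-case")
    realm_stanza = krb5.get("realms", {}).get(realm)
    if realm_stanza is None:
        findings.append(f"krb5 [realms] has no stanza for {realm!r}")
    g = smb.get("global", {})
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security is not ADS, so Kerberos will not be used")
    if g.get("realm", "") != realm:
        findings.append(f"smb.conf realm {g.get('realm')!r} != krb5 default_realm {realm!r}")
    kdc_host = (realm_stanza or {}).get("kdc", "").split(":")[0]
    if g.get("password server") and kdc_host and g["password server"] != kdc_host:
        findings.append(f"smb.conf password server {g['password server']!r} != krb5 kdc {kdc_host!r}")
    return findings


if __name__ == "__main__":
    for f in audit(parse_krb5_conf(KRB5_SAMPLE), parse_smb_conf(SMB_SAMPLE)):
        print(f)
```

The parsers are deliberately minimal (one nesting level, no include directives, no inline comments), which covers the two files quoted here; the checks are the consistency and weak-crypto questions a reviewer asks before looking at the join itself.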
