[Samba] Problems authentication against ADS on a W2K3 Server
Dave Rutlidge
dave at directdataservices.co.uk
Wed Mar 23 17:57:12 GMT 2005
I'm trying to get Samba set up to use ADS authentication against a
Windows 2003 Server running in native mode. I have successfully joined
the domain, and
kinit user at MYDOMAIN.DOM
works successfully. I can also use smbclient to connect to shares on
the local machine, so Samba is basically working. However, when I try
to connect from a Windows machine I get
[C:\]net use \\unx02\pub
The password or user name is invalid for \\unx02\pub.
Enter the user name for 'unx02': user
Enter the password for unx02:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
On Unix I get:
[2005/03/23 17:17:48, 1]
smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2005/03/23 17:17:48, 1]
smbd/sesssetup.c:reply_spnego_kerberos(250)
Username MYDOMAIN.DOM\user is invalid on this system
in 92.168.1.105.log, and
[2005/03/23 17:17:48, 0]
nmbd/nmbd_responserecordsdb.c:find_response_record(220)
find_response_record: response packet id 34265 received with no matching record.
[2005/03/23 17:17:48, 0]
nmbd/nmbd_responserecordsdb.c:find_response_record(220)
find_response_record: response packet id 34266 received with no matching record.
in nmbd.log.
I tried leaving & rejoining the AD domain but that didn't help - in fact
it may have made it worse as prior to that I didn't get the "Failed to
verify incoming ticket!" message, just "Username MYDOMAIN.DOM\user is
invalid on this system".
If I specify a different username - foo - which doesn't exist in the AD
domain I get
[2005/03/23 17:48:21, 1]
smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!
[2005/03/23 17:48:21, 0]
auth/auth_domain.c:domain_client_validate(199)
domain_client_validate: unable to validate password for user foo in domain MYDOM to Domain controller \\W2K3DC. Error was NT_STATUS_NO_SUCH_USER.
in xpclient.log so it is talking to the AD to some extent.
Interestingly and curiously, when I specify an invalid name the record
gets logged in the log file based on the machine name, but when I
specify a valid name it gets logged in the log file for the IP address.
Why?
My smb.conf file is:
[global]
workgroup = MYDOM
server string = unx02
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
idmap uid = 20000000-33554431
idmap gid = 20000000-33554431
template shell = /bin/false
password server = w2k3dc.mydomain.dom
realm = MYDOMAIN.DOM
security = ADS
winbind use default domain = no
[homes]
comment = Home Directories
browseable = no
writeable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
printable = yes
[pub]
path = /var/SAMBA/public
public = yes
only guest = yes
writable = yes
printable = no
browseable = yes
And my krb5.conf file is
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.DOM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
MYDOMAIN.DOM = {
kdc = w2k3dc.mydomain.dom
admin_server = w2k3dc.mydomain.dom
default_domain = mydomain.dom
}
[domain_realm]
.mydomain.dom = MYDOMAIN.DOM
mydomain.dom = MYDOMAIN.DOM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
I'm using Samba Version 3.0.10-1.4E on Centos-4, connecting to a Windows
2003 Server AD domain with all the current hotfixes & patches installed,
and I'm testing the connection from an XP Pro machine with SP2 and
subsequent patches.
Any help or pointers would really be appreciated.
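The smbd and nmbd output quoted above is in Samba 3's multi-line record format: a "[date time, level]" header line, a "file:function(line)" location line, then the message, which the mail client has wrapped. The following is an added example, not code from the post or from the Samba project: it parses that format back into records, tags each record with the debug message smbd or nmbd emitted, and groups records from all three log files by timestamp, so the two entries written to the IP-named log and the two nmbd entries at 17:17:48 show up as one session-setup burst, distinct from the 17:48:21 burst in xpclient.log. The sample log text is constructed from the lines in the post; the tag names and the "Error was NT_STATUS_..." pattern are this example's own choices.

```python
"""Parse Samba 3 log records and correlate the failures quoted in the post.

Added example; not Samba code.  The log excerpts below are constructed from
the post (whitespace restored), the tag names are this script's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Samba 3 record layout: header line, then location line, then message line(s).
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]\s*$")
LOCATION = re.compile(r"^\s*([\w./-]+):(\w+)\((\d+)\)\s*$")

# Debug strings seen in the thread, and a short tag for each.
SIGNATURES = [
    (re.compile(r"Failed to verify incoming ticket"), "krb5-ticket-unverifiable"),
    (re.compile(r"Username (?P<user>\S+) is invalid on this system"), "no-unix-account"),
    (re.compile(r"unable to validate password for user (?P<user>\S+) .*"
                r"Error was (?P<status>NT_STATUS_\w+)"), "dc-rejected-logon"),
    (re.compile(r"response packet id \d+ received with no matching record"),
     "nmbd-stray-response"),
]


@dataclass
class Record:
    source: str       # log file the record came from
    timestamp: str
    level: int
    location: str     # file:function(line)
    message: str
    tag: str = ""
    detail: str = ""


def classify(message):
    """Return (tag, detail) for a message; detail holds the captured groups."""
    for pattern, tag in SIGNATURES:
        m = pattern.search(message)
        if m:
            detail = " ".join(f"{k}={v}" for k, v in m.groupdict().items())
            return tag, detail
    return "unclassified", ""


def parse_samba_log(source, text):
    """Rebuild Record objects from wrapped Samba 3 log text."""
    records, header, current = [], None, None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:                       # new record starts; flush the previous one
            if current:
                records.append(current)
            header, current = (m.group(1), int(m.group(2))), None
            continue
        if header is not None:      # the line after a header is the location
            lm = LOCATION.match(raw)
            if lm:
                loc = f"{lm.group(1)}:{lm.group(2)}({lm.group(3)})"
                current = Record(source, header[0], header[1], loc, "")
                header = None
                continue
        if current is not None and raw.strip():   # message, possibly wrapped
            current.message = f"{current.message} {raw.strip()}".strip()
    if current:
        records.append(current)
    for r in records:
        r.tag, r.detail = classify(r.message)
    return records


def analyse(logs):
    """Parse every log and group the records by timestamp (one burst per client)."""
    bursts = defaultdict(list)
    for name, text in logs.items():
        for r in parse_samba_log(name, text):
            bursts[r.timestamp].append(r)
    return dict(sorted(bursts.items()))


# Constructed from the post: the valid-user attempt and the 'foo' attempt.
IP_LOG = r"""[2005/03/23 17:17:48, 1]
  smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/03/23 17:17:48, 1]
  smbd/sesssetup.c:reply_spnego_kerberos(250)
  Username MYDOMAIN.DOM\user is invalid on this system
"""
NMBD_LOG = r"""[2005/03/23 17:17:48, 0]
  nmbd/nmbd_responserecordsdb.c:find_response_record(220)
  find_response_record: response packet id 34265 received with
  no matching record.
[2005/03/23 17:17:48, 0]
  nmbd/nmbd_responserecordsdb.c:find_response_record(220)
  find_response_record: response packet id 34266 received with
  no matching record.
"""
XPCLIENT_LOG = r"""[2005/03/23 17:48:21, 1]
  smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2005/03/23 17:48:21, 0]
  auth/auth_domain.c:domain_client_validate(199)
  domain_client_validate: unable to validate password for user
  foo in domain MYDOM
  to Domain controller \\W2K3DC. Error was
  NT_STATUS_NO_SUCH_USER.
"""
SAMPLE_LOGS = {"92.168.1.105.log": IP_LOG, "nmbd.log": NMBD_LOG,
               "xpclient.log": XPCLIENT_LOG}

if __name__ == "__main__":
    for ts, recs in analyse(SAMPLE_LOGS).items():
        print(ts)
        for r in recs:
            print(f"  {r.source:18} {r.location:50} {r.tag} {r.detail}")
```

Run it as-is to see the two bursts; point it at real `%m.log` and `nmbd.log` files by replacing SAMPLE_LOGS with their contents. Because smbd writes the Kerberos verification failure before falling through to the username lookup, the tag order inside a burst ("krb5-ticket-unverifiable" then "no-unix-account") tells you which step to investigate first.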