[Samba] AD authentication almost but not quite

Foster, Mark Foster.M at portseattle.org
Wed May 11 17:43:30 GMT 2005


Client is a centos-3.4 box, Server (DC) is Windows 2K AD.
I'm able to see user and group accounts on the DC but not able to authenticate against it.
wbinfo -a does not rely on the PAM module, correct?

[root at linux04 root]# net ads testjoin
Join is OK

[root at linux04 root]# net ads info
LDAP server: 172.16.100.202
LDAP server name: p69ms101
Realm: PORTSEATTLE.ORG
Bind Path: dc=PORTSEATTLE,dc=ORG
LDAP port: 389
Server time: Wed, 11 May 2005 10:32:31 GMT
KDC server: 172.16.100.202
Server time offset: 0

[root at linux04 root]# getent passwd mf1
mf1:x:15975:10003:Foster, Mark:/users/home/mf1:/bin/bash

[root at linux04 root]# wbinfo -u | grep mf1
mf1

[root at linux04 root]# wbinfo -a mf1%therealpwd
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user mf1%therealpwd with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user mf1 with challenge/response

Packet trace with ethereal shows...
 91.572982 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=455514 TSER=0 WS=0
 91.573133 172.16.100.202 -> 172.16.100.94 TCP microsoft-ds > 1342 [SYN, ACK] Seq=0 Ack=1 Win=17520 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
 91.573177 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=455514 TSER=0
 91.592542 172.16.100.94 -> 172.16.100.202 SMB Negotiate Protocol Request
 91.593035 172.16.100.202 -> 172.16.100.94 SMB Negotiate Protocol Response
 91.593062 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] Seq=184 Ack=187 Win=5840 Len=0 TSV=455516 TSER=22298322
 91.595984 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
 91.598025 172.16.100.202 -> 172.16.100.94 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
 91.599655 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ
 91.602616 172.16.100.202 -> 172.16.100.94 KRB5 AS-REP
 91.605000 172.16.100.94 -> 172.16.100.202 KRB5 TGS-REQ
 91.608069 172.16.100.202 -> 172.16.100.94 KRB5 TGS-REP
 91.609311 172.16.100.94 -> 172.16.100.202 SMB Session Setup AndX Request
 91.611536 172.16.100.202 -> 172.16.100.94 SMB Session Setup AndX Response
 91.612501 172.16.100.94 -> 172.16.100.202 SMB Tree Connect AndX Request, Path: \\P69MS101\IPC$
 91.612875 172.16.100.202 -> 172.16.100.94 SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
 91.612992 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [FIN, ACK] Seq=1510 Ack=373 Win=5840 Len=0 TSV=455518 TSER=22298322
 91.613125 172.16.100.202 -> 172.16.100.94 TCP microsoft-ds > 1342 [FIN, ACK] Seq=373 Ack=1511 Win=17520 Len=0 TSV=22298322 TSER=455518
 91.613148 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] Seq=1511 Ack=374 Win=5840 Len=0 TSV=455518 TSER=22298322

[/etc/krb5.conf]
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = PORTSEATTLE.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 default_tgs_enctypes = des-cbc-crc

[realms]
 PORTSEATTLE.ORG = {
  kdc = p69ms101.portseattle.org:88
  #admin_server = p69ms101.portseattle.org:749
  default_domain = portseattle.org
  kpasswd_server = p69ms101.portseattle.org
 }

[domain_realm]
 .portseattle.org = PORTSEATTLE.ORG
 portseattle.org = PORTSEATTLE.ORG

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
 }

Mark D Foster -+- <foster.m at portseattle.org> 
Linux System Administrator -+- Port of Seattle  
206-728-3613 (desk) -+- 206-390-2612 (cell) 
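As an added example that is not part of Mark's post or of the Samba project: a small Python script that walks Ethereal/tshark one-line packet summaries of the kind shown above (the lines from the post are copied in as constructed sample input) and reports the first stage of the exchange that actually failed. It treats KRB5KDC_ERR_PREAUTH_REQUIRED as the normal pre-authentication round trip rather than an error, provided an AS-REP follows. Run against the trace in the post it shows the AS/TGS exchange and the SMB Session Setup completing and the first real error appearing at the IPC$ Tree Connect, i.e. after authentication has already succeeded. The stage names and the Diagnosis record are this example's own conventions.

```python
"""Find the first failing stage in an Ethereal/tshark summary of a
Samba -> AD authentication attempt (Kerberos + SMB).  Example code,
not from Samba; stage names are this script's own convention."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the summary lines from the post, minus the TCP
# handshake (one TCP line is kept to show that non-auth packets are skipped).
SAMPLE_TRACE = [
    r" 91.592542 172.16.100.94 -> 172.16.100.202 SMB Negotiate Protocol Request",
    r" 91.593035 172.16.100.202 -> 172.16.100.94 SMB Negotiate Protocol Response",
    r" 91.593062 172.16.100.94 -> 172.16.100.202 TCP 1342 > microsoft-ds [ACK] Seq=184 Ack=187",
    r" 91.595984 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ",
    r" 91.598025 172.16.100.202 -> 172.16.100.94 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED",
    r" 91.599655 172.16.100.94 -> 172.16.100.202 KRB5 AS-REQ",
    r" 91.602616 172.16.100.202 -> 172.16.100.94 KRB5 AS-REP",
    r" 91.605000 172.16.100.94 -> 172.16.100.202 KRB5 TGS-REQ",
    r" 91.608069 172.16.100.202 -> 172.16.100.94 KRB5 TGS-REP",
    r" 91.609311 172.16.100.94 -> 172.16.100.202 SMB Session Setup AndX Request",
    r" 91.611536 172.16.100.202 -> 172.16.100.94 SMB Session Setup AndX Response",
    r" 91.612501 172.16.100.94 -> 172.16.100.202 SMB Tree Connect AndX Request, Path: \\P69MS101\IPC$",
    r" 91.612875 172.16.100.202 -> 172.16.100.94 SMB Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED",
]

# "<time> <src> -> <dst> <proto> <info>" as printed by the summary view.
PKT = re.compile(r"^\s*(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
KRB_ERR = re.compile(r"KRB Error:\s*(\S+)")
SMB_ERR = re.compile(r"^(.+?) AndX Response, Error:\s*(\S+)")


@dataclass
class Diagnosis:
    stage: str                 # "kerberos", "smb_session_setup", "smb_tree_connect", or "ok"
    error: Optional[str]       # KRB error code or NT status string, None if no error seen
    ticket_obtained: bool      # both AS-REP and TGS-REP seen
    session_established: bool  # Session Setup AndX Response without an error


def diagnose(lines: Iterable[str]) -> Diagnosis:
    """Return the first real failure in the exchange, in wire order."""
    tgt = service_ticket = session = False
    preauth_pending = False
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue
        proto, info = m["proto"], m["info"].strip()
        if proto == "KRB5":
            if info == "AS-REP":
                tgt, preauth_pending = True, False
            elif info == "TGS-REP":
                service_ticket = True
            else:
                e = KRB_ERR.search(info)
                if e:
                    code = e.group(1)
                    if code == "KRB5KDC_ERR_PREAUTH_REQUIRED":
                        preauth_pending = True   # benign if the client retries with pre-auth
                    else:
                        return Diagnosis("kerberos", code, tgt and service_ticket, session)
        elif proto == "SMB":
            e = SMB_ERR.match(info)
            if e:
                cmd, status = e.groups()
                stage = "smb_" + cmd.lower().replace(" ", "_")
                return Diagnosis(stage, status, tgt and service_ticket, session)
            if info == "Session Setup AndX Response":
                session = True
    if preauth_pending and not tgt:
        # KDC asked for pre-auth and the client never got a TGT afterwards.
        return Diagnosis("kerberos", "KRB5KDC_ERR_PREAUTH_REQUIRED", False, session)
    return Diagnosis("ok", None, tgt and service_ticket, session)


def describe(d: Diagnosis) -> str:
    """One-line reading of a Diagnosis for a human."""
    if d.stage == "ok":
        return "no error in trace"
    if d.stage == "kerberos":
        return f"KDC rejected the request ({d.error}): a Kerberos problem, check realm, clock skew, enctypes and the account"
    if d.stage == "smb_session_setup":
        return f"DC refused the SMB session ({d.error}): the credentials were not accepted"
    return (f"Kerberos ticket={d.ticket_obtained}, SMB session={d.session_established}, "
            f"but {d.stage} failed with {d.error}: access denied after authentication succeeded")


if __name__ == "__main__":
    print(describe(diagnose(SAMPLE_TRACE)))
```

To use it on a live capture, feed it the summary output of tshark (or `tethereal` on a 2005-era box) line by line; anything that is not a KRB5 or SMB packet is ignored. The useful distinction it draws is between a Kerberos failure, a rejected session setup (bad credentials) and a rejected tree connect, which happens only after the server has already accepted the session.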
