[Samba] can't authenticate Samba -> AD trying to map to shares on samba server
Dale Schroeder
dale at BriannasSaladDressing.com
Wed Dec 27 19:11:38 GMT 2006
I recommend
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 and
http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1
as excellent references for ADS setup.
One thing that I do notice is, if "realm = XHOSPITALS.A.B", then
"workgroup = XHOSPITALS" is the proper syntax.
Good luck,
Dale
PAGE Kelley (RF4) BHR Hospital wrote:
> I have read through previous posts but still can't connect to samba shares - any help much appreciated.
>
> Running Samba 3.0.10-1 on Fedora Core 2. Don't know anything about AD as it's looked after by the big boys and they won't share their secrets with the linux team. I do know the server I need to authenticate with is acting as some sort of time server so I assume that is not an issue.
>
> wbinfo -u - produces users list
> wbinfo -g - produces user groups
> wbinfo -t - checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> SMB.conf
>
> workgroup = hospitals
> realm = XHOSPITALS.A.B
> hosts allow = 10.
> security = ADS
> password server = 10.x.y.z
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> wins server = 10.x.y.z
> netbios name = oncology
> smb ports = 139
>
> krb5.conf
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = XHOSPITALS.A.B
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> XHOSPITALS.A.B = {
> kdc = astolat.xhospitals.a.b:88
> admin_server = astolat.xhospitals.a.b:749
> default_domain = xhospitals.a.b
> }
>
> [domain_realm]
> .kerberos.server = XHOSPITALS.A.B
> .xhospitals.a.b = XHOSPITALS.A.B
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 604800
> forwardable = true
> krb4_convert = false
>
>
> winbindd error log
>
> [2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup_spnego(745)
> got principal=astolat$@XHOSPITALS.A.B
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
> Got challenge flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x62890215
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
> NTLMSSP: Set final flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2006/12/27 13:54:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60080215
> [2006/12/27 13:54:19, 3] libsmb/cliconnect.c:cli_session_setup(868)
> SPNEGO login failed: Logon failure
> [2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
> cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/12/27 13:54:19, 3] nsswitch/winbindd_cm.c:cm_open_connection(366)
> schannel refused - continuing without schannel (NT_STATUS_ACCESS_DENIED)
> [2006/12/27 13:54:19, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
> cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/12/27 13:54:19, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(68)
> could not open handle to NETLOGON pipe
> [2006/12/27 13:54:19, 2] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(98)
> Checking the trust account password returned NT_STATUS_ACCESS_DENIED
>
> Anyone had a similar problem? How did you sort it? Any tips greatly appreciated.
>
> Thanks.
>
> Kelley
>
>
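The workgroup/realm rule from the reply above, as an added example (not code from either poster or from the Samba project): a small checker run over the settings quoted in the message. The function names are hypothetical, and the check assumes the AD short domain name is the first label of the realm, which is the usual case but can be set differently by the AD administrators.

```python
import re

# Constructed sample input: the relevant settings quoted in the message above.
SMB_CONF = """\
workgroup = hospitals
realm = XHOSPITALS.A.B
security = ADS
"""
KRB5_CONF = """\
[libdefaults]
default_realm = XHOSPITALS.A.B
[realms]
XHOSPITALS.A.B = {
kdc = astolat.xhospitals.a.b:88
}
"""

def parse_settings(text):
    """Return {key: value} for 'key = value' lines, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, section headers and lines without '='.
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return settings

def check_ads_config(smb_text, krb5_text):
    """Return a list of findings; an empty list means every check passed."""
    smb, krb = parse_settings(smb_text), parse_settings(krb5_text)
    findings = []
    realm, workgroup = smb.get("realm", ""), smb.get("workgroup", "")
    if smb.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    if not realm:
        return findings + ["realm is not set"]
    # Assumption (see lead-in): short domain name = first label of the realm.
    expected = realm.split(".")[0]
    if workgroup.upper() != expected.upper():
        findings.append(f"workgroup = {workgroup} does not match realm "
                        f"{realm}; expected {expected}")
    # Kerberos realm names are case-sensitive, so compare exactly.
    if krb.get("default_realm", "") != realm:
        findings.append("krb5.conf default_realm differs from smb.conf realm")
    # A '[realms]' entry 'REALM = {' parses as key=realm (lower-cased), value='{'.
    if krb.get(realm.lower()) != "{":
        findings.append(f"krb5.conf has no [realms] entry for {realm}")
    return findings

if __name__ == "__main__":
    for finding in check_ads_config(SMB_CONF, KRB5_CONF):
        print("FINDING:", finding)
```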