[Samba] W2000 AD - Samba-3.0.23d authorization problem

Dmitry Panoff panovdu at land.ru
Fri Nov 17 20:07:38 GMT 2006


Greetings, All

There's a simple AD running on Win2000 (realm - 0905.DN.STA, workgroup - SGNI)
and samba-3.0.23d installed on FreeBSD-5.3 with
ADS/LDAP/WINBIND/PAM/SYSLOG/QUOTAS/ACL. heimdal-0.6.3 is also installed.
I need to join Samba to the domain as an AD member (with Kerberos auth).
Let's start with the config files:
/etc/krb5.conf
===
[libdefaults]
default_realm = 0905.DN.STA
dns_lookup_realm = false
dns_lookup_kdc = false
krb4_get_tickets = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5

[appdefaults]
proxiable = true
ticket_lifetime = 24h
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

[realms]
0905.DN.STA = {
kdc = zeon.0905.dn.sta
admin_server = zeon.0905.dn.sta
default_domain = 0905.dn.sta
}

[domain_realm]
.0905.dn.sta = 0905.DN.STA
0905.dn.sta = 0905.DN.STA

[kdc]
enable-kerberos4 = false

[logging]
default = FILE:/var/log/kerberos/krb5libs.log
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmind.log
===

smb.conf
===
[global]
	dos charset = 866
	unix charset = KOI8-U
	workgroup = SGNI
	realm = 0905.DN.STA
	server string = Test
	interfaces = 10.5.9.0/24
	security = ADS
	encrypt passwords = Yes
	auth methods = winbind
	allow trusted domains = No
	obey pam restrictions = Yes
	password server = *
	private dir = /etc/samba
	passdb backend = tdbsam:/etc/samba/passdb.tdb
	unix password sync = Yes
	client plaintext auth = No
	log level = 10
	log file = /var/log/samba/samba.log
	max log size = 0
	client signing = Yes
	server signing = Yes
	deadtime = 360
	fam change notify = No
	paranoid server security = No
	max open files = 100000
	load printers = No
	show add printer wizard = No
	os level = 8
	preferred master = Yes
	ldap ssl = no
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind refresh tickets = Yes
	hosts allow = 10.5.9.
	map acl inherit = Yes
	case sensitive = No
	hide unreadable = Yes

[pub]
	comment = For sysadmins
	path = /pub
	guest ok = Yes
===

nsswitch.conf
===
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers: db files
netmasks: files
networks: files dns
protocols: db files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus
===
The server and Samba addresses are present in hosts and lmhosts.

Everything seems to be good: 'kinit srvadmin@0905.DN.STA' (srvadmin is a domain
admin) receives a ticket, klist shows the tickets, 'net ads join' joins the domain
(the computer account appears in AD), 'wbinfo -ug' shows domain users and groups,
'wbinfo -tp' is also OK; only 'id any_domain_user' gives an error.
When I try to access the computer from a Windows client, it shows a
login/password prompt. Entering ANY user (domain or local on Samba) is
rejected. These lines appear in the log:
===
 Finding user SGNI\srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is sgni\srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is SGNI\srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is SGNI\SRVADMIN
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in sgni\srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [SGNI\srvadmin]!
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is SRVADMIN
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in srvadmin
[2006/11/17 11:29:23, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [srvadmin]!
[2006/11/17 11:29:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(310)
  Username SGNI\srvadmin is invalid on this system
[2006/11/17 11:29:23, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
===
The user can't be found. So the first question is: why can't the user be found?
What's wrong?
The second question is: do I have to edit the PAM module 'login'? In the Samba-HOWTO I
read that if 'encrypt passwords = Yes' then Samba (smbd) doesn't need PAM
modules for authentication. Is that correct, or have I misunderstood something?

Great thanks for quick help :)

===
Network administrator
Donetsk, Ukraine.
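A diagnostic for the symptom described in this post, added here as an example and not part of the original message: it separates the winbindd path that 'wbinfo' exercises from the NSS path that smbd's getpwnam() uses, which is the step that fails in the log above. It assumes POSIX sh with awk and getent available, treats wbinfo as optional, and the script name wbcheck.sh is made up.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). smbd resolves the account
# behind a Kerberos principal with getpwnam(), i.e. through NSS, while
# 'wbinfo' talks to winbindd directly. When wbinfo answers but getpwnam()
# does not, the NSS hookup (nsswitch.conf / nss_winbind) is the layer to
# inspect. Assumes POSIX sh, awk and getent; wbinfo is optional.

NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}

# nss_lists_winbind <db> [file]: prints "yes" if the <db> line (passwd,
# group, ...) in nsswitch.conf names winbind as a source, else "no".
nss_lists_winbind() {
    db=$1
    file=${2:-$NSSWITCH}
    if awk -v db="$db" '
        { key = $1; sub(/:$/, "", key) }
        key == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$file" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# resolve_user <name>: reports which layer answers for <name> and returns
# 0 only if NSS (the path smbd uses) can resolve it.
resolve_user() {
    user=$1
    if command -v wbinfo >/dev/null 2>&1; then
        if wbinfo -i "$user" >/dev/null 2>&1; then
            echo "winbindd: knows $user (wbinfo -i)"
        else
            echo "winbindd: does not know $user (wbinfo -i)"
        fi
    else
        echo "winbindd: wbinfo not installed here, skipping"
    fi
    echo "nsswitch: passwd via winbind = $(nss_lists_winbind passwd)"
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "nss: getpwnam($user) succeeds"
        return 0
    fi
    echo "nss: getpwnam($user) fails; smbd would log 'invalid on this system'"
    return 1
}

# Usage: sh wbcheck.sh 'SGNI\srvadmin'  (or plain 'srvadmin' when
# 'winbind use default domain = Yes' strips the domain prefix)
if [ $# -gt 0 ]; then
    resolve_user "$1"
fi
```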

