[Samba] Domain Account Lock

EMOTO Masahiko emo at nifs.ac.jp
Mon Feb 5 23:43:04 GMT 2007


When a certain user tries to access a shared folder provided by Samba,
his account is always locked. I can't figure out where the problem is.
Please help.

--Masahiko

Detail:
We're using Active Directory on Windows 2000 Servers and use it
for Samba's authentication.
When a certain domain user, say, MYDOMAIN\user1, tries to access
the remote resource \\LINUX1\user1 on a Linux server from his
Windows XP PC (PC1), a pop-up window shows up and he types
his account and password, but he always fails to access it due to
the account lock.

His account was not locked when he tried to access the remote resource,
but now his account is locked. I'm sure his account and password are
correct.

I looked for the logs stored in /var/log/samba, but I can't find any
access log from PC1.

However,
1) MYDOMAIN\user1 can access PC1 using ssh or ftp
2) MYDOMAIN\user1 can access shared folders such as \\PC2\shared on
Windows Servers (PC2)
3) MYDOMAIN\user1 can access \\LINUX1\user1 from another PC (PC3)
4) Another user, MYDOMAIN\user2, can use remote resources from PC1.

In short, it causes a problem only when MYDOMAIN\user1 tries to access
the remote resources provided by Samba from PC1.

Environment:

DC1, DC2 : Windows 2000 Server
Linux1 : Fedora Core 4 (x86_64) + kernel 2.6.17 + samba 3.0.22c
PC2 : Windows 2000 Server
PC1, PC3 : Windows XP SP2

=====================
smb.conf
=====================
[global]

netbios name = LINUX1
workgroup = MYDOMAIN
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
security = ads
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dns proxy = no
idmap uid = 10000000-20000000
idmap gid = 10000000-20000000
idmap backend = idmap_rid:MYDOMAIN=10000000-20000000
allow trusted domains = No
template shell = /bin/bash
password server = dc1 dc2
winbind use default domain = no
realm = MYDOMAIN
[homes]
comment = Home Directories
browseable = no
writable = yes

=====================
/etc/krb5.conf
=====================
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

MYDOMAIN = {
kdc = dc2
kdc = dc1
}

[domain_realm]
.mydomain = .MYDOMAIN
mydomain.com = MYDOMAIN

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

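The post's smb.conf writes one log per connecting client (log file = /var/log/samba/%m.log), so the natural first check for a lockout like this one is to read those per-client files and see which client produced the failed logons for the user. The script below is an added example, not part of the original post or of Samba: it parses the "check_ntlm_password" outcome lines that Samba 3.x emits, tallies NT_STATUS results per client and per user, and flags the (client, user) pairs that show repeated wrong-password failures or an explicit NT_STATUS_ACCOUNT_LOCKED_OUT. The sample log text in SAMPLE_LOGS is constructed for the example (made-up timestamps, file names pc1.log/pc3.log and outcomes); the line format follows what Samba 3 writes for these messages.

```python
import os
import re
from collections import Counter, defaultdict

# Constructed sample of two per-client Samba logs (not real logs from the post).
# Samba 3 writes a header line "[date time, level] file:function(line)" followed
# by the message line; authentication outcomes are logged at "log level = 2" or higher.
SAMPLE_LOGS = {
    "/var/log/samba/pc1.log": """\
[2007/02/05 22:10:01, 2] auth/auth.c:check_ntlm_password(316)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/02/05 22:10:03, 2] auth/auth.c:check_ntlm_password(316)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/02/05 22:10:05, 2] auth/auth.c:check_ntlm_password(316)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_ACCOUNT_LOCKED_OUT
""",
    "/var/log/samba/pc3.log": """\
[2007/02/05 22:12:40, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [user1] -> [user1] -> [MYDOMAIN\\user1] succeeded
""",
}

# Header line preceding each debug message, e.g. "[2007/02/05 22:10:01, 2] auth/auth.c:..."
HEADER_RE = re.compile(r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]")

# Outcome lines: "... Authentication for user [u] -> [u] FAILED with error NT_STATUS_X"
#            or: "... authentication for user [u] -> [u] -> [DOM\u] succeeded"
AUTH_RE = re.compile(
    r"check_ntlm_password:\s+[Aa]uthentication for user \[(?P<user>[^\]]*)\]"
    r"(?: -> \[[^\]]*\])+ (?:succeeded|FAILED with error (?P<status>\S+))"
)


def parse_auth_events(text):
    """Return [(timestamp, user, nt_status)] for one client's log; successes map to NT_STATUS_OK."""
    events = []
    timestamp = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            timestamp = header.group("ts")  # applies to the message line that follows
            continue
        auth = AUTH_RE.search(line)
        if auth:
            events.append((timestamp, auth.group("user"), auth.group("status") or "NT_STATUS_OK"))
    return events


def summarize(logs):
    """Map client name -> user -> {NT_STATUS: count}. `logs` is {log path: log text}."""
    summary = {}
    for path, text in logs.items():
        client = os.path.splitext(os.path.basename(path))[0]  # "pc1.log" -> "pc1"
        per_user = defaultdict(Counter)
        for _, user, status in parse_auth_events(text):
            per_user[user][status] += 1
        summary[client] = {user: dict(counts) for user, counts in per_user.items()}
    return summary


def lockout_sources(summary, threshold=2):
    """(client, user) pairs whose log shows a lockout or at least `threshold` wrong-password failures."""
    hits = []
    for client, users in sorted(summary.items()):
        for user, counts in sorted(users.items()):
            if counts.get("NT_STATUS_ACCOUNT_LOCKED_OUT", 0) or \
                    counts.get("NT_STATUS_WRONG_PASSWORD", 0) >= threshold:
                hits.append((client, user))
    return hits


def load_logs(directory):
    """Read every *.log file in a Samba log directory (e.g. /var/log/samba) into {path: text}."""
    logs = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".log"):
            path = os.path.join(directory, name)
            with open(path, errors="replace") as fh:
                logs[path] = fh.read()
    return logs


if __name__ == "__main__":
    import sys
    # Usage: python samba_auth_summary.py [/var/log/samba]; without an argument the sample runs.
    logs = load_logs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOGS
    summary = summarize(logs)
    for client, users in sorted(summary.items()):
        for user, counts in sorted(users.items()):
            print(f"{client:<8} {user:<10} {counts}")
    print("suspect (client, user) pairs:", lockout_sources(summary))
```

Two caveats when applying this to the poster's setup: the outcome lines are only written at log level 2 or higher, and the posted smb.conf sets no log level, so the default of 0 would leave the per-client files without them even when the client does reach Samba; and with security = ads the lockout itself is enforced by the domain controllers, so a client that never completes a session with LINUX1 (which would match the missing PC1 log) leaves its trail in the DC's security log rather than in /var/log/samba.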