[Samba] Samba ADS domain member issues

Chris Robinson chris.robinson at voipsupply.com
Fri Jan 12 15:14:59 GMT 2007


This is a repost.
 
Hi, I am having problems configuring my CentOS 4 server as an ADS domain 
member of our 2003 AD.  I've followed the instructions on samba.org and 
did quite a bit of Googling and haven't found an answer to the problems.
Basically I used the configuration illustrated in this section of the 
howto, and of course a number of other suggestions I've found along the way: 

http://us3.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

Here are the installed software versions:
rpm -qa | grep samba
samba-common-3.0.10-1.4E
samba-swat-3.0.10-1.4E.9
samba-client-3.0.10-1.4E
samba-3.0.10-1.4E.9

rpm -qa | grep krb5
krb5-libs-1.3.4-33
krb5-devel-1.3.4-33
pam_krb5-2.1.8-1
krb5-workstation-1.3.4-33


What happens is that I am able to join the domain successfully:
net ads join -U Administrator%pass
[2006/12/12 19:16:25, 0] libads/ldap.c:ads_add_machine_acct(1368)
 ads_add_machine_acct: Host account for development already exists - modifying old account
Using short domain name -- B2LLC
Joined 'DEVELOPMENT' to realm 'B2LLC.LOCAL'

As far as the tests from the article go:
*wbinfo -u, and wbinfo -g seem to work fine
*getent passwd and getent group don't work as described in the 
article.  It simply lists my local users.  I have gotten it to work by 
modifying krb5.conf, but I can't seem to find the magic configuration 
for that as it seems to be touch and go.
*net ads info and net ads status -UAdministrator% both work fine

*When I go to one of my domain controllers I can see the computer 
listed, but when I try to manage it and click on the shares I get a "You 
do not have permissions to see the list of shares from Windows clients" 
error.
*When I try to browse to the machine from one of the computers on the 
domain it simply prompts me for a password dialog, and none of the 
domain or machine passwords work.
*When I check the errors for the IP address of the computer I tried it 
from I usually get one of these two errors:
[2006/12/12 17:44:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(250)
 Username B2LLC\crobin01 is invalid on this system
[2006/12/12 17:44:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
 Failed to verify incoming ticket!

I've tried the exact same configuration files on multiple machines and I 
seem to get different results depending on the server even though they 
all run CentOS 4 (although there could be some dot level version 
differences, I do use their most updated Samba and Kerberos packages).  
I have one machine that the config files are actually working on, 
although the rights don't work the way I would expect them to work...not 
a big deal though for my needs.

Any help would be greatly appreciated.  If I've been going down the 
wrong path altogether I'm more than happy to RTFM if someone would be so 
kind as to point me in the right direction.  Thanks very much for any 
assistance.

