[Samba] [SOLVED] Re: Active Directory authentication no longer works

Dan O'Brien dobrien at xanboo.com
Tue May 22 21:41:23 GMT 2007


After days of banging my head against my desk we've managed to find the
cause of the issue.
The problem was in the group policy on the domain controllers, under
"Default Domain Controller Security Settings" -> Local Policies ->
Security Options:
Allow anonymous SID/Name translation:  Was set to disabled
Do not allow anonymous enumeration of SAM accounts and Shares: Was Enabled

Once we changed these (and disabled the "No Override" bit on the default
domain policy), everything started working again.

Hope this helps someone else.

Regards,
Dan

Dan O'Brien wrote:
> Hello all,
> 
> I have 3 Linux boxes all authenticating against 2 Windows 2003 domain
> controllers. Each Linux box is running a different Linux and samba version:
> 
> Box1: CentOS 3.4 3.0.25-7
> Box2: CentOS 4.4 3.0.10-1
> Box3: CentOS 5   3.0.23c-2
> 
> Their smb.conf and krb5.conf files are all identical (below). A few days
> ago authentication stopped working and my /var/log/messages fills up
> with "signing_good: BAD SIG: seq 1" and "SMB Signature verification
> failed on incoming packet!" errors. When someone tries to log into one
> of the machines I get an "internal module error" and
> "NT_STATUS_LOGON_TYPE_NOT_GRANTED" messages.
> 
> I've been on this for 2 full days now, I've tried everything I could
> think of. Any help would be appreciated.
> 
> 
> Regards,
> Dan O'Brien
> 
> (conf files and messages below)
> 
> 
> 
> /var/log/messages
> ...
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/smb_signing.c:signing_good(240)
> May 21 16:58:13 scandium winbindd[14882]:   signing_good: BAD SIG: seq 1
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/clientgen.c:cli_receive_smb(121)
> May 21 16:58:13 scandium winbindd[14882]:   SMB Signature verification
> failed on incoming packet!
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/smb_signing.c:signing_good(240)
> May 21 16:58:13 scandium winbindd[14882]:   signing_good: BAD SIG: seq 1
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/clientgen.c:cli_receive_smb(121)
> May 21 16:58:13 scandium winbindd[14882]:   SMB Signature verification
> failed on incoming packet!
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/smb_signing.c:signing_good(240)
> May 21 16:58:13 scandium winbindd[14882]:   signing_good: BAD SIG: seq 1
> May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0]
> libsmb/clientgen.c:cli_receive_smb(121)
> May 21 16:58:13 scandium winbindd[14882]:   SMB Signature verification
> failed on incoming packet!
> May 21 16:58:13 scandium pam_winbind[17827]: request failed:
> NT_STATUS_LOGON_TYPE_NOT_GRANTED, PAM error was 4, NT error was
> NT_STATUS_LOGON_TYPE_NOT_GRANTED
> May 21 16:58:13 scandium pam_winbind[17827]: internal module error
> (retval = 4, user = `user'
> 
> 
> krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = MYDOMAIN.COM
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> 
> [realms]
>  MYDOMAIN.COM = {
>   kdc = mydomain.com
>   admin_server = dc1.mydomain.com
>   default_domain = mydomain.com
>   kdc = dc1.mydomain.com
>   kdc = dc2.mydomain.com
>  }
> 
> [domain_realm]
>  .mydomain.com = MYDOMAIN.COM
>  mydomain.com = MYDOMAIN.COM
> 
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> smb.conf
> [global]
> 
>    realm = MYDOMAIN.COM
>    workgroup = mydomain
>    server string = Scandium
>    security = ADS
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
> 
>    template shell = /bin/bash
>    template homedir = /home/%U
>    winbind use default domain = yes
>    printcap name = /etc/printcap
>    load printers = yes
>    cups options = raw
>    log level = 9
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    password server = dc2.mydomain.com dc2.mydomain.com
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    local master = no
>    domain master = no
>    preferred master = no
>    dns proxy = no
> 
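
An added example, not part of the original post: a small Python triage script for the log pattern quoted above. It pairs each Samba header line (`[date, level] file:function(line)`) with the message line that follows it, counts the results per host, and lists hosts that show both winbindd SMB signature failures and pam_winbind logon failures. The sample input is constructed from the quoted excerpt with the mail line wraps undone, and all function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the quoted /var/log/messages excerpt with mail line wraps undone.
SIG_PAIR = (
    "May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0] libsmb/smb_signing.c:signing_good(240)\n"
    "May 21 16:58:13 scandium winbindd[14882]:   signing_good: BAD SIG: seq 1\n"
    "May 21 16:58:13 scandium winbindd[14882]: [2007/05/21 16:58:13, 0] libsmb/clientgen.c:cli_receive_smb(121)\n"
    "May 21 16:58:13 scandium winbindd[14882]:   SMB Signature verification failed on incoming packet!\n"
)
SAMPLE = SIG_PAIR * 3 + (
    "May 21 16:58:13 scandium pam_winbind[17827]: request failed: NT_STATUS_LOGON_TYPE_NOT_GRANTED, "
    "PAM error was 4, NT error was NT_STATUS_LOGON_TYPE_NOT_GRANTED\n"
    "May 21 16:58:13 scandium pam_winbind[17827]: internal module error (retval = 4, user = `user'\n"
)

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([\w.-]+)\[(\d+)\]: (.*)$")
SAMBA_HDR = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:]{8}, *\d+\] \S+:(\w+)\(\d+\)$")
NT_STATUS = re.compile(r"NT error was (NT_STATUS_\w+)")

def triage(text):
    """Return two Counters: Samba events keyed by (host, function, message)
    and pam_winbind failures keyed by (host, NT status)."""
    samba, nt = Counter(), Counter()
    pending = {}  # (host, pid) -> function named by a header line awaiting its message
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        host, prog, pid, msg = m.groups()
        hdr = SAMBA_HDR.match(msg)
        if hdr:
            pending[(host, pid)] = hdr.group(1)
            continue
        func = pending.pop((host, pid), None)
        if func is not None:
            samba[(host, func, msg.strip())] += 1
        status = NT_STATUS.search(msg)
        if prog == "pam_winbind" and status:
            nt[(host, status.group(1))] += 1
    return samba, nt

def hosts_with_signing_and_logon_failures(text):
    """Hosts that log SMB signature failures and also a pam_winbind logon failure."""
    samba, nt = triage(text)
    sig_hosts = {h for (h, f, _m) in samba if f in ("signing_good", "cli_receive_smb")}
    return sorted(sig_hosts & {h for (h, _s) in nt})

if __name__ == "__main__":
    print(hosts_with_signing_and_logon_failures(SAMPLE))
```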


