[Samba] Authenticating to AD server fails.

Ray Van Dolson rvandolson at esri.com
Fri Sep 7 06:23:51 GMT 2007


I'm trying to configure a Fedora 7 machine to authenticate access to
shares via AD.  This works fine on other RHEL machines, but the same
configuration on Fedora maddeningly does not.

I've tried oodles of different configurations, and am currently using
something based on:

  http://wiki.samba.org/index.php/Samba_&_Active_Directory

Here is my krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ESRI.COM
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ESRI.COM = {
  kdc = dc1.esri.com:88
  admin_server = dc1.esri.com:749
  default_domain = esri.com
  kdc = dc1.esri.com
 }

[domain_realm]
 .esri.com = ESRI.COM
 esri.com = ESRI.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

I am able to kinit just fine and to net ads join.  wbinfo -a and more
work just fine.  I can use smbclient to view shares on other members
of the domain with and without -k perfectly.  winbind appears to be
running without issue.

# net ads testjoin
Join is OK

Now, my smb.conf:

[global]
   workgroup = AVWORLD
   realm = ESRI.COM
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 500
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   ;winbind separator = +
   idmap uid = 10000-9999999999
   idmap gid = 10000-9999999999
   ;template primary group = "Domain Users"
   template shell = /bin/bash

   ; Some things that may or may not be useful.
   ;passdb backend = tdbsam
   ;idmap backend = ad
   ;winbind nss info = rfc2307

[public]
   comment = gumnut public read-only share
   path = /home/public
   public = yes

However, when trying to access this machine (GUMNUT) from a Windows
client or using smbclient from the local machine, I get a failure --
smbclient says NT_STATUS_LOGON_FAILURE and the corresponding Samba
logfile says:

[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is AVWORLD\RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [AVWORLD\ray5147]!
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [ray5147]!
[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username AVWORLD\ray5147 is invalid on this system
[2007/09/06 23:19:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Given the command:

  smbclient -L GUMNUT -U ray5147 -W AVWORLD

At this point I am stumped.  I believe we are running Windows 2003 AD
servers and it's just not clear to me why the above is failing.

Where can I look to begin troubleshooting this?

Thanks!
Ray
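Added example, not part of Ray's post and not Samba's own tooling: the log above shows the Kerberos session setup succeeding (reply_spnego_kerberos already has the principal) and then failing only in Get_Pwnam(), i.e. in the libc getpwnam() lookup that smbd uses to map the AD account to a Unix user. The two things a troubleshooter checks first at that point are whether nsswitch.conf actually lists winbind for passwd and group (the post does not show that file, so the samples below are constructed), and whether the idmap range in smb.conf can be honored at all: 9999999999 is larger than the 32-bit uid_t/gid_t maximum of 4294967295, though whether that is what breaks this particular host is not something the post shows. The script also includes a live check_host function that runs the same lookups smbd performs; getent and wbinfo are only invoked if present.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba). Offline checks
# for the two settings behind a "Get_Pwnam_internals didn't find user"
# failure after a successful Kerberos session setup, plus a live wrapper.

# Constructed sample: a Fedora-style nsswitch.conf that never consults winbind.
SAMPLE_NSS_NO_WINBIND='# /etc/nsswitch.conf (constructed sample)
passwd:     files
shadow:     files
group:      files
hosts:      files dns'

# Constructed sample: the same file with winbind added for passwd and group.
SAMPLE_NSS_WINBIND='passwd:     files winbind   # comment after the entry
shadow:     files
group:      files winbind
hosts:      files dns'

# nss_has_winbind DATABASE CONTENT
# Succeeds when the named NSS database line (e.g. "passwd") lists the
# winbind source. Comments are ignored; the first matching line decides.
nss_has_winbind() {
    printf '%s\n' "$2" | awk -v db="$1" '
        { sub(/#.*/, "")                          # strip trailing comments
          if ($0 !~ ("^[ \t]*" db "[ \t]*:")) next
          n = split($0, f, /[ \t:]+/)
          for (i = 1; i <= n; i++) if (f[i] == "winbind") found = 1
          exit }                                  # only the first match counts
        END { exit (found ? 0 : 1) }'
}

# idmap_range_fits RANGE
# Succeeds when an "idmap uid"/"idmap gid" value of the form LOW-HIGH has
# LOW <= HIGH and HIGH within the 32-bit uid_t/gid_t Linux uses (max 4294967295).
idmap_range_fits() {
    printf '%s\n' "$1" | awk -F- '
        NF != 2 || $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { exit 1 }
        { exit (($1 + 0 <= $2 + 0 && $2 + 0 <= 4294967295) ? 0 : 1) }'
}

# check_host [NSSWITCH_FILE] [USER]
# Live check for a real member server: reports which databases lack winbind,
# then tries the lookups that sit behind the failing Get_Pwnam() calls in the
# smbd log. getent/wbinfo are optional so this degrades to the file check on a
# machine without Samba installed.
check_host() {
    f="${1:-/etc/nsswitch.conf}"
    user="$2"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    content=$(cat "$f")
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$db" "$content"; then
            echo "ok:   $db consults winbind in $f"
        else
            echo "FAIL: $db does not list winbind in $f (getpwnam() cannot see AD users)"
            rc=1
        fi
    done
    if [ -n "$user" ] && command -v getent >/dev/null 2>&1; then
        getent passwd "$user" || { echo "FAIL: getent passwd $user returned nothing"; rc=1; }
    fi
    if [ -n "$user" ] && command -v wbinfo >/dev/null 2>&1; then
        wbinfo -i "$user" || { echo "FAIL: wbinfo -i $user failed (winbindd cannot resolve the user)"; rc=1; }
    fi
    return $rc
}

# Usage on the member server (hypothetical invocation):
#   check_host /etc/nsswitch.conf ray5147
#   idmap_range_fits 10000-9999999999 || echo "idmap range exceeds 32-bit uid_t"
```

The offline functions are what a test can exercise; check_host is the one to run on the box itself. If getent resolves the user but smbd still logs Get_Pwnam failures, the remaining suspects are the smbd process seeing a different nsswitch/winbind socket than the shell, which the post's log alone cannot distinguish.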

