[Samba] ADS Trouble authorizing users.

Chris Bolton cbolton at rarr.org.uk
Thu Aug 28 12:55:34 GMT 2008


Hi all,

I've set up a CentOS machine with samba version 3.0.28-1.el5_2.1 to join a
Windows 2003 ADS.  Everything seemed to go fine while joining the domain:

[root@mailserver ~]# net ads join -U administrator
administrator's password:
Using short domain name -- MYDOMAIN
Joined 'MAILSERVER' to realm 'MYDOMAIN.LOCAL'

The trouble I'm having is authorizing users.

When connecting to the CentOS machine from a Windows XP machine it pops up
a username and password dialog.  Entering in my details just pops it up
again as it would if I'd entered them incorrectly.  Nothing is recorded in
the logs on the CentOS machine (either in /var/log/messages or
/var/log/samba/smbd.log) and I am unable to proceed.

If I try a username in the dialog box that does not exist on the domain I
get an error in /var/log/messages:

Aug 28 12:58:06 mailserver smbd[23786]: [2008/08/28 12:58:06, 0]
auth/auth_domain.c:domain_client_validate(260)
Aug 28 12:58:06 mailserver smbd[23786]:   domain_client_validate: unable to
validate password for user dave in domain MYDOMAIN to Domain controller
MANS01.MYDOMAIN.LOCAL. Error was NT_STATUS_NO_SUCH_USER.


I'm guessing it's a problem with the way the CentOS machine is passing on the
logon details but without an error message I'm a bit stuck.  Any help would
be gratefully received.

Cheers.

Config files below:

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
MYDOMAIN.LOCAL = {
  kdc = mans01
  admin_server = mans01
  default_domain = mydomain.local
 }

[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/samba/smb.conf

[global]

workgroup = MYDOMAIN
netbios name = mailserver
server string = Samba Server 3.0
security = ads
realm = MYDOMAIN.LOCAL
password server = mans01
encrypt passwords = yes
printcap name = /etc/printcap
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no

#============================ Share Definitions ==============================

[public]
  comment = Share
  path = /home/public
  public = yes
  writable = yes
  printable = no

