[Samba] wbinfo -a not working

Rutger Beyen sylvester_rutger at hotmail.com
Sat Feb 16 16:00:07 GMT 2008


 
Hello,
 
I'm trying to connect my Debian 4 Samba box to my Windows 2003 Server Active
Directory.
I successfully joined the domain, with net ads join. Wireshark captures a
lot of packets going over the wire, and I get the message "joined the domain
successfully". In my AD, under 'computers', the samba box appeared. So that
all works.
Asking for a Kerberos ticket for a user with kinit is also successful. So
Kerberos is working fine.
 
wbinfo -u gives me all the users I have in my AD, and wbinfo -g does the
same with all the groups. wbinfo -t is also working fine.
But when I try wbinfo -a rutger%rutger, I get
 
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user rutger%rutger with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
    error messsage was: No such user
    Could not authenticate user rutger with challenge/response
 
Same result with wbinfo -K. It says the user does not exist, but it is there
when I do a wbinfo -u.
 
Same output with ntlm_auth and with --diagnostics:
 
    ntlm_auth --request-nt-key --domain=PROJECT --username=rutger
    password:
    NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
 

project:/etc# ntlm_auth --request-nt-key --domain=PROJECT --username=rutger --diagnostics
password:
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test LM and NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLM in LM failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLM in both failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLMv2 and LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test LMv2 failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLMv2 and LMv2, LMv2 broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test NTLM and LM, LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test Plaintext failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test Plaintext LM broken failed!
No such user (0xc0000064)
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test Plaintext NT only failed!
No such user (0xc0000064)
[2008/02/16 16:42:05, 1] utils/ntlm_auth_diagnostics.c:diagnose_ntlm_auth(597)
  Test Plaintext LM only failed!
 

The wbinfo -a and ntlm_auth result in NO data being sent over the wire. Is wbinfo
not correctly using Kerberos? Why are no packets sent over the wire when I
do wbinfo -a? The IP of the AD is in /etc/hosts.
 
 
Thanks a lot for your help, I'm really desperate!
Rutger
 
 
Here are the smb.conf and krb5.conf files:
 
--smb.conf--
project:/etc# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
 
[global]
        workgroup = PROJECT
        realm = PROJECT.LOCAL
        server string = %h server
        security = ADS
        obey pam restrictions = Yes
        password server = project-ad.project.local
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template shell = /bin/bash
        invalid users = root
 
[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No
 
[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        browseable = No
 
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
 
 
 
--krb5.conf--
 
[logging]
default = FILE:/war/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
        default_realm = PROJECT.LOCAL
#       dns_lookup realm = false
#       dns_lookup_kdc = false
 
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
 
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
 
#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
 
# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
 
[realms]
 
        PROJECT.LOCAL = {
                    kdc = PROJECT-AD.PROJECT.LOCAL
        }
                        
[domain_realm]
        .project.local = PROJECT.LOCAL
        project.local = PROJECT.LOCAL
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
}
 
[login]
        krb4_convert = true
        krb4_get_tickets = false
 
 

