[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Wed Jul 23 14:36:13 GMT 2008

I may have a deficiency in understanding the procedure for ADS
authentication with samba, but most of the server setup works so far.  I
have bound a Red Hat Enterprise 5 server to our windows domain, it shows
up in DNS and ADS, I can ping it, but I can't get samba shares to be
accessible to users, or even get the smbclient to return shares


wbinfo -g returns the domain groups properly

wbinfo -u return the domain users properly


[root at solar samba]# wbinfo -a 'DNAME\uname'%secret 

plaintext password authentication succeeded

challenge/response password authentication succeeded


[root at solar samba]# wbinfo -K 'DNAME\uname'%secret 

plaintext kerberos password authentication for [DNAME\uname%secret]
succeeded (requesting cctype: FILE)

credentials were put in: FILE:/tmp/krb5cc_0


[root at solar samba]# wbinfo -t

checking the trust secret via RPC calls succeeded


So that all works fine.  smbclient chokes though:


[root at solar samba]# smbclient -L solar -U 'DNAME\uname'


session setup failed: NT_STATUS_LOGON_FAILURE


[root at solar samba]# smbclient -L solar -U uname


session setup failed: NT_STATUS_LOGON_FAILURE


or if I even use a samba user that I have setup with smbpasswd


[root at solar samba]# smbclient -L solar -U sambaname


session setup failed: NT_STATUS_LOGON_FAILURE


The only log file in /var/log/samba that shows any changes is log.nmbd


[2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)

  query_name_response: Multiple (2) responses received for a query on
subnet for name DNAME<1d>.

  This response was from IP, reporting an IP address of


Here is my smb.conf


# Samba config file created using SWAT

# from (

# Date: 2008/07/17 09:25:15



   workgroup = DNAME

   realm = DNAME.LOCAL

   netbios aliases = solar.dname.local, solar.dname.com

   server string = Samba %v %h

   interfaces =

   security = ADS

#  security = user

   auth methods = winbind

   use kerberos keytab = Yes

   encrypt passwords = yes

   winbind enum users = Yes

   winbind enum groups = Yes

   preferred master = No

   local master = No

   domain master = No

   ldap ssl = no

   idmap domains = DNAME

   idmap uid = 10000-20000

   idmap gid = 10000-20000



   writeable = yes

   valid users = sambaname,'DNAME\uname'

   public = yes

   path = /data/T_drive


Here is krb5.conf



default = FILE:/var/log/krb5libs.log

kdc = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log



default_realm = DNAME.LOCAL




   default_domain =

   kdc = nvautil01.DNAME.local:

   admin_server = nvadom01:




dname.local = DNAME.LOCAL


pam.d directory samba file


[root at solar samba]# more /etc/pam.d/samba


auth    sufficient      pam_krb5afs.so

account sufficient      pam_krb5afs.so

auth    sufficient      pam_winbind.so

account sufficient      pam_winbind.so

session sufficient      pam_krb5afs.so

password       sufficient  pam_krb5afs.so

auth     required       pam_unix.so

account  required       pam_unix.so

session sufficient      pam_winbind.so

password       sufficient  pam_winbind.so

More information about the samba mailing list