[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS
Jason Gerfen
jason.gerfen at scl.utah.edu
Wed Jul 23 16:58:28 GMT 2008
Try using the following in your smb.conf
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000
And for troubleshooting, try taking a look at the
/var/log/samba/log.idmap* logs for UID/GID to SID mapping.
Or you can use
%> wbinfo -i <USER>
%> wbinfo -n <USER>
%> wbinfo -s <USER>
Hope that helps some.
Andrew Masterson wrote:
> I may have a deficiency in understanding the procedure for ADS
> authentication with samba, but most of the server setup works so far. I
> have bound a Red Hat Enterprise 5 server to our windows domain, it shows
> up in DNS and ADS, I can ping it, but I can't get samba shares to be
> accessible to users, or even get the smbclient to return shares
> properly.
>
> wbinfo -g returns the domain groups properly
> wbinfo -u returns the domain users properly
>
> [root@solar samba]# wbinfo -a 'DNAME\uname'%secret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> [root@solar samba]# wbinfo -K 'DNAME\uname'%secret
> plaintext kerberos password authentication for [DNAME\uname%secret]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
> [root@solar samba]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> So that all works fine. smbclient chokes though:
>
> [root@solar samba]# smbclient -L solar -U 'DNAME\uname'
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [root@solar samba]# smbclient -L solar -U uname
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> or if I even use a samba user that I have set up with smbpasswd
>
> [root@solar samba]# smbclient -L solar -U sambaname
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> The only log file in /var/log/samba that shows any changes is log.nmbd
>
> [2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
> query_name_response: Multiple (2) responses received for a query on
> subnet 192.168.77.244 for name DNAME<1d>.
> This response was from IP 192.168.77.216, reporting an IP address of
> 192.168.77.216.
>
> Here is my smb.conf
>
> # Samba config file created using SWAT
> # from 127.0.0.1 (127.0.0.1)
> # Date: 2008/07/17 09:25:15
>
> [global]
> workgroup = DNAME
> realm = DNAME.LOCAL
> netbios aliases = solar.dname.local, solar.dname.com
> server string = Samba %v %h
> interfaces = 192.168.77.244
> security = ADS
> # security = user
> auth methods = winbind
> use kerberos keytab = Yes
> encrypt passwords = yes
> winbind enum users = Yes
> winbind enum groups = Yes
> preferred master = No
> local master = No
> domain master = No
> ldap ssl = no
> idmap domains = DNAME
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [T_drive]
> writeable = yes
> valid users = sambaname,'DNAME\uname'
> public = yes
> path = /data/T_drive
>
>
> Here is krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = DNAME.LOCAL
>
> [realms]
> DNAME.LOCAL = {
> default_domain =
> kdc = nvautil01.DNAME.local:
> admin_server = nvadom01:
> }
>
> [domain_realm]
> dname.local = DNAME.LOCAL
>
>
> pam.d directory samba file
>
> [root@solar samba]# more /etc/pam.d/samba
> #%PAM-1.0
> auth sufficient pam_krb5afs.so
> account sufficient pam_krb5afs.so
> auth sufficient pam_winbind.so
> account sufficient pam_winbind.so
> session sufficient pam_krb5afs.so
> password sufficient pam_krb5afs.so
> auth required pam_unix.so
> account required pam_unix.so
> session sufficient pam_winbind.so
> password sufficient pam_winbind.so
>
--
Jas
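The checks suggested in the reply above (the client-auth knobs, the idmap range, and `wbinfo -i` for UID/GID mapping) can be scripted so they are run the same way every time. The following is an added example written for this page, not code from the original post or from the Samba project. It parses an smb.conf, reports which of the recommended settings are missing or set to a weaker value, extracts the idmap range from either the old `idmap uid` style or the `idmap config DOMAIN:range` style, and checks `wbinfo -i` records against that range. The two smb.conf texts and the wbinfo output embedded below are constructed for the example (the first is modelled on the posted config with one deliberately weak setting added); the `audit`, `idmap_ranges` and `check_wbinfo_record` names are the example's own.

```python
"""Audit an smb.conf for the client-auth and idmap settings recommended
in the reply, then check `wbinfo -i` records against the idmap range.
Added example; sample smb.conf texts and wbinfo output are constructed."""
import configparser
import re

# Parameters the reply recommends, with the recommended values.
RECOMMENDED = {
    "client signing": "yes",
    "client schannel": "no",
    "client use spnego": "yes",
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "client plaintext auth": "no",
}

# smb.conf boolean spellings, normalised to yes/no for comparison.
BOOL = {"yes": "yes", "true": "yes", "1": "yes",
        "no": "no", "false": "no", "0": "no"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with parameter names lower-cased.
    Only '=' delimits: ':' is part of 'idmap config DOMAIN:key' names."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"), strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _parse_range(val):
    """'10000-20000' or '1000 - 300000000' -> (low, high) as ints."""
    lo, hi = re.split(r"\s*-\s*", val.strip(), maxsplit=1)
    return int(lo), int(hi)


def idmap_ranges(global_sec):
    """UID ranges per domain: 'idmap config DOM:range' keyed by upper-cased
    domain, plus the old-style 'idmap uid' range stored under '*'."""
    ranges = {}
    for key, val in global_sec.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            ranges[m.group(1).upper()] = _parse_range(val)
    if "idmap uid" in global_sec:
        ranges["*"] = _parse_range(global_sec["idmap uid"])
    return ranges


def audit(text):
    """Return a list of findings; empty means the config follows the reply."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for param, want in RECOMMENDED.items():
        have = g.get(param)
        if have is None:
            findings.append(f"{param}: not set (recommended {want})")
        elif BOOL.get(have.lower(), have.lower()) != want:
            findings.append(f"{param} = {have}: recommended {want}")
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        findings.append("security = ADS without a realm")
    if not idmap_ranges(g):
        findings.append("no idmap range configured")
    return findings


def check_wbinfo_record(line, ranges, sep="\\"):
    """`wbinfo -i` prints a passwd(5)-style record name:pw:uid:gid:gecos:home:shell.
    Report whether uid and gid lie inside the idmap range of the user's domain
    (the text before the winbind separator), falling back to the '*' range."""
    fields = line.split(":")
    name, uid, gid = fields[0], int(fields[2]), int(fields[3])
    domain = name.split(sep, 1)[0].upper() if sep in name else "*"
    rng = ranges.get(domain) or ranges.get("*")
    if rng is None:
        return False, f"{name}: no idmap range for domain {domain}"
    lo, hi = rng
    bad = [f"{k}={v}" for k, v in (("uid", uid), ("gid", gid)) if not lo <= v <= hi]
    if bad:
        return False, f"{name}: {', '.join(bad)} outside idmap range {lo}-{hi}"
    return True, f"{name}: uid {uid} gid {gid} within idmap range {lo}-{hi}"


# Constructed sample modelled on the posted config, plus one deliberately
# weak setting (client lanman auth = yes) so the audit has something to flag.
POSTED_STYLE_CONF = """\
[global]
workgroup = DNAME
realm = DNAME.LOCAL
security = ADS
auth methods = winbind
use kerberos keytab = Yes
encrypt passwords = yes
idmap domains = DNAME
idmap uid = 10000-20000
idmap gid = 10000-20000
client lanman auth = yes

[T_drive]
path = /data/T_drive
"""

# Constructed config carrying the settings from the reply.
HARDENED_CONF = """\
[global]
workgroup = DNAME
realm = DNAME.LOCAL
security = ADS
client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no
idmap domains = DNAME
idmap config DNAME:backend = ad
idmap config DNAME:default = yes
idmap config DNAME:schema_mode = rfc2307
idmap config DNAME:range = 1000 - 300000000
"""

# Constructed `wbinfo -i` output: one correctly mapped user and one whose
# UID (999) sits below both ranges, the kind of mismatch log.idmap* shows.
WBINFO_LINES = [
    "DNAME\\uname:*:10001:10000:uname:/home/DNAME/uname:/bin/false",
    "DNAME\\svc:*:999:10000:svc:/home/DNAME/svc:/bin/false",
]

if __name__ == "__main__":
    for label, conf in (("posted-style", POSTED_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} smb.conf ==")
        for f in audit(conf) or ["no findings"]:
            print("  " + f)
        ranges = idmap_ranges(parse_smb_conf(conf)["global"])
        for rec in WBINFO_LINES:
            print("  " + check_wbinfo_record(rec, ranges)[1])
```

On a real host, feed `audit()` the contents of /etc/samba/smb.conf and pipe each `wbinfo -i DOMAIN\user` line into `check_wbinfo_record()`; a UID or GID outside the configured range is the quickest sign that the SID-to-UID mapping, not the password check, is what is failing.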