[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

Andrew Masterson Andrew.Masterson at nuvistaenergy.com
Wed Jul 23 17:23:31 GMT 2008


I added those lines (and changed the range to 10000-20000), and still
smbclient returns the same error.

"session setup failed: NT_STATUS_LOGON_FAILURE"

I also updated the krb5.conf file as I noticed some errors (Improper
format of Kerberos configuration file) in some of the logs.  Those
errors are now gone, and the only idmap log file I see is
log.winbindd-idmap and it gives:

[root at solar etc]# more /var/log/samba/log.winbindd-idmap
[2008/07/23 11:03:44, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/07/23 11:03:44, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID

And the second message (error) wasn't happening before.  Am I missing a
module to provide the AD idmap backend? (although it looks like it is
trying to do it and failing)

New krb5.conf file

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DNAME.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DNAME.LOCAL = {
  kdc = DCONTR.DNAME.local:88
  admin_server = DCONTR.DNAME.local:749
  default_domain = DNAME.local
 }

[domain_realm]
 .DNAME.local = DNAME.LOCAL
 DNAME.local = DNAME.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


-----Original Message-----
From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu]
Sent: Wednesday, July 23, 2008 10:58 AM
To: Andrew Masterson
Cc: samba at lists.samba.org
Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

Try using the following in your smb.conf

client signing = yes
client schannel = no
client use spnego = yes
client lanman auth = no
client NTLMv2 auth = yes
client plaintext auth = no

idmap domains = DOMAIN
idmap config DOMAIN:backend = ad
idmap config DOMAIN:default = yes
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1000 - 300000000

And for troubleshooting try taking a look at the 
/var/log/samba/log.idmap* logs for UID/GID to SID mapping

Or you can use
%> wbinfo -i <USER>
%> wbinfo -n <USER>
%> wbinfo -s <USER>

Hope that helps some.

Andrew Masterson wrote:
> I may have a deficiency in understanding the procedure for ADS
> authentication with samba, but most of the server setup works so far.  I
> have bound a Red Hat Enterprise 5 server to our windows domain, it shows
> up in DNS and ADS, I can ping it, but I can't get samba shares to be
> accessible to users, or even get the smbclient to return shares
> properly.
> 
> wbinfo -g returns the domain groups properly
> wbinfo -u returns the domain users properly
> 
> [root at solar samba]# wbinfo -a 'DNAME\uname'%secret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> 
> [root at solar samba]# wbinfo -K 'DNAME\uname'%secret
> plaintext kerberos password authentication for [DNAME\uname%secret]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
> 
> [root at solar samba]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> 
> So that all works fine.  smbclient chokes though:
> 
> [root at solar samba]# smbclient -L solar -U 'DNAME\uname'
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> [root at solar samba]# smbclient -L solar -U uname
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> or if I even use a samba user that I have setup with smbpasswd
> 
> [root at solar samba]# smbclient -L solar -U sambaname
> Password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> The only log file in /var/log/samba that shows any changes is log.nmbd
> 
> [2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
>   query_name_response: Multiple (2) responses received for a query on
> subnet 192.168.77.244 for name DNAME<1d>.
>   This response was from IP 192.168.77.216, reporting an IP address of
> 192.168.77.216.
> 
> Here is my smb.conf
> 
> # Samba config file created using SWAT
> # from 127.0.0.1 (127.0.0.1)
> # Date: 2008/07/17 09:25:15
> 
> [global]
>    workgroup = DNAME
>    realm = DNAME.LOCAL
>    netbios aliases = solar.dname.local, solar.dname.com
>    server string = Samba %v %h
>    interfaces = 192.168.77.244
>    security = ADS
> #  security = user
>    auth methods = winbind
>    use kerberos keytab = Yes
>    encrypt passwords = yes
>    winbind enum users = Yes
>    winbind enum groups = Yes
>    preferred master = No
>    local master = No
>    domain master = No
>    ldap ssl = no
>    idmap domains = DNAME
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
> 
> [T_drive]
>    writeable = yes
>    valid users = sambaname,'DNAME\uname'
>    public = yes
>    path = /data/T_drive
> 
> Here is krb5.conf
> 
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = DNAME.LOCAL
> 
> [realms]
> DNAME.LOCAL = {
>    default_domain =
>    kdc = nvautil01.DNAME.local:
>    admin_server = nvadom01:
> }
> 
> [domain_realm]
> dname.local = DNAME.LOCAL
> 
> pam.d directory samba file
> 
> [root at solar samba]# more /etc/pam.d/samba
> #%PAM-1.0
> auth    sufficient      pam_krb5afs.so
> account sufficient      pam_krb5afs.so
> auth    sufficient      pam_winbind.so
> account sufficient      pam_winbind.so
> session sufficient      pam_krb5afs.so
> password       sufficient  pam_krb5afs.so
> auth     required       pam_unix.so
> account  required       pam_unix.so
> session sufficient      pam_winbind.so
> password       sufficient  pam_winbind.so


-- 
Jas
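An added check, not from either poster: a small Python lint for the idmap settings Jason suggests, run against a constructed smb.conf fragment and a constructed copy of the log.winbindd-idmap line format Andrew quotes. It flags a malformed or inverted range and, for backend = ad, reminds the operator that idmap_ad is read-only and only maps accounts whose uidNumber/gidNumber in AD fall inside the range, then correlates that with the "Could not get unix ID" entry.

```python
import re

# Constructed smb.conf [global] fragment modelled on the thread (not the poster's actual file).
SMB_CONF = """\
[global]
   idmap domains = DNAME
   idmap config DNAME:backend = ad
   idmap config DNAME:schema_mode = rfc2307
   idmap config DNAME:range = 10000 - 20000
"""
# Constructed lines in the format of the log.winbindd-idmap excerpt quoted in the thread.
IDMAP_LOG = """\
[2008/07/23 11:03:44, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
  Could not get unix ID
"""

def parse_global(text):
    """Return the [global] section as {lowercased key: value}; other sections are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            conf[" ".join(key.split()).lower()] = val.strip()
    return conf

def check_idmap(conf, log):
    """Return findings explaining why winbind may be unable to map SIDs to unix IDs."""
    findings = []
    prefix = "idmap config %s:" % conf.get("idmap domains", "").lower()
    rng = conf.get(prefix + "range", "")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
    if not m:
        findings.append("%srange missing or malformed: %r" % (prefix, rng))
    elif int(m.group(1)) >= int(m.group(2)):
        findings.append("%srange low bound is not below high bound: %s" % (prefix, rng))
    if conf.get(prefix + "backend") == "ad":
        # idmap_ad never allocates IDs; it only reads uidNumber/gidNumber already stored in AD.
        findings.append("backend ad is read-only: every AD user/group needs uidNumber/gidNumber "
                        "inside %s, otherwise winbind cannot map it" % (rng or "the range"))
        if conf.get(prefix + "schema_mode", "rfc2307") == "rfc2307":
            findings.append("schema_mode rfc2307 needs the Windows 2003 R2 schema; "
                            "pre-R2 domains with Services for Unix use schema_mode = sfu")
    lines = log.splitlines()  # the failing function name identifies which backend gave up
    if any("idmap_ad_sids_to_unixids" in a and "Could not get unix ID" in b
           for a, b in zip(lines, lines[1:])):
        findings.append("log: idmap_ad reported 'Could not get unix ID' for a SID lookup")
    return findings
```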

