[Samba] Trouble authenticating to Samba shares with Win 2k3 ADS

Jason Gerfen jason.gerfen at scl.utah.edu
Wed Jul 23 19:18:24 GMT 2008


Turn up the debugging and take a look at the following schema attributes 
for the user you are attempting to authenticate. It looks like some 
POSIX account data may be missing.

uidNumber
gidNumber
sfuHomeDirectory
loginShell

Also turn up the debugging to 20, restart your samba server and required 
services (winbind etc.) and try again. You might also want to look at 
wbinfo --help for the SID-to-GID and SID-to-UID mapping functions.

If those are not working then the schema attributes or values are 
missing in the AD account schema.

Andrew Masterson wrote:
> I added those lines (and changed the range to 10000-20000), and still
> smbclient returns the same error.
> 
> "session setup failed: NT_STATUS_LOGON_FAILURE"
> 
> I also updated the krb5.conf file as I noticed some errors (Improper
> format of Kerberos configuration file) in some of the logs.  Those
> errors are now gone, and the only idmap log file I see is
> log.winbindd-idmap and it gives:
> 
> [root at solar etc]# more /var/log/samba/log.winbindd-idmap 
> [2008/07/23 11:03:44, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/07/23 11:03:44, 1]
> nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>   Could not get unix ID
> 
> And the second message (error) wasn't happening before.  Am I missing a
> module to provide the AD idmap backend? (although it looks like it is
> trying to do it and failing)
> 
> New krb5.conf file
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = DNAME.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>  DNAME.LOCAL = {
>   kdc = DCONTR.DNAME.local:88
>   admin_server = DCONTR.DNAME.local:749
>   default_domain = DNAME.local
>  }
> 
> [domain_realm]
>  .DNAME.local = DNAME.LOCAL
>  DNAME.local = DNAME.LOCAL
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> 
> -----Original Message-----
> From: Jason Gerfen [mailto:jason.gerfen at scl.utah.edu] 
> Sent: Wednesday, July 23, 2008 10:58 AM
> To: Andrew Masterson
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Trouble authenticating to Samba shares with Win 2k3
> ADS
> 
> Try using the following in your smb.conf
> 
> client signing = yes
> client schannel = no
> client use spnego = yes
> client lanman auth = no
> client NTLMv2 auth = yes
> client plaintext auth = no
> 
> idmap domains = DOMAIN
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:default = yes
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1000 - 300000000
> 
> And for troubleshooting try taking a look at the 
> /var/log/samba/log.idmap* logs for UID/GID to SID mapping
> 
> Or you can use
> %> wbinfo -i <USER>
> %> wbinfo -n <USER>
> %> wbinfo -s <USER>
> 
> Hope that helps some.
> 
> Andrew Masterson wrote:
>> I may have a deficiency in understanding the procedure for ADS
>> authentication with samba, but most of the server setup works so far. I
>> have bound a Red Hat Enterprise 5 server to our windows domain, it shows
>> up in DNS and ADS, I can ping it, but I can't get samba shares to be
>> accessible to users, or even get the smbclient to return shares
>> properly.
>>
>> wbinfo -g returns the domain groups properly
>> wbinfo -u returns the domain users properly
>>
>> [root at solar samba]# wbinfo -a 'DNAME\uname'%secret
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>>
>> [root at solar samba]# wbinfo -K 'DNAME\uname'%secret
>> plaintext kerberos password authentication for [DNAME\uname%secret]
>> succeeded (requesting cctype: FILE)
>> credentials were put in: FILE:/tmp/krb5cc_0
>>
>> [root at solar samba]# wbinfo -t
>> checking the trust secret via RPC calls succeeded
>>
>> So that all works fine.  smbclient chokes though:
>>
>> [root at solar samba]# smbclient -L solar -U 'DNAME\uname'
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [root at solar samba]# smbclient -L solar -U uname
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> or even if I use a samba user that I have set up with smbpasswd
>>
>> [root at solar samba]# smbclient -L solar -U sambaname
>> Password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> The only log file in /var/log/samba that shows any changes is log.nmbd
>>
>> [2008/07/23 08:18:47, 0] nmbd/nmbd_namequery.c:query_name_response(109)
>>   query_name_response: Multiple (2) responses received for a query on
>>   subnet 192.168.77.244 for name DNAME<1d>.
>>   This response was from IP 192.168.77.216, reporting an IP address of
>>   192.168.77.216.
>>
>> Here is my smb.conf
>>
>> # Samba config file created using SWAT
>> # from 127.0.0.1 (127.0.0.1)
>> # Date: 2008/07/17 09:25:15
>>
>> [global]
>>    workgroup = DNAME
>>    realm = DNAME.LOCAL
>>    netbios aliases = solar.dname.local, solar.dname.com
>>    server string = Samba %v %h
>>    interfaces = 192.168.77.244
>>    security = ADS
>> #  security = user
>>    auth methods = winbind
>>    use kerberos keytab = Yes
>>    encrypt passwords = yes
>>    winbind enum users = Yes
>>    winbind enum groups = Yes
>>    preferred master = No
>>    local master = No
>>    domain master = No
>>    ldap ssl = no
>>    idmap domains = DNAME
>>    idmap uid = 10000-20000
>>    idmap gid = 10000-20000
>>
>> [T_drive]
>>    writeable = yes
>>    valid users = sambaname,'DNAME\uname'
>>    public = yes
>>    path = /data/T_drive
>>
>> Here is krb5.conf
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DNAME.LOCAL
>>
>> [realms]
>> DNAME.LOCAL = {
>>    default_domain =
>>    kdc = nvautil01.DNAME.local:
>>    admin_server = nvadom01:
>> }
>>
>> [domain_realm]
>> dname.local = DNAME.LOCAL
>>
>> pam.d directory samba file
>>
>> [root at solar samba]# more /etc/pam.d/samba
>> #%PAM-1.0
>> auth     sufficient  pam_krb5afs.so
>> account  sufficient  pam_krb5afs.so
>> auth     sufficient  pam_winbind.so
>> account  sufficient  pam_winbind.so
>> session  sufficient  pam_krb5afs.so
>> password sufficient  pam_krb5afs.so
>> auth     required    pam_unix.so
>> account  required    pam_unix.so
>> session  sufficient  pam_winbind.so
>> password sufficient  pam_winbind.so
> 
> 


-- 
Jason Gerfen
Systems Administration/Web application development
jason.gerfen at scl.utah.edu

Marriott Library
Lab Systems PC
295 South 1500 East
Salt Lake City, Utah 84112-0806
Ext 5-9810

"Tomorrow isn't promised so we live for today"
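A script to check the attribute and mapping conditions discussed in this reply, added here as an example; it is not part of the thread and not Samba's own tooling. It assumes the Windows 2003 R2 RFC2307 schema, where the home-directory attribute is unixHomeDirectory rather than the sfuHomeDirectory named above (change REQUIRED_ATTRS if your domain uses a different schema), and an smb.conf with an "idmap config DOMAIN:range" line as suggested earlier in the thread. The LDIF and smb.conf content it runs on are constructed samples modelled on the poster's setup (10000-20000 range). It goes one step beyond the reply: besides reporting which of the POSIX attributes are absent, it checks that uidNumber and gidNumber fall inside the configured idmap range, since idmap_ad also refuses to map IDs outside that range.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): verify that an AD user
# carries the RFC2307 attributes idmap_ad needs and that its numeric IDs sit
# inside the idmap range from smb.conf. Works on an LDIF file as written by
# "ldapsearch -LLL", so it can run offline on constructed data.

# uidNumber/gidNumber/loginShell as listed in the reply above; the home
# directory attribute is unixHomeDirectory in the 2003 R2 RFC2307 schema
# (assumption: that schema is in use; adjust for SFU-style schemas).
REQUIRED_ATTRS="uidNumber gidNumber loginShell unixHomeDirectory"

# ldif_attr <file> <attr>: first value of <attr> in an ldapsearch -LLL dump.
# Attribute names compare case-insensitively; base64 "::" values are not decoded.
ldif_attr() {
    awk -v a="$2" 'BEGIN { FS = ": " }
        tolower($1) == tolower(a) { print $2; exit }' "$1"
}

# idmap_range <smb.conf> <DOMAIN>: print "low high" taken from
# "idmap config DOMAIN:range = low - high" (spaces around '-' optional).
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $2:range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1"
}

# check_posix_attrs <ldif-file> <low> <high>: one finding per line; returns 0
# only when every attribute is present and uidNumber/gidNumber are in range.
check_posix_attrs() {
    ldif=$1; lo=$2; hi=$3; rc=0
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "NO_RANGE idmap range not found in smb.conf"; rc=1
    fi
    for attr in $REQUIRED_ATTRS; do
        val=$(ldif_attr "$ldif" "$attr")
        if [ -z "$val" ]; then
            echo "MISSING $attr"; rc=1
            continue
        fi
        echo "OK $attr=$val"
        case $attr in
        uidNumber|gidNumber)
            case $val in
            *[!0-9]*) echo "NOT_NUMERIC $attr=$val"; rc=1 ;;
            *) if [ -n "$lo" ] && { [ "$val" -lt "$lo" ] || [ "$val" -gt "$hi" ]; }; then
                   echo "OUT_OF_RANGE $attr=$val not in $lo-$hi"; rc=1
               fi ;;
            esac ;;
        esac
    done
    return $rc
}

# write_samples <dir>: constructed data mirroring the thread: an account with
# no loginShell and a uidNumber outside the poster's 10000-20000 range.
write_samples() {
    cat > "$1/uname.ldif" <<'EOF'
dn: CN=uname,CN=Users,DC=DNAME,DC=local
sAMAccountName: uname
uidNumber: 25000
gidNumber: 10001
unixHomeDirectory: /home/uname
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
   workgroup = DNAME
   idmap config DNAME:backend = ad
   idmap config DNAME:schema_mode = rfc2307
   idmap config DNAME:range = 10000 - 20000
EOF
}

d=$(mktemp -d)
write_samples "$d"
set -- $(idmap_range "$d/smb.conf" DNAME)
check_posix_attrs "$d/uname.ldif" "$1" "$2"
rm -rf "$d"

# Live use (needs a Kerberos ticket, e.g. from kinit or "wbinfo -K"):
#   ldapsearch -LLL -Y GSSAPI -H ldap://DCONTR.DNAME.local -b DC=DNAME,DC=local \
#       '(sAMAccountName=uname)' uidNumber gidNumber loginShell unixHomeDirectory \
#       > uname.ldif
#   check_posix_attrs uname.ldif $(idmap_range /etc/samba/smb.conf DNAME)
# Then compare with what winbind resolves: "wbinfo -n 'DNAME\uname'" prints the
# SID, and "wbinfo -S <SID>" (SID to UID) should return the same uidNumber.
```

On the constructed sample the script reports loginShell as MISSING and uidNumber 25000 as OUT_OF_RANGE for 10000-20000; either condition alone is enough for idmap_ad to fail the SID-to-UID lookup, which is exactly the situation to rule out before raising the debug level further.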

