[Samba] SAMBA + ADS + Kerberos Problem...

Michael Fernández M michael at michael.cl
Wed Jul 30 22:37:14 GMT 2008

Hi, I am trying to join a samba to ADS with kerberos + Winbind....

Everything is right, i mean, when i do the following:

kinit Administrator at DOMAIN.CL

(Ask for the password) and OK.


debian:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at DOMAIN.CL

Valid starting     Expires            Service principal
07/30/08 16:49:17  07/31/08 02:49:21  krbtgt/DOMAIN.CL at DOMAIN.CL
        renew until 07/31/08 02:49:17

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


net ads join -Uadministrator%pass

Is correct, the machine  is joined to the AD

getent passwd  Show the ADS users...
getent group show the ADS groups...

wbinfo -t 
checking the trust secret via RPC calls succeeded


smbclient //adspc/c\$ -k

Connect to the adspc without password and show the directories

The Big "BUT" is:

When I connect with a M$ user with smbclient to a local share on the
samba server i got: 

smbclient //localhost/eee/ -Uadministrator

session setup failed: NT_STATUS_ACCESS_DENIED

The  logs show:

[2008/07/30 17:01:32, 5] rpc_parse/parse_prs.c:prs_ntstatus(767)
      001c status      : NT_STATUS_ACCESS_DENIED
[2008/07/30 17:01:32, 10] libsmb/credentials.c:creds_client_check(325)
  creds_client_check: credentials check OK.
[2008/07/30 17:01:32, 3]
  winbindd_pam_auth: sam_logon returned ACCESS_DENIED.  Maybe the trust
account password was changed and we didn't know it. Killing connections
to domain DOMAIN

When i do:

wbinfo -u: Show the ADS user BUT not show the DOMAIN I mean:

Does not show: DOMAIN + ADS_USER only show ADS_USER
The same with wbinfo -g

Other think, every time i reset the machine i lost the ticket for
kerberos. This is not normal.....

The krb5.conf:

        default_realm = DOMAIN.CL

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc

        DOMAIN = {
                kdc =
                admin_server = adspc
                default_domain = DOMAIN.CL

        .domain.cl = DOMAIN.CL
         domain.cl = DOMAIN.CL
        krb4_convert = true
        krb4_get_tickets = false


* smb.conf:

security = ADS
netbios name = debian
realm = DOMAIN.CL
#username map = /etc/samba/smbusers
encrypt passwords = yes
password server =
workgroup = DOMAIN
idmap uid = 10000-20000
idmap gid = 10000-20000
ldap ssl = no
log level = 20
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
#domain master = no

* nssswitch.conf

passwd:         files winbind
group:          files winbind
shadow:         files
hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

The /pam.d/ Files..

* common-account

auth sufficient pam_winbind.so
account required        pam_unix.so

* common-auth

auth sufficient pam_winbind.so
auth required   pam_unix.so nullok_secure use_first_pass

* common-password

password   required   pam_unix.so nullok obscure min=4 max=50 md5

* common-session

session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel umask=0022

Well i hope somebody can help me with this! i tried to gave all the

THANKS!!!!!!!!!!!!!! a LOT!!


More information about the samba mailing list