[Samba] Accessing member server prompts for credentials

Toby Bluhm tkb at midwestinstruments.com
Wed Jun 18 15:35:58 GMT 2008


Leon Stringer wrote:
> I'm still struggling with this if anyone can help.
>
> I'm backtracking through the HOWTO and realised that I hadn't created
> a machine trust account.
>
> So I've done:
>  # groupadd machines
>  # /usr/sbin/useradd -g machines -d /var/lib/nobody -c "Test Server" -s /bin/false server1
>  # passwd -l server1
>  Locking password for user server1.
>  # smbpasswd -a -m server1
>  Failed to modify password entry for user server1$
>
> Please can anyone tell me why this last step fails?
>   

Those commands are for working with an NT4 domain. They're of no use if 
you're trying to join samba to an AD domain.

>  
>   
>> From: Leon Stringer <leon.stringer at ntlworld.com>
>> Date: 2008/06/17 Tue AM 11:13:14 GMT
>> To: <samba at lists.samba.org>
>> Subject: [Samba] Accessing member server prompts for credentials
>>
>> Hi,
>>
>> I'm trying to join a server as an AD member but it isn't working.
>>
>> I do:
>>
>>  kinit ADMINISTRATOR@DOMAIN1.CO.UK
>>
>> which prompts for the password and displays nothing else. Then I do:
>>
>>  net ads join -U Administrator%XXXXX
>>
>> which returns:
>>
>>  Using short domain name -- DOMAIN1
>>  Joined 'SERVER1' to realm 'DOMAIN1.CO.UK'
>>
>> So all looks OK, but when I try to browse the shares on \\server1
>> from another domain member I'm prompted for a username and password. Any valid domain credentials are rejected.
>>
>> The log file for the IP address for the computer I'm trying to connect
>> from says:
>>
>>  [2008/06/17 11:54:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(316)
>>    Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
>>
>> log.smbd says:
>>  [2008/06/17 11:55:47, 0] auth/auth_util.c:create_builtin_administrators(792)
>>    create_builtin_administrators: Failed to create Administrators
>>  [2008/06/17 11:55:47, 0] auth/auth_util.c:create_builtin_users(758)
>>    create_builtin_users: Failed to create Users
>>
>> smb.conf says:
>>  [global]
>>         workgroup = DOMAIN1
>>         realm = DOMAIN1.CO.UK
>>         security = ADS
>>
>> Samba 3.0.30 on Fedora 8.
>>
>> Can anyone tell me where I'm going wrong?
>>
>>     
>
>   

Actually, it all looks good so far, but you need a little more setup so 
samba can authenticate accounts against AD.

Do you have winbindd running?
What does 'wbinfo -t' tell you?
Do you have the winbind sections in smb.conf configured correctly?
Can you get a list of AD accounts with 'wbinfo -u'?
Did you configure nsswitch.conf correctly?
If 'id "DOMAIN\user"' returns useful info about the user, your machine 
is authenticating with AD correctly.
Also, ntpd needs to sync the time very closely with the domain. 'date ; 
net time -w DOMAIN' should show times that are within seconds of each other.


Go back to the Samba HOWTO and review Ch. 24 and 29. Any text in the 
HOWTO that mentions NT4 or PDC or BDC configuration is not for your 
situation.


-- 
Toby Bluhm
Alltech Medical Systems America, Inc.
30825 Aurora Road Suite 100
Solon Ohio 44139
440-424-2240 ext203
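
The checks listed in the reply above, gathered into one script as an added example (not part of the original message and not Samba's own tooling). It assumes `idmap uid` and `idmap gid` are the winbind settings a Samba 3.0.x member server needs in `[global]`, that smb.conf lives at `/etc/samba/smb.conf`, and that the domain and user names are supplied by the operator.

```shell
#!/bin/sh
# Added example: the member-server checks from the reply, run in order.

# nss_has_winbind FILE DB -> 0 if DB's line in nsswitch.conf lists winbind
nss_has_winbind() {
    awk -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# smbconf_missing FILE -> prints [global] winbind settings that are absent.
# Assumption: "idmap uid"/"idmap gid" are the ones a Samba 3.0.x member needs.
smbconf_missing() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && NF >= 2 {
            key = tolower($1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            seen[key] = 1
        }
        END {
            n = split("idmap uid,idmap gid", want, ",")
            for (i = 1; i <= n; i++) if (!(want[i] in seen)) print want[i]
        }' "$1"
}

# check LABEL COMMAND... -> prints ok/FAIL and counts failures in $fails
check() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then printf 'ok    %s\n' "$label"
    else printf 'FAIL  %s\n' "$label"; fails=$((fails + 1)); fi
}

run_checks() {   # run_checks DOMAIN USER (both supplied by the operator)
    domain=$1; user=$2; fails=0
    check "winbindd running"               pgrep -x winbindd
    check "wbinfo -t (trust secret)"       wbinfo -t
    check "wbinfo -u (AD account list)"    wbinfo -u
    check "nsswitch passwd has winbind"    nss_has_winbind /etc/nsswitch.conf passwd
    check "nsswitch group has winbind"     nss_has_winbind /etc/nsswitch.conf group
    check "id $domain\\$user"              id "$domain\\$user"
    smbconf_missing /etc/samba/smb.conf | sed 's/^/FAIL  smb.conf lacks: /'
    date; net time -w "$domain"   # compare the two times by eye
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then run_checks "${2:-DOMAIN}" "${3:-user}"; fi
```

Run against the smb.conf quoted in the thread, `smbconf_missing` reports both idmap settings as absent, which matches the reply's point that more setup is needed before winbind can map AD accounts.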