[Samba] Samba server authenticating to W2k3 ADS

Matthew Arguin marguin at jackpotrewardsinc.com
Tue Oct 21 18:44:55 GMT 2008

I am looking for some info on an issue I have authenticating Samba
3.0 (CentOS 5) to a W2k3 AD.

Server info:
Samba server:  HP DL 365, CentOS 5 Linux:

KRB libs were installed and then updated via YUM.

Windows server: Same hardware, Win2k3 R2 Ent.

I have followed the instructions that I found on samba.org and seem to have
the krb stuff working and I am pretty sure the first time that I tried
joining the domain I got no error, but it did not seem to complete... And
when I try to join the domain again I get the following error:

[root at XXX ~]# net ads join -U Administrator
Administrator's password:
[2008/10/21 18:38:52, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: Invalid credentials

Although I have confirmed the credentials repeatedly... and KRB seems to be

[root at XXX ~]# kinit Administrator at JPRINC.NET
Password for Administrator at JPRINC.NET:
[root at XXX ~]#


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JPRINC.NET

[realms]
 JPRINC.NET = {
  kdc = ad1.jprinc.net
 }

[domain_realm]
 .kerberos.server = JPRINC.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

And smb.conf:

# smb.conf - configuration to allow for all MPR file sharing requirements
    large readwrite = no
    workgroup = JPRINC.NET
    realm = JPRINC.NET
    netbios name = AD1
    preferred master = no
    server string = %h Linux File Server (Samba)
    log file = /var/log/samba/log.%m
    log level = 5
    max log size = 1000
    security = ADS
    password server = ad1.jprinc.net
    encrypt passwords = yes
    winbind separator = -
    printcap name = cups
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    comment = Marketplace Rewards Public Share
    writable = yes
    path = /fileshare/public
    public = yes
    guest account = nobody
    map to guest = bad user
    only guest = yes
    browsable = yes
    comment = User Home Directories
    valid users = %S
    browseable = No
    read only = No
    writable = Yes

I seem to have some sort of connectivity to the domain because the info
below is correct:

[root at XXX ~]# net ads info
LDAP server: A.B.C.D
LDAP server name: ad1.jprinc.net
Bind Path: dc=JPRINC,dc=NET
LDAP port: 389
Server time: Tue, 21 Oct 2008 18:39:58 UTC
KDC server: A.B.C.D
Server time offset: -108

Matthew Arguin
Production Support
Jackpotrewards, Inc.
275 Grove St
Newton, MA 02466
617-795-2850 x 2325
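Added example (not part of Matthew's post and not Samba's own code): a small pre-join
lint that parses smb.conf and krb5.conf text and flags the member-server settings a
reviewer would check first when "kinit succeeded but ads_sasl_spnego_krb5_bind failed"
shows up. The sample configs are constructed from the values quoted above; the
[section] headers, the corrected values FILESRV1 and JPRINC, and the ".jprinc.net"
domain_realm mapping are assumptions, not taken from the post. Two things it catches in
the posted config: "workgroup" holds the DNS realm instead of the NetBIOS domain name,
and "netbios name = AD1" is the domain controller's own host name, so the join would
be trying to use the DC's computer account rather than creating one for the file server.

```python
"""Lint a Samba 3 'security = ADS' member configuration before 'net ads join'."""
import re

# Constructed sample: smb.conf [global] values quoted in the post (header assumed).
SMB_CONF_AS_POSTED = """
[global]
    workgroup = JPRINC.NET
    realm = JPRINC.NET
    netbios name = AD1
    security = ADS
    password server = ad1.jprinc.net
    encrypt passwords = yes
"""

# Constructed sample: krb5.conf lines quoted in the post, standard headers assumed.
KRB5_CONF_AS_POSTED = """
[libdefaults]
    default_realm = JPRINC.NET
[realms]
    JPRINC.NET = {
        kdc = ad1.jprinc.net
    }
[domain_realm]
    .kerberos.server = JPRINC.NET
"""

# Constructed sample: the relevant lines of the posted 'net ads info' output.
NET_ADS_INFO_AS_POSTED = "LDAP server name: ad1.jprinc.net\nServer time offset: -108\n"

# Constructed corrected versions (host name FILESRV1 and workgroup JPRINC are assumed).
SMB_CONF_FIXED = SMB_CONF_AS_POSTED.replace("workgroup = JPRINC.NET", "workgroup = JPRINC") \
                                   .replace("netbios name = AD1", "netbios name = FILESRV1")
KRB5_CONF_FIXED = KRB5_CONF_AS_POSTED + "    .jprinc.net = JPRINC.NET\n    jprinc.net = JPRINC.NET\n"


def parse_conf(text):
    """Parse smb.conf / krb5.conf style text into {section: {key: value}}.
    Keys are lower-cased; a nested 'NAME = { ... }' block is flattened into its section."""
    sections, current = {}, "global"      # smb.conf allows parameters before any [section]
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line or line == "}":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value != "{":                      # 'REALM = {' only opens a block
                sections.setdefault(current, {})[key.lower()] = value
    return sections


def check_ads_member(smb_text, krb5_text, net_ads_info_text="", max_skew=300):
    """Return a list of (severity, message) findings for an ADS member server."""
    smb = parse_conf(smb_text).get("global", {})
    krb = parse_conf(krb5_text)
    realm = smb.get("realm", "")
    workgroup = smb.get("workgroup", "")
    netbios = smb.get("netbios name", "")
    dc_hosts = [smb.get("password server", ""), krb.get("realms", {}).get("kdc", "")]
    findings = []

    if smb.get("security", "").lower() != "ads":
        findings.append(("error", "security must be 'ads' for a Kerberos domain member"))
    if not realm or realm != realm.upper():
        findings.append(("error", "realm must be the Kerberos realm in upper case"))
    default_realm = krb.get("libdefaults", {}).get("default_realm", "")
    if default_realm != realm:
        findings.append(("error", f"krb5.conf default_realm {default_realm!r} differs from smb.conf realm {realm!r}"))
    if "." in workgroup:   # workgroup is the NetBIOS (pre-Windows 2000) domain name, never a DNS name
        findings.append(("error", f"workgroup {workgroup!r} is a DNS name; use the NetBIOS domain name, "
                                  f"e.g. {realm.split('.')[0]!r}"))
    if netbios.upper() in {h.split(".")[0].upper() for h in dc_hosts if h}:
        findings.append(("error", f"netbios name {netbios!r} is the domain controller's own host name; "
                                  "the member needs a distinct name so the join creates its own computer account"))
    if len(netbios) > 15:
        findings.append(("error", "netbios name exceeds the 15-character NetBIOS limit"))
    dns_domain = "." + realm.lower()
    if dns_domain not in krb.get("domain_realm", {}):
        findings.append(("warning", f"krb5.conf [domain_realm] has no mapping {dns_domain!r} -> {realm!r}"))
    skew = re.search(r"Server time offset:\s*(-?\d+)", net_ads_info_text)
    if skew and abs(int(skew.group(1))) > max_skew:   # Kerberos default tolerance is 5 minutes
        findings.append(("error", f"clock skew {skew.group(1)}s exceeds the {max_skew}s Kerberos tolerance"))
    return findings


if __name__ == "__main__":
    for label, smb, krb in (("as posted", SMB_CONF_AS_POSTED, KRB5_CONF_AS_POSTED),
                            ("corrected", SMB_CONF_FIXED, KRB5_CONF_FIXED)):
        print(f"== {label} ==")
        for severity, message in check_ads_member(smb, krb, NET_ADS_INFO_AS_POSTED):
            print(f"  [{severity}] {message}")
```

The 108-second offset reported by "net ads info" is inside the default 300-second Kerberos tolerance, which is consistent with kinit succeeding; the lint only reports skew once it would actually break ticket validation.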
