[Samba] Samba server authenticating to W2k3 ADS

Matthew Arguin marguin at jackpotrewardsinc.com
Tue Oct 21 18:44:55 GMT 2008


I am looking for some info on an issue I have authenticating Samba
3.0 (CentOS 5) to a W2k3 AD.

Server info:
Samba server:  HP DL 365, CentOS 5 Linux:
samba-3.0.28-1.el5_2.1
samba-common-3.0.28-1.el5_2.1
pam_krb5-2.2.11-1
krb5-workstation-1.6.1-25.el5_2.1
krb5-libs-1.6.1-25.el5_2.1

KRB libs were installed and then updated via YUM.

Windows server: Same hardware, Win2k3 R2 Ent.


I have followed the instructions that I found on samba.org and seem to have
the krb stuff working, and I am pretty sure the first time that I tried
joining the domain I got no error, but it did not seem to complete... And
when I try to join the domain again I get the following error:

[root@XXX ~]# net ads join -U Administrator
Administrator's password:
[2008/10/21 18:38:52, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: Invalid credentials


Although I have confirmed the credentials repeatedly... and KRB seems to be
working:

[root@XXX ~]# kinit Administrator@JPRINC.NET
Password for Administrator@JPRINC.NET:
[root@XXX ~]#


krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = JPRINC.NET

[realms]
 JPRINC.NET = {
  kdc = ad1.jprinc.net
 }

[domain_realm]
 .kerberos.server = JPRINC.NET

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

And smb.conf:

#
# smb.conf - configuration to allow for all MPR file sharing requirements
#
[global]
    large readwrite = no
    workgroup = JPRINC.NET
    realm = JPRINC.NET
    netbios name = AD1
    preferred master = no
    server string = %h Linux File Server (Samba)
    log file = /var/log/samba/log.%m
    log level = 5
    max log size = 1000
    security = ADS
    password server = ad1.jprinc.net
    encrypt passwords = yes
    winbind separator = -
    printcap name = cups
    printing = cups
    idmap uid = 10000-20000
    idmap gid = 10000-20000

[public]
    comment = Marketplace Rewards Public Share
    writable = yes
    path = /fileshare/public
    public = yes
    guest account = nobody
    map to guest = bad user
    only guest = yes
    browsable = yes
[homes]
    comment = User Home Directories
    valid users = %S
    browseable = No
    read only = No
    writable = Yes


I seem to have some sort of connectivity to the domain because the info
below is correct:


[root@XXX ~]# net ads info
LDAP server: A.B.C.D
LDAP server name: ad1.jprinc.net
Realm: JPRINC.NET
Bind Path: dc=JPRINC,dc=NET
LDAP port: 389
Server time: Tue, 21 Oct 2008 18:39:58 UTC
KDC server: A.B.C.D
Server time offset: -108

--
Matthew Arguin
Production Support
Jackpotrewards, Inc.
275 Grove St
Newton, MA 02466
617-795-2850 x 2325
www.jackpotrewards.com
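As an added pre-join sanity check (not part of the original post and not a Samba tool), the script below reads an smb.conf and a krb5.conf and flags settings worth verifying before `net ads join`: a `workgroup` that is a DNS name instead of the NetBIOS domain name, a member `netbios name` equal to the domain controller's hostname, a realm mismatch between the two files, a `[domain_realm]` section with no mapping for the realm's DNS domain, and clock skew beyond the 300 s Kerberos default. The DC short name and the offset argument are assumptions, and the embedded sample configs are constructed to resemble the ones in the post.

```shell
#!/bin/sh
# Added pre-join sanity check for a "security = ADS" Samba member; not from the post.
# Args (assumed): smb.conf, krb5.conf, DC short hostname, clock offset (s) from `net ads info`.

conf_get() {  # $1=file $2=key -> value of the first "key = value" line, trimmed
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

check_ads_config() {  # $1=smb.conf $2=krb5.conf $3=DC short name $4=offset in seconds
    n=0
    wg=$(conf_get "$1" workgroup); realm=$(conf_get "$1" realm)
    nb=$(conf_get "$1" "netbios name"); krealm=$(conf_get "$2" default_realm)
    # workgroup is the short NetBIOS domain name; a dotted DNS name there is wrong
    case "$wg" in *.*) echo "workgroup '$wg' is a DNS name; use the NetBIOS domain name"; n=$((n+1));; esac
    # smb.conf realm and krb5.conf default_realm must name the same realm
    [ "$(upper "$realm")" = "$(upper "$krealm")" ] \
        || { echo "realm '$realm' does not match krb5 default_realm '$krealm'"; n=$((n+1)); }
    # a member named like the domain controller collides with the DC's own account
    [ "$(upper "$nb")" != "$(upper "$3")" ] \
        || { echo "netbios name '$nb' is the domain controller's name"; n=$((n+1)); }
    # [domain_realm] should map the realm's DNS domain (lower-cased realm) to the realm
    dom=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]' | sed 's/\./\\./g')
    grep -qi "^[[:space:]]*\.\{0,1\}$dom[[:space:]]*=" "$2" \
        || { echo "krb5.conf [domain_realm] has no entry for the realm's DNS domain"; n=$((n+1)); }
    # Kerberos rejects tickets once the skew exceeds 300 s (the default clockskew)
    [ "${4#-}" -lt 300 ] || { echo "clock offset ${4}s exceeds the 300 s Kerberos limit"; n=$((n+1)); }
    return $n
}

write_sample_configs() {  # $1=dir; constructed samples shaped like the post's configs
    cat >"$1/smb.conf" <<'EOF'
[global]
    workgroup = JPRINC.NET
    realm = JPRINC.NET
    netbios name = AD1
    security = ADS
EOF
    cat >"$1/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = JPRINC.NET
[domain_realm]
 .kerberos.server = JPRINC.NET
EOF
}

if [ "${1:-}" = "demo" ]; then  # run as: sh check.sh demo
    d=$(mktemp -d); write_sample_configs "$d"
    check_ads_config "$d/smb.conf" "$d/krb5.conf" ad1 -108; echo "findings: $?"
fi
```

On the sample configs the check reports three findings (workgroup, netbios name, domain_realm); the -108 s offset is inside the default skew and is not flagged.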