[Samba] Samba AD member and connections from non-AD systems

Mon Apr 18 00:54:28 MDT 2011

Why do you need a wins server in a ads; wins support = yes!!??
To login with smbclient to a ads the host need to be a trusted machine, as I
know.

-----------------------------------------------
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------
-----Ursprüngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] Im
Auftrag von Markus Iturriaga Woelfel
Gesendet: Montag, 18. April 2011 01:02
An: samba at lists.samba.org
Betreff: [Samba] Samba AD member and connections from non-AD systems

Hi - I've scoured the mailing list archives as well as other help sources
online and haven't figured out what my problem is or what I'm doing wrong.
Any help would be greatly appreciated.

Scenario:

I have a samba 3.5.5 server running on CentOS 5.5. This system is a member
of an Active Directory domain. FYI, I am not the domain administrator, but I
am an OU admin and can create machine accounts inside a OU. This system is
not meant to provide winbind type services to the Unix sude but simply allow
sharing of Unix file systems to Windows systems while authenticating against
the AD. Usernames in Linux and in the AD are translated via a username map
script.

If I understand the instructions at
https://wiki.samba.org/index.php/Samba%2C_Active_Directory_%26_LDAP
correctly, I don't have to run winbind in this scenario, however, I've tried
this with both winbind running and not running.

Connecting to services from AD member Windows systems works without any
problems. I can map Unix home areas and other shares and even the username
translation works fine. However, if I want to connect to the samba server
from a non-AD system, e.g. from another Linux system via smbclient or from a
Mac, I get a variety of errors. This leads me to believe there could be a
problem with the kerberos setup on the samba server.

If I don't run winbind, the error I get is:

session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I do start winbind, the error is:

session setup failed: NT_STATUS_ACCESS_DENIED

My smb.conf file is:

workgroup = UTK
server string = Samba %v
netbios name = SAMBA
client schannel = no
wins support = yes
dns proxy = yes
name resolve order = wins lmhosts hosts bcast
local master = yes
domain master = no
preferred master = no
enhanced browsing = yes
username map script = /etc/samba/netid_to_eecs.pl
client use spnego = no
security = ads
passdb backend = tdbsam
realm = UTK.TENNESSEE.EDU
password server = *
load printers = no

My /etc/krb5.conf file looks like this:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UTK.TENNESSEE.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 UTK.TENNESSEE.EDU = {
 kdc = a.b.c.d
 kdc = e.f.g.h

(list of AD domain controller IP addresses)

 }

[domain_realm]
 .kerberos.server = UTK.TENNESSEE.EDU
 .utk.tennessee.edu = UTK.TENNESSEE.EDU
 utk.tennessee.edu = UTK.TENNESSEE.EDU

The kinit command appears to succeed and the system appears to be properly
joined to the domain:  
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: miturria at UTK.TENNESSEE.EDU

Valid starting     Expires            Service principal
04/17/11 13:29:20  04/17/11 23:29:22
krbtgt/UTK.TENNESSEE.EDU at UTK.TENNESSEE.EDU
        renew until 04/18/11 13:29:20, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5 

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

samba ~ # net ads info
LDAP server: a.b.c.d
LDAP server name: domain.controller.name
Realm: UTK.TENNESSEE.EDU
Bind Path: dc=UTK,dc=TENNESSEE,dc=EDU
LDAP port: 389
Server time: Sun, 17 Apr 2011 18:57:44 EDT
KDC server: 160.36.76.183
Server time offset: 0

I'd be happy to post any log file excerpts that would help. Many of the
samba config file directives were put in because of similar-sounding
problems (e.g. client schannel and spnego). Here is a small excerpt of what
happens if I try this with winbind running. 

[2011/04/17 18:52:35.141821,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [UTK]\[miturria]@[KILKENNY]
[2011/04/17 18:52:35.141859,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/04/17 18:52:35.141884,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/04/17 18:52:35.141915,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/04/17 18:52:35.145914,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/17 18:52:35.145932,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [miturria] -> [miturria]
FAILED with error NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146031,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX)
NT_STATUS_ACCESS_DENIED
[2011/04/17 18:52:35.146635,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/04/17 18:52:35.146664,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to 
[2011/04/17 18:52:35.146911,  3] smbd/server.c:902(exit_server_common)
  Server exit (failed to receive smb request)

Any help would be greatly appreciated!
---
Markus A. Iturriaga Woelfel, IT Administrator
Electrical Engineering and Computer Science
University of Tennessee
203 Claxton Complex / 1122 Volunteer Blvd.
Knoxville, TN 37996-3450
miturria at eecs.utk.edu / (865) 974-3837
http://twitter.com/UTKEECSIT

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba