[Samba] samba ADS-based authentication fails with NT_STATUS_NO_SUCH_USER but wbinfo works
Andrew Masterson
Andrew.Masterson at nuvistaenergy.com
Fri Feb 18 10:28:53 MST 2011
> On 18 February 2011 16:32, Andrew Masterson
> <Andrew.Masterson at nuvistaenergy.com> wrote:
> > First thing I would do is a testparm -v on both the old and new
> > boxes, and do a diff -a on those files to see what has changed.
> >
> > Samba changes default options between versions so what may have
> > worked on an older version is not guaranteed to work on the new ones.
> >
> > Also, what does your krb5.conf file look like?
> >
> > -=Andrew
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Geoff Winkless
> Sent: Friday, February 18, 2011 10:14 AM
> To: samba
> Subject: Re: [Samba] samba ADS-based authentication fails with
> NT_STATUS_NO_SUCH_USER but wbinfo works
>
> Once again, I forgot to change the "To:" line so apologies to Andrew,
> who will have this twice....
>
> Hi Andrew, thanks for the response.
>
> (I've modified the subject line because I just realised I
> mis-remembered the error message when I typed the subject line
> before...)
>
> I was running 3.0.33 on both boxes with identical conf files; it
> wasn't working then, so I updated to 3.5 in case it improved matters
> (it didn't). I can't get onto the first box right now cos I don't have
> admin rights on it and the owner's not here, but I'll try to get the
> output from testparm on Monday.
>
> krb5.conf file looks like this:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = LAN.XXXX.CO.UK
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
>
> [realms]
> LAN.XXXX.CO.UK = {
> kdc = 192.168.3.1
> admin_server = 192.168.3.1
> default_domain = LAN.XXXX.CO.UK
> }
>
> [domain_realm]
> .lan.xxxx.co.uk = LAN.XXXX.CO.UK
> lan.xxxx.co.uk = LAN.XXXX.CO.UK
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> Thanks again
>
> Geoff
>
Your krb5.conf file looks pretty much the same, except I had to modify
mine to get it to work with 2008 DCs; I specify the ports in the realms
section, and have no kdc profile. Did you copy that kdc.conf file over
as well (if it is needed at all)?

default_tkt_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

-=Andrew
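
Added example, not part of the original messages: the "diff the two configurations" approach from this thread applied to krb5.conf, by flattening each profile to section/key paths so that only real setting differences show up. The function names are hypothetical, GEOFF is an abbreviated copy of the file quoted above, and OTHER is a constructed variant with the two enctypes lines added and the [kdc] section dropped.

```python
import re

def parse_krb5(text):
    """Flatten a krb5.conf profile into {"section/sub/key": [values]}."""
    flat, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # [section] header resets nesting
            path = [m.group(1)]
        elif line == "}":                        # end of a { ... } subsection
            if len(path) > 1:
                path.pop()
        else:
            key, _, val = (p.strip() for p in line.partition("="))
            if val == "{":                       # start of a subsection
                path.append(key)
            else:                                # keys may repeat (e.g. several kdc lines)
                flat.setdefault("/".join(path + [key]), []).append(val)
    return flat

def diff_profiles(a, b):
    """Return {key: (values_in_a, values_in_b)} for every setting that differs."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Abbreviated copy of the krb5.conf quoted in the thread.
GEOFF = """
[libdefaults]
 default_realm = LAN.XXXX.CO.UK
 dns_lookup_kdc = false
[realms]
 LAN.XXXX.CO.UK = {
  kdc = 192.168.3.1
  admin_server = 192.168.3.1
 }
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
"""
ENC = "arcfour-hmac-md5 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"
# Constructed variant: no [kdc] section, enctypes added under [libdefaults].
OTHER = GEOFF.split("[kdc]")[0].replace(
    "[libdefaults]",
    "[libdefaults]\n default_tkt_enctypes = " + ENC +
    "\n default_tgs_enctypes = " + ENC)

DIFF = diff_profiles(parse_krb5(GEOFF), parse_krb5(OTHER))
if __name__ == "__main__":
    for key, (old, new) in DIFF.items():
        print(f"{key}: {old} -> {new}")
```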