[Samba] Help with ADS authentication and Samba

Brian O'Mahony brian.omahony at curamsoftware.com
Fri Mar 11 06:27:06 MST 2011


It is XP.

When I ran net use \\rhel5u5\tmp /USER:DOMAIN\brian.omahony I get:

The password or user name is invalid for \\rhel5u5live\tmp.

Enter the password for 'ITDESIGN2\brian.omahony' to connect to 'rhel5u5live':
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

Obviously I entered my Windows password when I was prompted.

The working server does NOT have entries in the hosts file, and this server DOES. However both can dig the DC successfully.

Here is the machine log:

[root at rhel5u5live samba]# cat log.soundwave 
[2011/03/11 13:25:31,  6] param/loadparm.c:7028(lp_file_list_changed)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Fri Mar 11 13:21:32 2011
  
[2011/03/11 13:25:31,  5] smbd/reply.c:503(reply_special)
  init msg_type=0x81 msg_flags=0x0
[2011/03/11 13:25:31,  5] lib/util_sock.c:528(read_fd_with_timeout)
  read_fd_with_timeout: blocking read. EOF from client.
[2011/03/11 13:25:31,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/11 13:25:31,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2011/03/11 13:25:31,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/03/11 13:25:31,  5] smbd/uid.c:368(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2011/03/11 13:25:31,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to 
[2011/03/11 13:25:31,  3] smbd/connection.c:42(yield_connection)
  deleting connection record returned NT_STATUS_NOT_FOUND
[2011/03/11 13:25:31,  3] smbd/server.c:845(exit_server_common)
  Server exit (failed to receive smb request)


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Geoff Winkless
Sent: Friday, March 11, 2011 11:49 AM
To: samba
Subject: Re: [Samba] Help with ADS authentication and Samba

2011/3/11 Brian O'Mahony <brian.omahony at curamsoftware.com>:
> Hi there, just recently joined this list as I seem to be having a little trouble that I am hoping someone can help with.
>
> I recently installed a RHEL5.5 server and updated samba to samba3-3.4.11-42.el5.x86_64.rpm. I had never set up samba to authenticate with ADS so I read a little bit and dove right in. The server now works fine, so when I browse to \\machinename no login box pops up, and I see the shares, and every user in the domain can write to them.
>
> So far so good. I then try to replicate this on another server and then the problems started. Here is the procedure I followed:
>
> I copied smb.conf, krb5.conf over to the new server from the working copy. Edited nsswitch.conf to add winbind to the end of passwd, group and shadow.
>
> I then ran "kinit admin". This worked. I then ran kdestroy to destroy the token.
>
> [root at rhel5u5live ~]# net ads join -U ictadmin
> Enter ictadmin's password:
> Using short domain name -- XXX
> Joined 'RHEL5U5LIVE' to realm 'xxx.com'
> [root at rhel5u5live ~]# net ads testjoin
> Join is OK
> [root at rhel5u5live ~]# wbinfo -u | grep brian.om
> XXX/brian.omahony
>
>
> So it seems to be able to look up users etc. on the Domain controller. However when I browse to \\machinename a login box pops up. I *know* I must have forgotten something, but can't figure out what.

Welcome to my world. I have exactly the same issue - one server works
fine, the other doesn't, even though all the wb tests seem to be fine.

Is it an XP client, by any chance?

I've narrowed it down to a kerberos issue, I believe. If you run

    net use \\servername\share /user:XXX/brian.omahony

does it work correctly without asking for a password? This seems to be
NTLM vs Kerberos auth, but I can't get any further than that.

One thing to check, make sure that you have FQDN entries in the
server's /etc/hosts (or as reverse entries in DNS) for your dc and the
server itself. i.e. when you do

  dig -x 192.168.6.10

(the IP address of the server, obviously) from the server, do you get
the full domain name or just the hostname? Various pages suggest that
might be the cause of the problem, although it doesn't help me.

Geoff
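The name-resolution checks Geoff describes (FQDN for the server and the DC via reverse DNS or /etc/hosts), collected into a small diagnostic script. This is an added example, not code from the thread or from Samba; the IP 192.168.6.10, the FQDN rhel5u5live.xxx.com and the sample /etc/hosts lines are placeholders taken from or modelled on the thread.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Checks that reverse lookups
# and /etc/hosts hand the Samba server its FQDN rather than a bare hostname,
# which is what Kerberos needs to match the cifs/ SPN. Placeholders:
# 192.168.6.10 and rhel5u5live.xxx.com are assumed values, not real ones.

# ptr_is_fqdn PTR_ANSWER EXPECTED_FQDN
# `dig +short -x IP` prints the PTR target with a trailing dot; normalise
# case and the dot, then require an exact match with the expected FQDN.
ptr_is_fqdn() {
    ptr=$(printf '%s\n' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    want=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    [ -n "$ptr" ] && [ "$ptr" = "$want" ]
}

# hosts_fqdn_first HOSTS_LINE DOMAIN
# gethostbyaddr() returns the first name on the matching /etc/hosts line, so
# the FQDN must come first: "192.168.6.10 rhel5u5live.xxx.com rhel5u5live".
hosts_fqdn_first() {
    first=$(printf '%s\n' "$1" | sed 's/#.*//' | awk '{print $2}' | tr 'A-Z' 'a-z')
    dom=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    case "$first" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# Live checks, run on the Samba host itself (needs dig, net, wbinfo, klist).
run_live_checks() {
    ip=${1:-192.168.6.10}; fqdn=${2:-rhel5u5live.xxx.com}; dom=${fqdn#*.}
    echo "hostname -f: $(hostname -f)"
    ptr=$(dig +short -x "$ip" | head -n 1)
    if ptr_is_fqdn "$ptr" "$fqdn"; then echo "PTR ok: $ptr"
    else echo "PTR problem: got '$ptr', expected $fqdn"; fi
    ip_re=$(printf '%s\n' "$ip" | sed 's/\./\\./g')
    line=$(grep -E "^[[:space:]]*$ip_re[[:space:]]" /etc/hosts | head -n 1)
    if [ -z "$line" ]; then echo "/etc/hosts: no entry for $ip (fine if DNS is right)"
    elif hosts_fqdn_first "$line" "$dom"; then echo "/etc/hosts ok: $line"
    else echo "/etc/hosts: FQDN must come first on: $line"; fi
    net ads testjoin && wbinfo -t && { klist 2>/dev/null || echo "klist: no ticket"; }
}

# Only run the live part when explicitly asked: ./check.sh --live IP FQDN
if [ "${1:-}" = "--live" ]; then run_live_checks "$2" "$3"; fi
```

Run it with `--live 192.168.6.10 rhel5u5live.xxx.com` on each server and compare the output of the working and the failing host side by side.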


