[Samba] [Samba4] Problem with Joining Samba3 to Samba4 AD Domain

Varoujan Avanessians vavanessians at accoes.com
Tue Jan 8 09:40:22 MST 2013

Hello everyone,
I have reached the end of my rope and desperately need help.
I recently installed two Samba4 Active Directory Domain Controllers on
CentOS 6.3 which are working perfectly, and I had joined a Samba3 server to
this domain and everything went well. I could authenticate users on the Samba3
server and could see all the groups in the domain, but I was having a
permissions problem accessing the share that I had created on the Samba3
server. I could see the share but could not access it. With some poking
around I discovered that disabling "selinux" would solve the issue.
Everything was working well before the New Year. Today when I tried to
access the share I got the same problem, so I thought I might restart the
server, and after the restart I had the following error messages in

Jan  7 15:42:58 samba3 winbindd[2346]: [2013/01/07 15:42:58.674815,  0]
Jan  7 15:42:58 samba3 winbindd[2346]:   kinit succeeded but
ads_sasl_spnego_krb5_bind failed: Invalid credentials

I noticed that I could no longer see the users or groups when I ran wbinfo
-u and wbinfo -g.

Here are the steps I took to try and resolve the problem, but without success:

1- Removed the samba3 machine from Samba4 AD
2- Stopped smb and winbind on samba3
3- deleted all tdb files from /var/lib/samba
4- started the smb and winbind services
5- ran:
[root at Samba3 ~]# kinit administrator
Password for administrator at DOMAIN.COMPANY.COM:
Warning: Your password will expire in 17 days on Fri Jan 25 15:00:57 2013
[root at Samba3 ~]#

6- Next I ran:
[root at Samba3 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at DOMAIN.COMPANY.COM

Valid starting     Expires            Service principal
01/07/13 16:17:58  01/08/13 02:17:58  krbtgt/DOMAIN>
    renew until 01/08/13 16:17:28

7- Then I tried the following commands in turn

[root at Samba3 ~]# net ads join -U administrator
Enter administrator's password:
[2013/01/07 16:21:03.456721,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

[root at Samba3 ~]# net ads testjoin
[2013/01/07 16:25:09.437670,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
[2013/01/07 16:25:09.665259,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Join to domain is not valid: Invalid credentials

[root at Samba3 ~]# net rpc join -U administrator
Enter administrator's password:
Joined domain DOMAIN.

[root at Samba3 ~]# net rpc testjoin
Join to 'DOMAIN' is OK

[root at GLEN-Samba1 ~]# net ads info -U Administrator
Enter Administrator's password:
LDAP server:
LDAP server name: samba-ad.domain.company.com
Bind Path: dc=DOMAIN,dc=COMPANY,dc=COM
LDAP port: 389
Server time: Mon, 07 Jan 2013 16:27:56 PST
KDC server:
Server time offset: 26

[root at Samba3 ~]# net rpc info -U Administrator
Enter Administrator's password:
Domain Name: DOMAIN
Domain SID: S-1-5-21-2572227374-1339717712-1008418335
Sequence number: 1
Num users: 17
Num domain groups: 12
Num local groups: 26

[root at Samba3 ~]# wbinfo -a vavanessians%somepassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root at Samba3 ~]# wbinfo -K 'vavanessians%somepassword'
plaintext kerberos password authentication for [vavanessians%somepassword]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

But when I run "wbinfo -u" or "wbinfo -g" I get nothing.

My configuration files are:

[root at Samba3 ~]# cat /etc/krb5.conf
[libdefaults]
 ticket_lifetime = 24h
 default_realm = DOMAIN.COMPANY.COM
# default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
# default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true

[realms]
 DOMAIN.COMPANY.COM = {
  kdc =
  default_domain = DOMAIN.COMPANY.COM
 }

[domain_realm]
 .domain.company.com = DOMAIN.COMPANY.COM
 domain.company.com = DOMAIN.COMPANY.COM

[kdc]
 profile = /etc/krb5kdc/kdc.conf

[logging]
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmin.log
 default = FILE:/var/log/krb5lib.log

[root at Samba3 ~]# cat /etc/hosts
localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
samba3.domain.company.com samba3
samba-ad.domain.company.com samba-ad

[root at Samba3 ~]# cat /etc/samba/smb.conf
[global]
netbios name = Samba3
workgroup = DOMAIN
preferred master = no
server string = Samba File Server
security = ads
encrypt passwords = yes

log level = 3
log file = /var/log/samba/log.%m
max log size = 50
printcap name = cups
printing = cups

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +

idmap uid = 600-20000
idmap gid = 600-20000
os level = 20

password server = *
dns proxy = no
template shell = /bin/bash
template homedir = /home/%U

[<share name not preserved in the post>]
comment = The Old Novel O-Drive
path = /data
browseable = yes
read only = no
inherit acls = yes
inherit permissions = yes
create mask = 700
directory mask = 700
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"

[root at Samba3 ~]# cat /etc/nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind

[root at Samba3 ~]# cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so cached_login use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account sufficient [default=bad success=ok user_unkown=ignore] pam_krb5.so
account sufficient [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login use_first_pass
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass
password sufficient pam_krb5.so use_authtok
password sufficient pam_winbind.so cached_login use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
session required pam_unix.so
session optional pam_krb5.so
session required pam_winbind.so use_first_pass

Thank you in advance for any help you can provide.
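A configuration check of the kind worth running before re-joining a Samba 3 member server, added here as an example and not part of the original message or of Samba itself. It embeds the smb.conf from the post (section headers restored; the share name is a placeholder because the post does not preserve it) and flags the settings the steps above depend on: `security = ads` without a `realm`, `winbind enum users/groups` being off (which makes `wbinfo -u`/`-g` list nothing by design), empty idmap ranges, and near-identical group names in a share's user lists.

```python
import configparser
import difflib
import itertools
import re

# Constructed from the smb.conf in the post; section headers restored and the
# share name is a placeholder because the post does not preserve it.
POSTED_SMB_CONF = """
[global]
netbios name = Samba3
workgroup = DOMAIN
security = ads
winbind enum users = yes
winbind enum groups = yes
idmap uid = 600-20000
idmap gid = 600-20000

[share_placeholder]
path = /data
read only = no
valid users = "DOMAIN+Dmain Admins"
admin users = "DOMAIN+Domain Admins"
"""

def _names(value):
    """Split a 'valid users'-style value, keeping quoted names with spaces intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', value)]

def lint(text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)  # Samba keys are case-insensitive; configparser lowercases them
    g, findings = cp["global"], []
    if g.get("security", "").lower() == "ads" and not g.get("realm"):
        findings.append("global: security = ads but no realm is set (needed for the AD join)")
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"global: {key} is off, so wbinfo -u/-g will list nothing")
    for key in ("idmap uid", "idmap gid"):
        lo, hi = (int(x) for x in g.get(key, "0-0").split("-"))
        if hi <= lo:
            findings.append(f"global: {key} range {lo}-{hi} is empty")
    for sec in (s for s in cp.sections() if s != "global"):
        names = sorted({n for k in ("valid users", "admin users") for n in _names(cp[sec].get(k, ""))})
        # Near-identical group names across a share's user lists are usually a typo;
        # winbind simply matches nothing for the misspelled one.
        for a, b in itertools.combinations(names, 2):
            if difflib.SequenceMatcher(None, a, b).ratio() > 0.9:
                findings.append(f"{sec}: '{a}' and '{b}' look like one group misspelled")
    return findings
```

Running `lint(POSTED_SMB_CONF)` reports the missing realm and the "Dmain Admins"/"Domain Admins" mismatch that is visible in the posted share definition.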

