[Samba] "The account is not authorized to login from this station"

Shaun Glass - Business Connexion Shaun.Glass at bcx.co.za
Wed Jun 19 09:16:59 MDT 2013

Good Day,

I am testing, in a lab environment, Samba shares with AD authentication for access. My setup is as follows:

* Windows 2008 RC2
* RHEL 5.9
* Windows 7
* Windows XP SP3

* Samba 3.0.33-3.39.el5_8

All machines, including the RHEL Server, have been added to the Domain running on the Windows 2008 RC2 Server.

As per the subject, when trying to connect to the shares from XP or Win 7, I get:

"The account is not authorized to login from this station"

My configuration files, and any files or parts thereof altered during setup, follow. Note that this is a lab, so all information is made up:

/etc/samba/smb.conf -

[global]
    netbios name = RHEL-5-SMB
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    idmap uid = 10000-20000
    winbind enum users = yes
    winbind gid = 10000-20000
    workgroup = MUD-LAB
    os level = 20
    winbind enum groups = yes
    socket address =
    password server = *
    preferred master = no
    winbind separator = +
    max log size = 50
    log file = /var/log/samba/log.%m
    encrypt passwords = no
    dns proxy = no
    security = ADS
    wins server =
    wins proxy = no
    client ntlmv2 auth = yes

[EFT]
    comment = EFT
    path = /MIPEB-Live/EFT
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"MUD-LAB+mip_sys_ad"

[EFT Rejection]
    comment = EFT Rejection
    path = /MIPEB-Live/EFT_Rejection
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"MUD-LAB+mip_sys_ad"

[EFT Treasury]
    comment = EFT Treasury
    path = /MIPEB-Live/EFT_Treasury
    browseable = yes
    read only = no
    inherit acls = yes
    inherit permissions = yes
    create mask = 700
    directory mask = 700
    valid users = @"MUD-LAB+mip_sys_ad"

/etc/krb5.conf -

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MUD-LAB.INTERNAL.CO.ZA
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 MUD-LAB.INTERNAL.CO.ZA = {
# NOTE: hard coded KDC lines below to work around slow IPv6 DNS queries
#       see the following commands for valid KDCs:
# host -t SRV _kerberos._tcp.MUD-LAB.INTERNAL.CO.ZA
# host -t SRV _kerberos._udp.MUD-LAB.INTERNAL.CO.ZA
  kdc =
  default_domain = mud-lab.internal.co.za
 }

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

/etc/nsswitch.conf -

passwd:     files winbind
shadow:     files winbind
group:      files winbind

/etc/pam.d/samba -

auth       required     pam_nologin.so
auth       include      system-auth
auth       required     /lib/security/pam_winbind.so
account    required     /lib/security/pam_winbind.so
account    include      system-auth
session    include      system-auth
password   include      system-auth

The following are some of the checks done on the RHEL Server to verify that it is communicating with the Domain:

[root@rhel-5-smb samba]# wbinfo -u

[root@rhel-5-smb samba]# wbinfo -g
MUD-LAB+domain computers
MUD-LAB+domain controllers
MUD-LAB+schema admins
MUD-LAB+enterprise admins
MUD-LAB+cert publishers
MUD-LAB+domain admins
MUD-LAB+domain users
MUD-LAB+domain guests
MUD-LAB+group policy creator owners
MUD-LAB+ras and ias servers
MUD-LAB+allowed rodc password replication group
MUD-LAB+denied rodc password replication group
MUD-LAB+read-only domain controllers
MUD-LAB+enterprise read-only domain controllers

[root@rhel-5-smb samba]# wbinfo --group-info="MUD-LAB+mip_sys_ad"

[root@rhel-5-smb samba]# wbinfo -a MUD-LAB+da000450%Server@2008
plaintext password authentication succeeded
challenge/response password authentication succeeded

The RHEL Server is based on our normal build, where SSH authentication is also done against the Domain. As far as I know these files are involved with that:

/etc/pam.d/system-auth -

auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail deny=3 magic_root per_user
auth        sufficient    pam_unix.so likeauth nullok
auth        sufficient    pam_stack.so service=krb5-secdom
auth        required      pam_deny.so
account     required      pam_tally.so magic_root
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     sufficient    pam_stack.so service=krb5-secdom
account     required      pam_permit.so
password    requisite     pam_cracklib.so retry=3 type=local minlen=7 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3 difignore=15
password    sufficient    pam_unix.so md5 shadow nullok use_authtok remember=24
password    sufficient    pam_stack.so service=krb5-secdom
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

/etc/pam.d/krb5-secdom -

auth       requisite                     pam_succeed_if.so quiet user ingroup secdom
auth       required                      pam_krb5.so
account    requisite                     pam_succeed_if.so quiet user ingroup secdom
account    required                      pam_krb5.so
password   required                      pam_krb5.so banner=MUD use_authtok
session    optional                      pam_krb5.so

"secdom" is a group on the RHEL Server. Users that use SSH have their Domain IDs added to the local box but authenticate against the Domain. If they are in the group "secdom" they are allowed in.

Now, all the troubleshooting I have done seems to relate to the Workstations and their Security Policies. I have not been able to find the exact change required to be made. Hoping someone has had similar issues and could help?

Much appreciated
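Added example, not part of the original post: the [global] section above combines "security = ADS" with "encrypt passwords = no". A domain or ADS member must use encrypted (NTLM/NTLMv2 or Kerberos) authentication, and a Windows client will not hand a plaintext password to a server that asks for one unless the policy "Microsoft network client: Send unencrypted password to third-party SMB servers" (registry value EnablePlainTextPassword under HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters) is enabled; the client's refusal is reported as "The account is not authorized to login from this station". The script below, in POSIX sh, audits an smb.conf for that mismatch and writes a corrected copy. The sample config is constructed from the poster's lines; the parsing and checking logic is my own and assumes Samba 3.x smb.conf syntax.

```shell
#!/bin/sh
# Added example (not from the original post): audit an smb.conf for the
# "security = ADS" + "encrypt passwords = no" mismatch and emit a fixed copy.
# Assumes Samba 3.x smb.conf syntax. Share and parameter names are the
# poster's; the checking logic is my own.

# Print the value of one [global] parameter, lower-cased (empty if unset).
# Parameters before the first section header count as global, as in Samba.
smb_global_param() {            # $1 = smb.conf path, $2 = parameter name
    awk -v key="$2" '
        BEGIN { inglobal = 1 }
        /^[[:space:]]*\[/ { inglobal = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        inglobal && $0 !~ /^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print tolower(v); exit }
        }' "$1"
}

# Exit 0 when a Windows client can authenticate against this config, 1 when
# the server would ask a domain/ADS client for a plaintext password (which the
# client refuses, surfacing as "The account is not authorized to login from
# this station").
smb_conf_auth_ok() {            # $1 = smb.conf path
    sec=$(smb_global_param "$1" "security")
    enc=$(smb_global_param "$1" "encrypt passwords")
    if [ -z "$enc" ]; then enc=yes; fi      # Samba 3 default is yes
    case "$sec" in
        ads|domain)
            case "$enc" in
                yes|true|1) return 0 ;;
                *)          return 1 ;;
            esac
            ;;
        *) return 0 ;;
    esac
}

# Write a corrected copy with "encrypt passwords = yes"; everything else is
# left untouched.
smb_conf_fix() {                # $1 = input path, $2 = output path
    sed 's/^\([[:space:]]*encrypt passwords[[:space:]]*=[[:space:]]*\)no[[:space:]]*$/\1yes/' "$1" > "$2"
}

# Constructed sample: the relevant lines of the poster's [global] plus one share.
SAMPLE=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$SAMPLE" "$FIXED"' EXIT
cat > "$SAMPLE" <<'EOF'
[global]
    workgroup = MUD-LAB
    security = ADS
    encrypt passwords = no
    client ntlmv2 auth = yes

[EFT]
    path = /MIPEB-Live/EFT
    valid users = @"MUD-LAB+mip_sys_ad"
EOF
smb_conf_fix "$SAMPLE" "$FIXED"

for f in "$SAMPLE" "$FIXED"; do
    if smb_conf_auth_ok "$f"; then
        echo "$f: security=$(smb_global_param "$f" security)," \
             "encrypt passwords=$(smb_global_param "$f" 'encrypt passwords') -> OK"
    else
        echo "$f: security=ADS with encrypt passwords=no -> Windows clients will refuse to authenticate"
    fi
done
```

On the real server, confirm the effective value with `testparm -s | grep -i 'encrypt passwords'` after editing smb.conf and restarting smb, then retry the share from a workstation, or from the server itself with `smbclient //rhel-5-smb/EFT -U 'MUD-LAB+da000450'`. Enabling plaintext passwords on the workstations instead would make the error go away but sends domain credentials in the clear, so it is the wrong side to change.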
