[Samba] Unable to get Samba-3.6.12 to authenticate using ADS

Lee Allen lee at leecallen.com
Fri May 24 15:12:10 MDT 2013


I have a Samba-4 system running as an Active Directory server.  It's
working great: computers are joined to it, users are logged in, etc.  Good
job Samba developers, and thank you!

But of course I am not satisfied.  Now I want to configure another server
(well, a VM) as a file server using Samba-3.6.12.  I want it to refer to
the Samba4 server for all user authentication.  My understanding of the
documentation is that I set "server = ads" and join the samba3 system to my
domain.  I do not need to create any users/accounts on the Samba3
(fileserver) system.

Am I right so far?

But, it's not working -- it is not authenticating requests using the AD
server.  There are error messages coming out of Samba that I don't
understand (no surprise there).

I have read the relevant documentation, including the Domain Membership
section, and I have followed the instructions here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Here are the details.

AD is Samba-4 running on samba-ad.allenlan.net (192.168.0.13).
Fileserver is Samba-3.6.12 on smb-test-zone.allenlan.net (192.168.0.17).
A Win7 PC named t110-win7-base.allenlan.net (192.168.0.93) is joined to the
domain, user "allenlan\lallen" is logged in to it, and I attempt to map a
share on the Samba-3.6.12 system using:
# net use L: \\192.168.0.17\Lee
this prompts for username (it should not), I enter "allenlan\lallen" (or
"allenlan.net\lallen"), it prompts for password, and I enter that.  The
authentication fails - the log file is below.

# cat /opt/local/etc/samba/smb.conf
[global]
   workgroup = ALLENLAN
   server string = Samba %v (%h)
   realm = allenlan.net
   security = ads
   password server = 192.168.0.13
   load printers = no
   guest account = guest

   (omitting the shares)

# kinit administrator at ALLENLAN.NET
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator at ALLENLAN.NET

  Issued                Expires               Principal
May 24 19:44:08 2013  May 25 05:44:08 2013  krbtgt/ALLENLAN.NET at ALLENLAN.NET

# net ads join -U Administrator%password

# net ads testjoin
Join is OK

# net ads info
LDAP server: 192.168.0.13
LDAP server name: samba-ad.allenlan.net
Realm: ALLENLAN.NET
Bind Path: dc=ALLENLAN,dc=NET
LDAP port: 389
Server time: Fri, 24 May 2013 19:44:36 UTC
KDC server: 192.168.0.13
Server time offset: 0

# /opt/local/sbin/smbd -i -d3 -s /opt/local/etc/samba/smb.conf
Maximum core file size limits now -3(soft) -3(hard)
smbd version 3.6.12 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/opt/local/etc/samba/smb.conf"
Processing section "[global]"
Processing section "[Lee]"
adding IPC service
added interface net0 ip=192.168.0.17 bcast=192.168.0.255
netmask=255.255.255.0
loaded services
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
get_dc_list: preferred server list: "samba-ad.allenlan.net, 192.168.0.13"
Successfully contacted LDAP server 192.168.0.13
Connected to LDAP server samba-ad.allenlan.net
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178 at please_ignore
ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache] expiration
Sat, 25 May 2013 05:46:13 UTC
reloading printcap cache
No Printers found!!!
reload status: error
waiting for connections
Allowed connection from 192.168.0.93 (192.168.0.93)
init_oplocks: initializing messages.
Transaction 0 of length 159 (0 toread)
switch message SMBnegprot (pid 85924) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
Requested protocol [SMB 2.002]
Requested protocol [SMB 2.???]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 1622 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1476
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen at ALLENLAN.NET]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Transaction 2 of length 1508 (0 toread)
switch message SMBsesssetupX (pid 85924) conn 0x0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
Doing spnego session setup
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 1362
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Decrypt integrity check failed
libads/kerberos_verify.c:435: enc type [17] failed to decrypt with error
Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen at ALLENLAN.NET]
Username ALLENLAN\lallen is invalid on this system
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
receive_smb_raw_talloc failed for client 192.168.0.93 read error =
NT_STATUS_CONNECTION_RESET.
Server exit (failed to receive smb request)


This has had me stumped for several days.  Thank you for any & all help.

Lee Allen
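As an added illustration (not part of the original post or of Samba), here is a small triage script for the failure shown above: it reads the decisive lines of the smbd -d3 output together with the quoted [global] section and reports whether the problem is Kerberos itself or the step after it, mapping the AD user to a Unix identity. The smb.conf parser and the finding names are hypothetical, and the sample log is a constructed excerpt of the post's output (with "@" written as a real log would print it).

```python
import re
# Constructed excerpt of the smbd -d3 output quoted in the post above.
SAMPLE_LOG = """\
libads/kerberos_verify.c:435: enc type [18] failed to decrypt with error
Decrypt integrity check failed
Found account name from PAC: lallen []
Kerberos ticket principal name is [lallen@ALLENLAN.NET]
Username ALLENLAN\\lallen is invalid on this system
NT_STATUS_LOGON_FAILURE
"""
# The [global] section as quoted in the post (shares omitted there as well).
SAMPLE_CONF = """\
[global]
   workgroup = ALLENLAN
   realm = allenlan.net
   security = ads
   password server = 192.168.0.13
"""

def smbconf_global(text):
    # Parse the [global] section of an smb.conf into {lowercased key: value}.
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip()
    return params

def triage(log, conf):
    """Return a list of findings that explain why the session setup failed."""
    findings = []
    pac = re.search(r"Found account name from PAC: (\S+)", log)
    bad = re.search(r"Username (\S+) is invalid on this system", log)
    if pac and bad:
        # PAC parsed, so the ticket validated; the failure is the Unix identity lookup (winbind/nss).
        findings.append("no_unix_identity_for:" + bad.group(1))
    if pac and re.search(r"enc type \[1[78]\] failed to decrypt", log):
        findings.append("aes_keytab_keys_failed_ticket_still_accepted")
    g = smbconf_global(conf)
    if g.get("security", "").lower() != "ads":
        findings.append("security_not_ads")
    if not any(k.startswith("idmap config") for k in g):
        findings.append("no_idmap_config")  # winbind needs this to allocate uids
    return findings
```

Run against the post's own output, the script reports that Kerberos succeeded (the PAC was read) and that the member server has no identity mapping for the domain user, which is where to look next (winbind running, idmap configured, nsswitch consulting it) rather than at the join or the KDC.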

