[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Geoff Rowland growland at heavyhammer.com
Fri Apr 25 09:27:48 MDT 2014


To be safe, I performed a clean installation of Ubuntu 14.04 to make 
sure the upgrade process wasn't breaking things.  I am able to join a 
domain, however it will always tell me invalid password when trying to 
log in with a domain account.  I guess that the major change was going 
from Samba3 to Samba4 with these versions.  I don't see anything crazy 
in the samba logs.  Am I missing something?  Here are the steps I followed:

apt-get install krb5-config krb5-user winbind samba smbclient libnss-winbind libpam-winbind

config files:

smb.conf (had a more complex one but using this simple one for testing):

    [global]
        workgroup = MYDOMAIN
        security = ADS
        realm = MYDOMAIN.COM
        netbios name = trusty

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 500-40000

        winbind nss info = rfc2307

    [test]
        path = /srv/samba/test
        read only = no

krb5.conf:

    [libdefaults]
        default_realm = MYDOMAIN.COM
        ticket_lifetime = 24000
        allow_weak_crypto = yes

    [realms]
        MYDOMAIN.COM = {
            kdc = my.domain.com
            admin_server = my.domain.com
            default_domain = MYDOMAIN.COM
        }

    [domain_realm]
        .mydomain.com = MYDOMAIN.COM
        mydomain.com = MYDOMAIN.COM

    [login]
        krb4_convert = true
        krb4_get_tickets = false

/etc/nsswitch.conf

    passwd:         compat winbind
    group:          compat winbind
    shadow:         compat

    hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
    networks:       files

    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files

    netgroup:       nis


net ads join -U username

successfully joins the domain
kinit account@MYDOMAIN.COM
klist confirms ticket created
su domainuser = "user not in passwd"
log out and try to log in with domain user = "invalid password"
log in with local account type
wbinfo -u shows domain users
wbinfo -g shows domain groups

not sure what else to try?
these exact steps work in Ubuntu 12.04


