[Samba] problem authenticating users to Active Directory after Ubuntu 12.04 -> 14.04 upgrade

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 25 10:11:19 MDT 2014


On 25/04/14 16:27, Geoff Rowland wrote:
> To be safe, I performed a clean installation of Ubuntu 14.04 to make 
> sure the upgrade process wasn't breaking things.  I am able to join a 
> domain, however it will always tell me invalid password when trying to 
> log in with a domain account.  I guess that the major change was going 
> from Samba3 to Samba4 with these versions. I don't see anything crazy 
> in the samba logs.  Am I missing something?  Here are the steps I 
> followed:
>
> apt-get install krb5-config krb5-user winbind samba smbclient 
> libnss-winbind libpam-winbind
>
> config files:
>
> smb.conf (had a more complex one but using this simple one for testing):
>
>     [global]
>
>     workgroup = MYDOMAIN
>     security = ADS
>     realm = MYDOMAIN.COM
>     netbios name = trusty
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config MYDOMAIN:backend = ad
>     idmap config MYDOMAIN:schema_mode = rfc2307
>     idmap config MYDOMAIN:range = 500-40000
>
>     winbind nss info = rfc2307
>     [test]
>     path = /srv/samba/test
>     read only = no
>
>
>
> krb5.conf:
>
>     [libdefaults]
>     default_realm = MYDOMAIN.COM
>     ticket_lifetime = 24000
>     allow_weak_crypto = yes
>     [realms]
>     MYDOMAIN.COM = {
>             kdc = my.domain.com
>             admin_server = my.domain.com
>             default_domain = MYDOMAIN.COM
>     }
>
>
>     [domain_realm]
>     .mydomain.com = MYDOMAIN.COM
>     mydomain.com = MYDOMAIN.COM
>     [login]
>     krb4_convert = true
>     krb4_get_tickets = false
>
> /etc/nsswitch.conf
>
>     passwd:         compat winbind
>     group:          compat winbind
>     shadow:         compat
>
>     hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
>     networks:       files
>
>     protocols:      db files
>     services:       db files
>     ethers:         db files
>     rpc:            db files
>
>     netgroup:       nis
>
>
> net ads join -U username
>
> successfully joins the domain
> kinit account@MYDOMAIN.COM
> klist confirms ticket created
> su domainuser = "user not in passwd"
> log out and try to log in with domain user = "invalid password"
> log in with local account type
> wbinfo -u shows domain users
> wbinfo -g shows domain groups
>
> not sure what else to try?
> these exact steps work in Ubuntu 12.04
>
Hi, does 'getent passwd' show your domain users?

Rowland


