[Samba] Kerberos Authentication problem "Username X is invalid on this system"

Shaun Anderson sanderson at chooses1.com
Wed Jan 14 16:33:55 MST 2015

This is a new Samba config that has not yet worked.  I have installed sernet-samba 4.1.14.

[root at sltltfsee samba]# rpm -qa | grep sernet

I have been added to the domain and all of that appears to work fine.  I have created shares, however am unable to access them.

Here are the contents of nsswitch.conf:
[root at sltltfsee samba]# cat /etc/nsswitch.conf | grep -v "#"

passwd:     compat winbindd files
shadow:     compat files
group:      compat winbind files
hosts:      files dns wins

bootparams: nisplus [NOTFOUND=return] files

ethers:     db files
netmasks:   files
networks:   files dns
protocols:  db files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

krb.conf file:
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

default_realm = MYDOMAIN.ORG
dns_lookup_realm = true
;dns_lookup_realm = false
dns_lookup_kdc = true
;dns_lookup_kdc = false
ticket_lifetime = 600
renew_lifetime = 7d
forwardable = true

  admin_server = SL1TDC3.MYDOMAIN.ORG
  default_domain = MYDOMAIN.ORG

.mydomain.org = MYDOMAIN.ORG
mydomain.org = MYDOMAIN.ORG

Smb.conf file:
[root at sltltfsee samba]# cat /etc/samba/smb.conf

   workgroup = SL1
   netbios name = SLTLTFSEE
   server string = LTFSEE Server
   realm = SL1.MYDOMAIN.ORG
   security = ads
   encrypt passwords = yes
   idmap config * : range = 16777216-33554431
   idmap config * : backend = tdb
   template shell = /bash/bin
   allow trusted domains = Yes
   client ntlmv2 auth = yes
   force unknown acl user = yes
   auth methods = guest sam winbind
   passdb backend = tdbsam
   groupdb:backend = tdb
   interfaces = eth1 lo
   username map = /etc/samba/smbusers
   guest ok = yes

log level =3
log file = /var/log/samba/smb.ltfsee.log
max log size = 50

winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind use default domain =true
winbind offline logon = true
winbind refresh tickets = Yes

#GPFS items
        gpfs:sharemodes = yes
        gpfs:prealloc = yes
        gpfs:dfreequota = yes
        gpfs:hsm = yes
        gpfs:winattr = yes
        gpfs:leases = yes

#General FS items
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = yes


   path = /gpfs/ltfsee/general
   read only = no
   valid users = @"Domain Users"

Things such as winbind lookups work just fine:
[root at sltltfsee samba]# wbinfo -a choatej%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root at sltltfsee samba]# wbinfo -i SL1\\choatej

[root at sltltfsee samba]# wbinfo -U 16777216

[root at sltltfsee samba]# wbinfo -s S-1-5-21-1823944398-2898753305-4095703837-125569
SL1\choatej 1

User can authenticate using ntlm_auth:
[root at sltltfsee samba]# ntlm_auth --username=choatej
NT_STATUS_OK: Success (0x0)

Attempting to access share from a windows client gives "Access is denied" message.

From the smb log "smb.ltfsee.log"
[2015/01/14 16:26:02.882034,  3] ../source3/smbd/negprot.c:672(reply_negprot)
  Selected protocol SMB 2.???
[2015/01/14 16:26:02.887418,  3] ../source3/smbd/smb2_negprot.c:243(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/01/14 16:26:02.990573,  3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: choatej [Choate, James]
[2015/01/14 16:26:02.990632,  3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [choatej at SL1.MYDOMAIN.ORG]
[2015/01/14 16:26:02.991491,  1] ../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username SL1\choatej is invalid on this system
[2015/01/14 16:26:02.991554,  1] ../source3/auth/auth_generic.c:97(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/01/14 16:26:02.996300,  3] ../source3/smbd/server_exit.c:221(exit_server_common)

Kerberos ticket was generated using 'net ads kerberos kinit -P'

[root at sltltfsee samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hubijarm_u at SL1.STLUKES-INT.ORG

Valid starting     Expires            Service principal
01/14/15 15:52:23  01/14/15 16:02:23  krbtgt/SL1.MYDOMAIN.ORG at SL1.MYDOMAIN.ORG
        renew until 01/21/15 15:52:23

I'm by no means a kerberos expert, but if I have a generated ticket then what is being missed?  Where is the 'Username X is invalid on this system" message coming from?


Shaun Anderson
"Aut viam inveniam aut faciam"

DISCLAIMER: The information in this message (and any attachments hereto) may be
confidential and protected from disclosure. If the reader of this message is
neither the intended recipient nor an agent responsible for delivering the
message to the intended recipient, you are hereby notified that any unauthorized
disclosure of this information is strictly prohibited. Any unauthorized
disclosure may cause the breaching party to be liable to ConvergeOne Holdings
Corp. and/or its subsidiaries and affiliates for damages.  If you have received
this message in error, please notify the sender by replying to the e-mail
message, and delete it from your computer without reading it or saving it in any

More information about the samba mailing list