[Samba] problems with authentication

Rowland Penny rpenny at samba.org
Mon Aug 5 06:59:49 UTC 2019


On 04/08/2019 23:18, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I set up Samba 4 on Debian 9.9 as a domain member server, but
> authentication is not working, as follows:
>
> root@srv-proxy:/etc/samba# wbinfo -a marcio@EMPRESA.COM.BR
> Enter marcio@EMPRESA.COM.BR's password:
> plaintext password authentication succeeded
> Enter marcio@EMPRESA.COM.BR's password:
> challenge/response password authentication failed
> wbcAuthenticateUserEx(+marcio@EMPRESA.COM.BR): error code was
> NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error message was: Wrong Password
> Could not authenticate user marcio@EMPRESA.COM.BR with challenge/response
>
> My password is correct!
> #############################################
> My DCs are:
> Primary: Samba 4 DC (Debian 9.9)
> Secondary: Windows Server 2008
>
> My configuration files follow:
>
> SMB.CONF
>
> [global]
>    netbios name = SRV-PROXY
>    workgroup = EMPRESA
>    security = ADS
>    realm = EMPRESA.COM.BR
>    encrypt passwords = yes
>
>    idmap config *:backend = tdb
>    idmap config *:range = 3000-7999
>    idmap config EMPRESA:backend = ad
>    idmap config EMPRESA:schema_mode = rfc2307
>    idmap config EMPRESA:range = 100000-999999
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    vfs objects = acl_xattr
>    map acl inherit = Yes
>    store dos attributes = Yes
>
> ##############################################
>
> NSSWITCH.CONF
>
> root@srv-proxy:/etc/samba# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
> ########################################################################
>
> root@srv-proxy:/etc# net ads join -Uadministrator
> Enter marcio's password:
> Using short domain name -- EMPRESA
> Joined 'SRV-PROXY' to dns domain 'empresa.com.br'
>
> root@srv-proxy:/etc# net ads testjoin
> Join is OK
>
>
> root@srv-proxy:/etc/samba# kinit marcio
> Password for marcio@EMPRESA.COM.BR:
> root@srv-proxy:/etc/samba# klist -l
> Principal name                 Cache name
> --------------                 ----------
> marcio@EMPRESA.COM.BR          FILE:/tmp/krb5cc_0
>
> #####################################################################
>
> The wbinfo -g and wbinfo -u commands are working properly.
>
>
> Could anybody help me?
>
> Regards,
>
> Márcio Bacci

Remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf

Have you given your users a uidNumber attribute containing a unique
number inside the range '100000-999999'?

Have you also given 'Domain Users' a gidNumber attribute containing a
number inside the same range?

Rowland
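
The three checks in the reply above, written out as an added example that is not part of the original thread or of Samba itself. The configuration lines are copied from the quoted post; the uidNumber/gidNumber values and all function names are made up for illustration.

```python
import re
from collections import Counter

# Constructed inputs: config lines copied from the thread, directory values made up.
SMB_CONF = """[global]
   idmap config *:range = 3000-7999
   idmap config EMPRESA:backend = ad
   idmap config EMPRESA:range = 100000-999999
"""
NSSWITCH = """passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
"""
USERS = {"marcio": None, "alice": 100001, "bob": 5000, "carol": 100001}  # uidNumber
GROUPS = {"Domain Users": None}                                          # gidNumber

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(smb_conf):
    """Map each 'idmap config DOMAIN:range = low-high' line to DOMAIN -> (low, high)."""
    found = (RANGE_RE.match(line) for line in smb_conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def nss_sources(nsswitch, database):
    """Return the source list configured for one nsswitch.conf database."""
    for line in nsswitch.splitlines():
        name, sep, rest = line.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            return rest.split()
    return []

def audit(smb_conf, nsswitch, domain, users, groups):
    """Return one finding per item the reply asks the poster to check."""
    findings = []
    if "winbind" in nss_sources(nsswitch, "shadow"):
        findings.append("nsswitch.conf: remove 'winbind' from the 'shadow' line")
    low, high = idmap_ranges(smb_conf)[domain]
    seen = Counter(v for v in users.values() if v is not None)
    for attr, entries in (("uidNumber", users), ("gidNumber", groups)):
        for name, value in sorted(entries.items()):
            if value is None:
                findings.append(f"{name}: no {attr}")
            elif not low <= value <= high:
                findings.append(f"{name}: {attr} {value} outside {low}-{high}")
            elif attr == "uidNumber" and seen[value] > 1:
                findings.append(f"{name}: {attr} {value} is not unique")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, NSSWITCH, "EMPRESA", USERS, GROUPS)))
```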