John Stile
2005-Apr-18 17:55 UTC
[Samba] Auth errors with winbind on member server with Native AD
So many people have posted this problem!
The steps to debug need to be in a FAQ.

The short question is:
Can there be a disconnect between the short and long REALM names,
leading to winbind-to-AD authentication errors? and How do I fix it?

I can access windows shares or join an AD Domain with:
  mount -t smbfs -o username=johns,workgroup=ms //library/Source_Safe tmp/
--or--
  net ads join -Ujohns -Wms

but I can't authenticate with my samba server
  smbclient -L localhost -Ujohns -d10
  <error snip>
  SPNEGO login failed: Logon failure
  session setup failed: NT_STATUS_LOGON_FAILURE'
* Detailed log at http://www.stilen.com/smbclient_debug.txt

==> /var/log/samba/log.subversion01 <==
[2005/04/18 10:29:41, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: MS\johns
[2005/04/18 10:29:41, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User MS\johns!

And winbind log (in debug mode) http://www.stilen.com/winbind_log.txt

This command tells me the real realm is MS.MSLI.COM
  net ads info
  LDAP server: 192.168.50.42
  LDAP server name: stan
  Realm: MS.MSLI.COM
  Bind Path: dc=MS,dc=MSLI,dc=COM
  LDAP port: 389
  Server time: Wed, 13 Apr 2005 13:15:37 GMT
  KDC server: 192.168.50.42
  Server time offset: 0

When I communicate with the KDC, it assumes the full realm:
  kinit johns
  Password for johns@MS.MSLI.COM:
  <finish without error>

How I got myself into this mess.
----------------------------------
Debian testing
  samba 3.0.10-1
  winbind 3.0.10-1
  krb5-config 1.6
  krb5-user 1.3.6-2

# Install the Debian way
aptitude install winbind samba smbfs samba-client smbclient
  Workgroup/Domain Name? ms
  Use password encryption? <yes>
  Modify smb.conf to use WINS settings from DHCP? <no>
  How do you want to run Samba? daemons
  Create samba password database, /var/lib/samba/passdb.tdb? <yes>

# Stop smb/nmb/winbind
/etc/init.d/samba stop
/etc/init.d/winbind stop

# Remove old files
find / -name '*.tdb' |xargs rm -rf

# Edit my files nsswitch.conf, smb.conf, and krb5.conf
< see Files section below >

# Join that ADS domain
net ads join -Ujohns
johns's password:
[2005/04/13 20:17:56, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for subversion01 already exists - modifying old account
Using short domain name -- MS
Joined 'SUBVERSION01' to realm 'MS.MSLI.COM'

# Look for newly created tdb files.
find / -name "*.tdb"
/var/lib/samba/secrets.tdb

# Start winbind in debug mode
winbindd -S -i -F -d 8 -Y
Log at: http://www.stilen.com/winbind_log.txt

# Look for newly created tdb files.
find / -name "*.tdb"
/var/lib/samba/secrets.tdb
/var/lib/samba/winbindd_idmap.tdb
/var/run/samba/gencache.tdb
/var/run/samba/messages.tdb
/var/cache/samba/winbindd_cache.tdb
/var/cache/samba/netsamlogon_cache.tdb

# Names retrieved from AD do not begin with MS+ ?
wbinfo -u
Administator
johns
subversion01$
...
wbinfo -g
Domain Admins
Domain Users
Domain Guests
Domain Computers
...

# Valid member of the domain.
wbinfo -t
checking the trust secret via RPC calls succeeded

# I can authenticate to the KDC
kinit johns
Password for johns@MS.MSLI.COM:
<finish without error>

# When I try to list the samba shares without a password, it works
smbclient -L localhost
Password:
Anonymous login successful
Domain=[MS] OS=[Unix] Server=[Samba 3.0.10-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (subversion01)
        ADMIN$          IPC       IPC Service (subversion01)
Anonymous login successful
Domain=[MS] OS=[Unix] Server=[Samba 3.0.10-Debian]

        Server               Comment
        ---------            -------
        KENNY
        STAN
        SUBVERSION01         subversion01

        Workgroup            Master
        ---------            -------
        MS                   STAN

# When I try to list the samba shares with authentication, it fails.
smbclient -L library -ujohns -wms
session setup failed: NT_STATUS_LOGON_FAILURE'

This has been a popular problem, without solutions, so the problem may be quite complex.
This post tells me many people have problems with this:
http://lists.samba.org/archive/samba/2004-May/085923.html
This person seems to have the same issues:
http://lists.samba.org/archive/samba/2003-October/076088.html

----------------------------
Files:
----------------------------
/etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
hosts:          files dns winbind
----------------------------
/etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MS.MSLI.COM
 krb4_config = /etc/krb.conf
 krb4_realms = /etc/krb.realms
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 MS.MSLI.COM = {
  kdc = 192.168.50.42
  admin_server = 192.168.50.42
  default_domain = ms.msli.com
 }

[domain_realm]
 ms = MS.MSLI.COM
 .ms = MS.MSLI.COM
 .msli.com = MS.MSLI.COM
 msli.com = MS.MSLI.COM
 ms.msli.com = MS.MSLI.COM
 .ms.msli.com = MS.MSLI.COM

[login]
 krb4_convert = true
 krb4_get_tickets = true
----------------------------
/etc/samba/smb.conf
[global]
   realm = MS.MSLI.COM
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   workgroup = MS
   security = ADS
   password server = *
   wins support = yes
   wins server = 192.168.50.42
   server string = subversion01
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   encrypt passwords = true
   passdb backend = tdbsam guest
   obey pam restrictions = yes
   invalid users = root daemon bin sys adm lp listen noaccess
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   load printers = no
   socket options = TCP_NODELAY

[homes]
   comment = Home Directories
   browseable = no
   writable = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

-- 
._____________________.
| \0/ John Stile      |
| UniX Administration |
| / \ 510-305-3800    |
| john@stilen.com     |
.---------------------.
Paul_Krash
2005-Apr-18 18:48 UTC
[Samba] Auth errors with winbind on member server with Native AD
John Stile wrote:
> So many people have posted this problem!
> The steps to debug need to be in a FAQ.
>
> The short question is:
> Can there be a disconnect between the short and long REALM names,
> leading to winbind-to-AD authentication errors? and How do I fix it?

Read this 1st (if you have not already).
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html

I am assuming W2K3 server, your realm mapping in krb5.conf looks fine.
However, conversion from krb4 is not necessary.

What do the Windows Server Logs say?

Other thing I thought might help: in nsswitch.conf change to:

passwd:     files winbind
shadow:     files nisplus nis
group:      files winbind
hosts:      files dns winbind
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files winbind nisplus
aliases:    files nisplus

Best,
PKrash
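The question in the first post is whether the short name (MS) and the long realm (MS.MSLI.COM) can disagree between smb.conf and krb5.conf, and the reply says the posted mapping looks fine. The checker below is an added example, written for this thread and not code from either poster or from the Samba project: a POSIX shell script that parses both files and reports the disagreements that matter for a single-realm member server (smb.conf `realm` versus krb5.conf `default_realm`, realm case, and any `[domain_realm]` entry that points somewhere other than `default_realm`). The two config fragments are constructed from the values in the thread, the "bad" krb5.conf is a constructed variant with a short-name mapping gone wrong, and the temp-file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the realm names that
# smb.conf and krb5.conf must agree on for an AD member server.
# The config fragments below are constructed from values posted in the thread;
# KRB5_BAD is a constructed variant with a short/long realm mismatch.
# Temp-file paths are assumptions; on a real host pass the live files instead.

# Print every "key=value" pair found in [SECTION] of an INI-style file.
# Usage: ini_entries FILE SECTION
ini_entries() {
    awk -v want="$2" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
            if (line ~ /^\[.*\]$/) { sect = substr(line, 2, length(line) - 2); next }
            if (sect != want) next
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            sub(/[[:space:]]+$/, "", k); sub(/^[[:space:]]+/, "", v)
            print k "=" v
        }' "$1"
}

# Print the value of KEY in [SECTION] (key compared case-insensitively).
# Usage: ini_get FILE SECTION KEY
ini_get() {
    ini_entries "$1" "$2" | awk -v key="$3" '
        { n = index($0, "=")
          if (tolower(substr($0, 1, n - 1)) == tolower(key)) { print substr($0, n + 1); exit } }'
}

# Report realm-name disagreements between SMB_CONF and KRB5_CONF.
# Returns 0 when everything lines up, 1 otherwise.
check_realms() {
    smb_conf=$1; krb5_conf=$2; status=0
    smb_realm=$(ini_get "$smb_conf" global realm)
    krb_realm=$(ini_get "$krb5_conf" libdefaults default_realm)
    upper_realm=$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')

    if [ -z "$smb_realm" ] || [ -z "$krb_realm" ]; then
        echo "ERROR: realm missing (smb.conf realm='$smb_realm', krb5.conf default_realm='$krb_realm')"
        return 1
    fi
    # Kerberos realm names are case-sensitive; an AD realm is the DNS domain in upper case.
    if [ "$krb_realm" != "$upper_realm" ]; then
        echo "WARN: default_realm '$krb_realm' is not upper-case"; status=1
    fi
    if [ "$(printf '%s' "$smb_realm" | tr '[:lower:]' '[:upper:]')" != "$upper_realm" ]; then
        echo "MISMATCH: smb.conf realm '$smb_realm' vs krb5.conf default_realm '$krb_realm'"; status=1
    fi
    # Single-realm member server: every [domain_realm] mapping should point at default_realm.
    strays=$(ini_entries "$krb5_conf" domain_realm |
             awk -F= -v r="$krb_realm" '$2 != r { printf "  %s -> %s\n", $1, $2 }')
    if [ -n "$strays" ]; then
        echo "MISMATCH: [domain_realm] entries not mapped to '$krb_realm':"; echo "$strays"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $smb_realm is consistent across smb.conf and krb5.conf"
    return "$status"
}

# Constructed configs (values taken from the thread; the bad variant is made up).
SMB_CONF=$(mktemp); KRB5_GOOD=$(mktemp); KRB5_BAD=$(mktemp)
trap 'rm -f "$SMB_CONF" "$KRB5_GOOD" "$KRB5_BAD"' EXIT
cat > "$SMB_CONF" <<'EOF'
[global]
   realm = MS.MSLI.COM
   workgroup = MS
   security = ADS
[homes]
   comment = Home Directories
EOF
cat > "$KRB5_GOOD" <<'EOF'
[libdefaults]
 default_realm = MS.MSLI.COM
[realms]
 MS.MSLI.COM = {
  kdc = 192.168.50.42
 }
[domain_realm]
 ms = MS.MSLI.COM
 .ms = MS.MSLI.COM
 ms.msli.com = MS.MSLI.COM
 .ms.msli.com = MS.MSLI.COM
EOF
cat > "$KRB5_BAD" <<'EOF'
[libdefaults]
 default_realm = MS.MSLI.COM
[domain_realm]
 ms = MSLI.COM
 ms.msli.com = MS.MSLI.COM
EOF

echo "== configuration from the thread =="
check_realms "$SMB_CONF" "$KRB5_GOOD" || true
echo "== constructed mismatch =="
check_realms "$SMB_CONF" "$KRB5_BAD" || true
```

On a real host the call is `check_realms /etc/samba/smb.conf /etc/krb5.conf`. The script only covers realm-name consistency; the PAM account-management error in the posted log is a separate condition that this check does not look at.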