Scenario: Samba-3.0.20b domain member server on SuSE 9.3 (w/ all available patches applied) providing kerberos authentication through a Windows 2000 domain with AD4Unix services installed. Problem(s): 1. Can only view users from one OU in Active Directory (default is: CN=Users, problem container is: OU=authenticated) 2. According to log.winbind and log.smbd authentication fails with error: check_ntlm_password: Authentication for user [testj] -> [testj] FAILED with error NT_STATUS_WRONG_PASSWORD. Is this error due to falling back to NTLM authentication vs. Kerberos TGT systems? Troubleshooting performed: 1. Used 'net ads leave' to remove from domain, updated Samba+Winbind from 3.0.13 to 3.0.20b 2. Manually removed machine trust account from active directory 3. Manually removed cache files for Samba prior to upgrade 4. Attempted using 3.0.21rc1 release with same results 5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS member server which would authenticate via Kerberos without problems. 6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o AD4Unix setup 7. Am in the process of upgrading Win2K domain server (in test env.) to provide AD4Unix services to see if it breaks. Any help, insight into this is definately appreciated Here is the pertinent configuration files: [smb.conf] [global] workgroup = DOMAIN realm = DOMAIN.COM server string = new-odin.domain.com security = ADS update encrypted = Yes encrypt passwords = yes password server = * preferred master = No domain master = No idmap uid = 500-500000 idmap gid = 500-500000 winbind trusted domains only = yes winbind separator = / winbind cache time = 5 winbind use default domain = Yes winbind nested groups = Yes log level = 2 interfaces = eth* bind interfaces only = yes socket options = IPTOS_LOWDELAY TCP_NODELAY [images] comment = ODIN user = %S path = /odin/images inherit acls = Yes browseable = yes writeable = yes read only = no public = yes [home] comment = User Home Directories user = %S path = /odin/home/%S inherit acls = Yes writeable = yes read only = no public = no browseable = yes [krb5.conf] [libdefaults] default_realm = DOMAIN.COM clockskew = 300 [realms] UTAH.EDU = { kdc = 192.168.0.10 default_domain = domain.com admin_server = 192.168.0.10 } [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log [domain_realm] .domain.com = DOMAIN.COM domain.com = DOMAIN.COM [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false retain_after_close = false minimum_uid = 0 } [nsswitch.conf] passwd: files winbind shadow: files winbind group: files winbind hosts: files dns winbind networks: files dns services: files protocols: files rpc: files ethers: files netmasks: files netgroup: files publickey: files bootparams: files automount: files nis aliases: files -- Jason Gerfen "Oh I have seen alot of what the world can do, and its breaking my heart in two..." ~ Wild World, Cat Stevens
Ok in my test environment I just got done updating the schema on the Win2K domain to include the AD4Unix package and I am still able to authentication and view all users from any container including the CN=Users (default) and a new OU=authenticated. Can someone please help me out on this? The only major difference between the test domain and the live domain is the number of users at this point and the container setup in AD. Jason Gerfen wrote:> Scenario: Samba-3.0.20b domain member server on SuSE 9.3 (w/ all > available patches applied) providing kerberos authentication through a > Windows 2000 domain with AD4Unix services installed. > > Problem(s): > 1. Can only view users from one OU in Active Directory (default is: > CN=Users, problem container is: OU=authenticated) > 2. According to log.winbind and log.smbd authentication fails with > error: check_ntlm_password: Authentication for user [testj] -> > [testj] FAILED with error NT_STATUS_WRONG_PASSWORD. Is this error due > to falling back to NTLM authentication vs. Kerberos TGT systems? > > Troubleshooting performed: > 1. Used 'net ads leave' to remove from domain, updated Samba+Winbind > from 3.0.13 to 3.0.20b > 2. Manually removed machine trust account from active directory > 3. Manually removed cache files for Samba prior to upgrade > 4. Attempted using 3.0.21rc1 release with same results > 5. Created a Win 2K test domain w/o AD4Unix and Samba-3.0.13 ADS > member server which would authenticate via Kerberos without problems. > 6. Upgraded Samba to 3.0.20b and still worked fine on test domain w/o > AD4Unix setup > 7. Am in the process of upgrading Win2K domain server (in test env.) > to provide AD4Unix services to see if it breaks. > > Any help, insight into this is definately appreciated > > Here is the pertinent configuration files: > > [smb.conf] > [global] > workgroup = DOMAIN > realm = DOMAIN.COM > server string = new-odin.domain.com > security = ADS > update encrypted = Yes > encrypt passwords = yes > password server = * > preferred master = No > domain master = No > idmap uid = 500-500000 > idmap gid = 500-500000 > winbind trusted domains only = yes > winbind separator = / > winbind cache time = 5 > winbind use default domain = Yes > winbind nested groups = Yes > log level = 2 > interfaces = eth* > bind interfaces only = yes > socket options = IPTOS_LOWDELAY TCP_NODELAY > > [images] > comment = ODIN > user = %S > path = /odin/images > inherit acls = Yes > browseable = yes > writeable = yes > read only = no > public = yes > > > [home] > comment = User Home Directories > user = %S > path = /odin/home/%S > inherit acls = Yes > writeable = yes > read only = no > public = no > browseable = yes > > [krb5.conf] > [libdefaults] > default_realm = DOMAIN.COM > clockskew = 300 > > [realms] > UTAH.EDU = { > kdc = 192.168.0.10 > default_domain = domain.com > admin_server = 192.168.0.10 > } > > > [logging] > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmin.log > default = FILE:/var/log/krb5lib.log > > [domain_realm] > .domain.com = DOMAIN.COM > domain.com = DOMAIN.COM > > [appdefaults] > pam = { > ticket_lifetime = 1d > renew_lifetime = 1d > forwardable = true > proxiable = false > retain_after_close = false > minimum_uid = 0 > } > > [nsswitch.conf] > passwd: files winbind > shadow: files winbind > group: files winbind > > hosts: files dns winbind > networks: files dns > > services: files > protocols: files > rpc: files > ethers: files > netmasks: files > netgroup: files > publickey: files > > bootparams: files > automount: files nis > aliases: files >-- Jason Gerfen "Oh I have seen alot of what the world can do, and its breaking my heart in two..." ~ Wild World, Cat Stevens