I'm having a problem authenticating to Active Directory. I can join
the machine to the domain, wbinfo -g/-u will list the groups and users
and I can map a drive using: smbclient -k //s-lorentz.s-res.uva.nl/c\$
However when I try to get the linux machine to authenticate a user
it doesn't work giving the error NT_STATUS_NO_LOGON_SERVERS
(0xc000005e). Looking further in the logs it fails at:

[2003/09/16 03:20:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
  Doing kerberos session setup
[2003/09/16 03:20:22, 5] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(625)
  cm_get_netlogon_cli: Using short for of domain name [S-RES.UVA.NL] for netlogon rpc bind
[2003/09/16 03:20:22, 3] rpc_client/cli_pipe.c:rpc_api_pipe(457)
  Bind NACK received on pipe 8003!
[2003/09/16 03:20:22, 2] rpc_client/cli_pipe.c:cli_nt_establish_netlogon(1578)
  rpc bind to \PIPE\NETLOGON failed
[2003/09/16 03:20:22, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(312)
  could not open handle to NETLOGON pipe (error: NT_STATUS_UNSUCCESSFUL)
[2003/09/16 03:20:22, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379)
  NTLM CRAP authentication for user [S-RES.UVA.NL]\[jmintha1@S-RES.UVA.NL] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)

On the windows side I see the error:

Pre-authentication failed:
    User Name: gnowee$
    User ID: S-RES\gnowee$
    Service Name: krbtgt/S-RES.UVA.NL
    Pre-Authentication Type: 0x0
    Failure Code: 0x19

I've tried everything I can think of (I'm using the debian package
3.0rc4, but I've tried compiling my own too) but can't figure out what
I've missed. Anyone else have an idea?

Thanks for any help,

Jim

Details on what I have done:

(s-lorentz.s-res.uva.nl - AD Domain Controller
 admin - Domain Admin for AD
 jim - regular user
 gnowee.ic.uva.nl - Linux machine)

# initialize kerberos successfully with:

% kinit admin@S-RES.UVA.NL
Password for admin@S-RES.UVA.NL: gandalf

# Join the machine to active directory

% net ads join -U admin@S-RES.UVA.NL
admin@S-RES.UVA.NL password: gandalf
Using short domain name -- S-RES.UVA.NL
Joined 'GNOWEE' to realm 'S-RES.UVA.NL'

# try out wbinfo

% wbinfo -g
S-RES.UVA.NL\blaahgroup
S-RES.UVA.NL\testgroep
...

# Try to authenticate a user

% wbinfo -a jim@S-RES.UVA.NL%wizard
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user jim@S-RES.UVA.NL%wizard with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user jim@S-RES.UVA.NL with challenge/response

# /etc/krb5.conf:
[libdefaults]
default_realm = S-RES.UVA.NL
[realms]
S-RES.UVA.NL = {
kdc = s-lorentz.s-res.uva.nl
}

# smb.conf
workgroup = S-RES.UVA.NL
netbios name = gnowee
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
log level = 3 passdb:5 auth:10 winbind:10
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
realm = S-RES.UVA.NL
encrypt passwords = true
password server = s-lorentz.s-res.uva.nl
security = ADS
socket options = TCP_NODELAY
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

--
Jim Mintha                           Email: j.t.mintha@uva.nl
System Administrator                 Work: +31 20 525-4919
Informatiseringscentrum              Home: +31 20 662-3892
University of Amsterdam              Debian GNU/Linux: jmintha@debian.org
_There are always Possibilities_     http://www.mintha.com

On Tue, 2003-09-16 at 11:38, Jim Mintha wrote:
> I'm having a problem authenticating to Active Directory. I can join
> the machine to the domain, wbinfo -g/-u will list the groups and users
> and I can map a drive using: smbclient -k //s-lorentz.s-res.uva.nl/c\$
> However when I try to get the linux machine to authenticate a user
> it doesn't work giving the error NT_STATUS_NO_LOGON_SERVERS
> (0xc000005e). Looking further in the logs it fails at:
>
> [2003/09/16 03:20:22, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(493)
>   Doing kerberos session setup
> [2003/09/16 03:20:22, 5] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(625)
>   cm_get_netlogon_cli: Using short for of domain name [S-RES.UVA.NL] for netlogon rpc bind
> [2003/09/16 03:20:22, 3] rpc_client/cli_pipe.c:rpc_api_pipe(457)
>   Bind NACK received on pipe 8003!

> workgroup = S-RES.UVA.NL

Is this really the netbios workgroup name? This is different to the
domain name. For 'security=ads' you should also specify the realm.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

># Try to authenticate a user
>
>% wbinfo -a jim@S-RES.UVA.NL%wizard
>plaintext password authentication failed
>error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
>error messsage was: No logon servers
>Could not authenticate user jim@S-RES.UVA.NL%wizard with plaintext password
>challenge/response password authentication failed
>error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
>error messsage was: No logon servers
>Could not authenticate user jim@S-RES.UVA.NL with challenge/response
>
>
># smb.conf
>workgroup = S-RES.UVA.NL
>netbios name = gnowee
>server string = %h server (Samba %v)
>log file = /var/log/samba/log.%m
>log level = 3 passdb:5 auth:10 winbind:10
>max log size = 1000
>syslog = 0
>panic action = /usr/share/samba/panic-action %d
>realm = S-RES.UVA.NL
>encrypt passwords = true
>password server = s-lorentz.s-res.uva.nl
>security = ADS
>socket options = TCP_NODELAY
>idmap uid = 10000-20000
>idmap gid = 10000-20000
>winbind enum users = yes
>winbind enum groups = yes

Your message is "No logon servers", and there is no such declaration in
your smb.conf.
How about setting a password server (for example any DC)?

--
Vincent

On Tue, 2003-09-16 at 23:16, Vincent.Badier@alcatel.fr wrote:
> ># Try to authenticate a user
> >
> >% wbinfo -a jim@S-RES.UVA.NL%wizard
> >plaintext password authentication failed
> >error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> >error messsage was: No logon servers

> Your message is "No logon servers", and there is no such declaration in
> your smb.conf.
> How about setting a password server (for example any DC)?

No, in this case the other logs show this is unrelated. (We can find
the DCs on our own, and unless you have reason to configure otherwise,
it should work just fine).

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

On Wed, Sep 17, 2003 at 12:05:44AM +1000, Andrew Bartlett wrote:
> On Tue, 2003-09-16 at 23:16, Vincent.Badier@alcatel.fr wrote:
> > ># Try to authenticate a user
> > >
> > >% wbinfo -a jim@S-RES.UVA.NL%wizard
> > >plaintext password authentication failed
> > >error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> > >error messsage was: No logon servers
>
> > Your message is "No logon servers", and there is no such declaration in
> > your smb.conf.
> > How about setting a password server (for example any DC)?
>
> No, in this case the other logs show this is unrelated. (We can find
> the DCs on our own, and unless you have reason to configure otherwise,
> it should work just fine).

and I did have "password server" set in the smb.conf.

Following your suggestion about the workgroup, I have set the
workgroup to "S-RES" instead of "S-RES.UVA.NL". It works much
better now. wbinfo -t and wbinfo -a both work correctly. I will now
go further with making a share on the linux box with AD authentication
but it looks like the problem is solved.

Thanks for all the help!

Jim

--
Jim Mintha                           Email: j.t.mintha@uva.nl
System Administrator                 Work: +31 20 525-4919
Informatiseringscentrum              Home: +31 20 662-3892
University of Amsterdam              Debian GNU/Linux: jmintha@debian.org
_There are always Possibilities_     http://www.mintha.com
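
Added example (not part of the original thread, and not Samba code): a small Python check for the misconfiguration this thread resolved, where workgroup was set to the DNS realm instead of the short NetBIOS domain name under security = ADS. The function names and sample inputs are constructed for illustration, and lines before any section header are treated as global.

```python
import re

# Constructed sample: the posted smb.conf (abridged), and the same file with
# the workgroup changed as described in the final reply.
BEFORE = """\
workgroup = S-RES.UVA.NL
realm = S-RES.UVA.NL
security = ADS
"""
AFTER = BEFORE.replace("workgroup = S-RES.UVA.NL", "workgroup = S-RES")

def parse_global(text):
    # Collect [global] parameters. Names are lower-cased with whitespace
    # removed, because smb.conf ignores case and whitespace in names. Lines
    # before any section header count as global (assumption of this example).
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_ads_workgroup(text):
    # Return a list of workgroup/realm problems for a security = ads member.
    p = parse_global(text)
    if p.get("security", "").lower() != "ads":
        return []
    wg, realm = p.get("workgroup", ""), p.get("realm", "")
    problems = []
    if not realm:
        problems.append("realm is not set")
    if not wg:
        problems.append("workgroup is not set")
    elif wg.lower() == realm.lower():
        problems.append("workgroup equals the realm, not the short domain name")
    elif "." in wg or len(wg) > 15:
        # NetBIOS names hold at most 15 usable characters.
        problems.append("workgroup does not look like a NetBIOS domain name")
    return problems

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_ads_workgroup(conf) or "ok")
```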