Jonathan Johnson
2003-Nov-13 00:06 UTC
[Samba] Client accessing Samba doesn't authenticate against Active Directory
When a Windows client attempts to browse shares on a Samba 3.0 server authenticating against a Windows 2003 Active Directory domain, it requests credentials. Typing in user name and password fails. Basically, I can't even see the shares. If I give username/password for a user in smbpasswd, then I can browse the Samba server.

Configuration info:

ADS server: LICENSE
  ADS server IP: 192.168.254.201
  ADS domain/realm: 3KINGSINC.LOCAL
  Windows Server 2003

Samba server: DATASERVER
  Samba server IP: 192.168.254.250
  RedHat Linux 9, Samba 3.0.0, krb5 1.3.1
  successfully joined this to ADS domain

Client: TS
  Client IP: 192.168.254.202
  Windows Server 2003
  is a member server in ADS domain

-----
Output of wbinfo -t:

checking the trust secret via RPC calls failed
error code was NT_STATUS_UNSUCCESSFUL (0xc0000001)
Could not check secret

-----
Output of klist:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@3KINGSINC.LOCAL

Valid starting     Expires            Service principal
11/12/03 14:18:01  11/13/03 00:18:05  krbtgt/3KINGSINC.LOCAL@3KINGSINC.LOCAL
        renew until 11/13/03 14:18:01

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

-----
Output of kinit administrator@3KINGSINC.LOCAL

Password for administrator@3KINGSINC.LOCAL:<passwd>
[root@dataserver samba]#

-----
Output of kadmin:

Authenticating as principal administrator/admin@3KINGSINC.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

-----
Output of kadmin -p ADMINISTRATOR@3KINGSINC.LOCAL:

Authenticating as principal ADMINISTRATOR@3KINGSINC.LOCAL with password.
Password for ADMINISTRATOR@3KINGSINC.LOCAL:<passwd>
kadmin: Database error! Required KADM5 principal missing while initializing kadmin interface

-----
Output of smbclient -L license -U Administrator

Password:<passwd>

        Sharename      Type      Comment
        ---------      ----      -------
        E$             Disk      Default share
        IPC$           IPC       Remote IPC
        NETLOGON       Disk      Logon server share
        ADMIN$         Disk      Remote Admin
        SYSVOL         Disk      Logon server share
        C$             Disk      Default share

        Server               Comment
        ---------            -------
        DATASERVER           File Storage (BG Samba Server)
        LICENSE
        TS

        Workgroup            Master
        ---------            -------
        3 KINGS              3-I1FQNAK3OL85P
        3KINGSINC            LICENSE

-----
Output of smbclient -L dataserver -U Administrator

Password:
session setup failed: NT_STATUS_NO_LOGON_SERVERS

-----
Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL

[2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!

-----
Interesting lines of /var/log/samba/log.192.168.254.202:

[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
(message is repeated twice)

-----
Interesting lines of /var/log/samba/log.winbindd:

[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!

-----
Interesting lines of /var/log/messages:

Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]:   SMB Signature verification failed on incoming packet!

-----
Content of smb.conf:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/11/12 14:18:40

# Global parameters
[global]
        workgroup = 3KINGSINC
        realm = 3KINGSINC.LOCAL
        server string = File Storage (BG Samba Server)
        security = ADS
        password server = license.3kingsinc.local
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -d/home/%D/%U %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        dns proxy = No
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

-----
Interesting lines of nsswitch.conf:

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns wins

-----
Content of krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = 3KINGSINC.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 3KINGSINC.LOCAL = {
  kdc = license.3kingsinc.local:88
  admin_server = license.3kingsinc.local:749
  default_domain = 3KINGSINC.LOCAL
 }

[domain_realm]
 .3kingsinc.local = 3KINGSINC.LOCAL
 3kingsinc.local = 3KINGSINC.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

-----
--Jon
Gerald (Jerry) Carter
2003-Nov-13 16:49 UTC
[Samba] Client accessing Samba doesn't authenticate against Active Directory
Jonathan Johnson wrote:

| When a Windows client attempts to browse shares on a Samba 3.0 server
| authenticating against a Windows 2003 Active Directory domain, it
| requests credentials. Typing in user name and password fails

Looks like you don't have the MIT krb5 1.3.1 libs or the latest version of Heimdal (don't remember which version you need...cvs development snapshot maybe).

| Output of smbclient -k -L license -UAdministrator@3KINGS.LOCAL
| [2003/11/12 16:03:45, 0] libsmb/clientgen.c:cli_receive_smb(121)
|   SMB Signature verification failed on incoming packet!
| session setup failed: Server packet had invalid SMB signature!
...
| -----
| Interesting lines of /var/log/samba/log.192.168.254.202:
|
| [2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
|   Failed to verify incoming ticket!
| (message is repeated twice)
|

cheers, jerry

--
~ ----------------------------------------------------------------------
~ Hewlett-Packard ------------------------- http://www.hp.com
~ SAMBA Team ---------------------- http://www.samba.org
~ GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)
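
Added example, not part of either post: a small triage script for the Samba debug-log format quoted in this thread (a bracketed header line followed by the message line), which also handles the syslog-wrapped form seen in /var/log/messages and counts the signing and ticket-verification failures per source location. The function names are hypothetical, and the sample text is the thread's log lines with their line breaks reconstructed.

```python
import re
from collections import Counter

# Samba debug header, e.g. "[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(?P<level>\d+)\] "
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)")
# Prefix syslog adds when the same entries land in /var/log/messages.
SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \w+\[\d+\]: +")
# Message substrings taken from the logs quoted in the thread.
AUTH_FAILURES = ("SMB signature check failed", "SMB Signature verification failed",
                 "Failed to verify incoming ticket")

def parse_samba_log(text):
    """Return one dict per entry: header fields plus the joined message text."""
    entries = []
    for raw in text.splitlines():
        line = SYSLOG.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries:  # continuation line belongs to the last header seen
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def auth_failure_summary(entries):
    """Count authentication-related failures per source location."""
    hits = Counter()
    for e in entries:
        if any(s in e["msg"] for s in AUTH_FAILURES):
            hits[f'{e["src"]}:{e["func"]}'] += 1
    return hits

# Sample input: log lines quoted in the post, native and syslog-wrapped forms.
SAMPLE = """\
[2003/11/12 14:00:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!
[2003/11/12 15:54:55, 1] libsmb/smb_signing.c:signing_good(227)
  signing_good: SMB signature check failed on seq 1!
[2003/11/12 15:54:55, 0] libsmb/clientgen.c:cli_receive_smb(121)
  SMB Signature verification failed on incoming packet!
Nov 12 15:52:43 dataserver winbindd[21960]: [2003/11/12 15:52:43, 0] libsmb/clientgen.c:cli_receive_smb(121)
Nov 12 15:52:43 dataserver winbindd[21960]:   SMB Signature verification failed on incoming packet!
"""

if __name__ == "__main__":
    print(auth_failure_summary(parse_samba_log(SAMPLE)).most_common())
```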